Title of invention: Systems and methods for detecting return-oriented programming (ROP) exploits
Abstract: Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
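Publication number: US2017024558(A1); Publication date: 2017.01.26
Application number: US201615289761; Filing date: 2016.10.10
Applicant: Bitdefender IPR Management Ltd.; Inventor: TOSA Raul V.
Classification: G06F21/52;G06F21/55; Main classification: G06F21/52
Agency: Agent: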
Principal claim: 1. A host system comprising at least one hardware processor configured to: identify a target area of a call stack of a target process executing on the host system; identify a set of gadget references within the target area, each identified gadget reference pointing to a section of memory hosting a return-oriented programming (ROP) gadget; and in response to identifying the target area and the set of gadget references, determine whether the target process is malicious according to a proportion of the target area occupied by the set of gadget references.
Address: Nicosia CY
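
An added sketch (not code from the patent or from Bitdefender) of the check in the principal claim, combined with the abstract's test for references pushed by a legitimate call: it counts stack words that point at ROP gadgets and were not pushed by a call, then reports the proportion of the target area they occupy. The module bytes, load address, stack snapshots, the 6-byte gadget window and the `call rel32` test are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODULE_BASE    0x400000u /* constructed load address (assumption) */
#define MAX_GADGET_LEN 6         /* assumption: a gadget reaches ret within 6 bytes */

/* Constructed 16-byte code section of a loaded module. */
static const uint8_t module_code[16] = {
    0x55, 0x48, 0x89, 0xE5,       /* 0x00 push rbp; mov rbp,rsp           */
    0xE8, 0x10, 0x00, 0x00, 0x00, /* 0x04 call rel32                      */
    0x5D, 0xC3,                   /* 0x09 pop rbp; ret (real return site) */
    0x58, 0xC3,                   /* 0x0B pop rax; ret                    */
    0x5F, 0xC3, 0x90 };           /* 0x0D pop rdi; ret; nop               */

/* Constructed stack snapshots (the "target area"), one 64-bit word per slot. */
static const uint64_t rop_like_stack[8] = {
    0x40000B, 0x1111, 0x40000D, 0x2222, 0x40000B, 0x400009, 0x7FFD0000, 0x40000D };
static const uint64_t benign_stack[8] = {
    0x400009, 0x1, 0x2, 0x7FFD0000, 0x3, 0x4, 0x5, 0x6 };

/* Does a ret (0xC3) occur within MAX_GADGET_LEN bytes of this module offset? */
static int is_gadget(size_t off) {
    for (size_t i = off; i < sizeof module_code && i < off + MAX_GADGET_LEN; i++)
        if (module_code[i] == 0xC3) return 1;
    return 0;
}
/* A legitimately pushed return address follows a call; only the 5-byte
   `call rel32` (0xE8) encoding is checked in this simplified version. */
static int call_preceded(size_t off) {
    return off >= 5 && module_code[off - 5] == 0xE8;
}
/* Count stack words that point at a gadget and were not pushed by a call. */
size_t count_gadget_refs(const uint64_t *stack, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (stack[i] < MODULE_BASE || stack[i] >= MODULE_BASE + sizeof module_code)
            continue;  /* not a reference into the module */
        size_t off = (size_t)(stack[i] - MODULE_BASE);
        if (is_gadget(off) && !call_preceded(off)) hits++;
    }
    return hits;
}
/* Proportion of the target area (in words) occupied by gadget references. */
double gadget_proportion(const uint64_t *stack, size_t n) {
    return n ? (double)count_gadget_refs(stack, n) / (double)n : 0.0;
}
int main(void) {
    printf("rop-like: %.2f  benign: %.2f\n",
           gadget_proportion(rop_like_stack, 8), gadget_proportion(benign_stack, 8));
    return 0;
}
```

The address `0x400009` looks like a gadget (it reaches `ret` in two bytes) but is excluded because it directly follows a call instruction, which is why the call-origin test matters for false positives.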