Title: Detecting a return-oriented programming exploit
Abstract: A method and apparatus for detecting a Return-Oriented Programming exploitation. At a computer device, a mechanism to detect a control transfer of a code location in a memory is established. This may be, for example, hooking the control transfer. The code location relates to an electronic file. In the event that a control transfer of the code location is detected, a comparison is made between a destination code location address and values in the freed stack. If the code location address matches any of the values in the freed stack, then it is determined that the control transfer of the code location relates to a Return-Oriented Programming exploitation.
Publication number: US8997218(B2) Publication date: 2015.03.31
Application number: US201012928905 Filing date: 2010.12.22
Applicant: F-Secure Corporation Inventor: Hentunen Daavid
Classification: G06F21/00;G06F21/54;G06F21/57 Main classification: G06F21/00
Agent firm: Harrington & Smith Agent: Harrington & Smith
Main claim: 1. A method of detecting a Return-Oriented Programming exploitation of an application, the method comprising, at a computer device: establishing a hooking rule to hook a code location relating to an electronic file stored in a computer readable medium in the form of a memory; in the event that a control transfer of the code location relating to the electronic file is detected, comparing a code location address with values in a stack space freed by the control transfer, wherein the comparison of the code location address is made with one of a number of location addresses for values in the freed stack space, the method further comprising: estimating the number of location addresses to be compared with the code location address, wherein the estimation is performed by: determining a set of electronic files to inspect; disassembling each electronic file to analyze functions related to each electronic file; determining a number of parameters related to each function; determining the function having the highest number of parameters; and using the number of parameters for the function with the highest number of parameters as the estimate for the number of location addresses to be compared with the code location address; and, in the event that the code location address and any of the values in the freed stack match, determining that the control transfer relates to a Return-Oriented Programming exploitation.
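The heuristic of the abstract and claim 1, as an added simulation that is not part of the patent record and not F-Secure's implementation: a function reached by a normal CALL never has its own address stored on the stack, whereas a function reached by a RET from a ROP chain has just had its address popped, so that address sits in the stack space freed by the transfer. The stack model (a list of machine words, index 0 at the lowest address, `sp` indexing the live top), the hooked address and the parameter counts are all constructed for the example; the "hook" is an ordinary function call rather than a real control-transfer hook.

```python
"""Simulation of the freed-stack check from US8997218: compare the destination
address of a hooked control transfer with the words just below the stack pointer.
Constructed example; the values and stack layout are not from the patent."""


def estimate_slot_count(function_param_counts):
    """Claim 1: inspect as many freed-stack slots as the largest parameter count
    found among the analysed functions (input is a constructed mapping that stands
    in for the result of disassembling the files: function name -> parameters)."""
    if not function_param_counts:
        return 0
    return max(function_param_counts.values())


def freed_stack_words(stack, sp, slot_count):
    """Words released by pops/returns: the slot_count words immediately below the
    live top of stack, i.e. indices [sp - slot_count, sp) in this model."""
    start = max(0, sp - slot_count)
    return stack[start:sp]


def is_rop_transfer(dest_addr, stack, sp, slot_count):
    """True when the destination code address also appears in the freed stack
    space, which is how a RET-driven (ROP) entry differs from a CALL-driven one."""
    return dest_addr in freed_stack_words(stack, sp, slot_count)


# Constructed placeholder address of the hooked code location.
HOOKED_FUNC_ADDR = 0x7FFE1000


def build_legit_snapshot():
    """Entered via CALL: the caller pushed a return address and arguments; the
    words below SP are stale data that never held the hooked function's address."""
    stack = [
        0xDEAD0001, 0xDEAD0002, 0xDEAD0003, 0xDEAD0004,  # stale words below SP
        0x00401234,                                      # return address (at SP)
        0x00000040, 0x00000007,                          # arguments
    ]
    sp = 4
    return stack, sp


def build_rop_snapshot():
    """Entered via a 'ret 8' style gadget: the gadget popped HOOKED_FUNC_ADDR as
    its return target and then released two more words, so the address now lies
    three slots below SP. A check of only the nearest two slots would miss it."""
    stack = [
        0xDEAD0001,
        HOOKED_FUNC_ADDR,            # popped by RET -> becomes the destination
        0x11111111, 0x22222222,      # released by the 'ret 8' adjustment
        0x00402300,                  # attacker-supplied next "return address"
        0x00000040, 0x00000007,      # arguments placed by the chain
    ]
    sp = 4
    return stack, sp


def check_hooked_entry(dest_addr, stack, sp, function_param_counts):
    """What the hook would do on entry: derive the slot count per claim 1, then
    run the freed-stack comparison. Returns (slot_count, is_rop)."""
    slot_count = estimate_slot_count(function_param_counts)
    return slot_count, is_rop_transfer(dest_addr, stack, sp, slot_count)


if __name__ == "__main__":
    params = {"VirtualProtect": 4, "CreateFileA": 7, "ExitProcess": 1}
    for name, builder in (("legit", build_legit_snapshot), ("rop", build_rop_snapshot)):
        stack, sp = builder()
        print(name, check_hooked_entry(HOOKED_FUNC_ADDR, stack, sp, params))
```

The slot count matters: with the constructed parameter table the estimate is 7, which covers the three freed words in the ROP snapshot, while a fixed look-back of two words would report the same transfer as benign.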
Address: Helsinki FI