Today’s cybersecurity playing field is fundamentally asymmetric. Attackers are easily able to identify weaknesses in a target system once they have access to its code and configuration. As a result, defenders are perpetually playing a game of catch-up to secure their systems post-attack.
ROP attacks are particularly insidious in that they harness existing software components, known as ‘gadgets’, within the system to carry out their actions. Once devised, such attacks are easy to repeat because target systems are essentially static.
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing. In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory, called “gadgets”. Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.
ROP malware is a significant and growing problem in the industry. Crafty hackers will take snippets of code from other trusted programs and stitch them together to create their attacks. This method has become very popular with top-tier malware because of its effectiveness and stealth. Because ROP malware reuses parts of trusted code, it is very difficult to detect and stop. Software solutions have tried in the past to stem the problem but have largely been unsuccessful.
Companies like IBM have developed software-oriented solutions to help eradicate attacks by return-oriented programming (ROP) malware. ROP security can be further enhanced if it is based on features embedded beneath the software, operating systems, virtual machines, and even the firmware.
That protection can be located in the hardware processor itself. Hardware remains outside the maneuvering zone of software hackers, and thus can give a definitive advantage in securing the system from ROP-based attacks. The architecture can be designed to give advantages to secure computing practices, help operating systems be more secure, and compensate for vulnerable software.
Intel Released New Control-flow Enforcement Technology (CET) to Protect Against ROP Attacks
Intel, working with Microsoft, introduced new hardware defenses against ROP called Control-flow Enforcement Technology (CET). CET works by introducing a shadow stack – which only contains return addresses, is held in system RAM, and is protected by the CPU’s memory management unit. When a subroutine is called, the return address is stashed on the thread’s stack, as per normal, and also in the shadow stack. When the processor reaches a return instruction, the processor ensures the return address on the thread stack matches the address on the shadow stack.
If they don’t match, then an exception is raised, allowing the operating system to catch and stop execution. Therefore, if exploit code starts tampering with the stack to chain together malicious instructions to install malware or otherwise compromise a system, these alterations will be detected and the infiltration halted before any damage can be done.
CET also protects against a variant of ROP, Jump Oriented Programming (JOP), by using Indirect Branch Tracking (IBT) to ensure that every valid target of an indirect jump or call is explicitly labeled as such; an indirect branch to any unlabeled location is not permitted.
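The two checks described above, the shadow-stack comparison on return and the labeled-target requirement on indirect branches, can be modeled with a few lines of code. The following is an illustration added here, not Intel's or Microsoft's implementation: a tiny interpreter whose "program" is an array of ops, with a data stack the program can corrupt and a shadow stack it has no way to write. The three sample programs and the `marked` tables (which stand in for ENDBR-style labels) are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the CET checks: shadow stack on RET, IBT on indirect jumps.
 * Written for this page; it is not Intel's microarchitecture. */

#define STACK_SLOTS 16
#define STEP_LIMIT 1000

enum cet_op {
    OP_CALL,          /* push return address on both stacks, jump to target */
    OP_RET,           /* pop data stack; with CET on, compare against shadow stack */
    OP_OVERWRITE_RET, /* models a stack overflow: replace the saved return address */
    OP_JMP_INDIRECT,  /* indirect branch; with CET on, target must be marked */
    OP_END            /* halt cleanly */
};

struct cet_insn { enum cet_op op; uint32_t target; };

/* cet_run() returns a negative fault code, or the pc at which the program halted. */
enum cet_fault {
    CET_FAULT_SHADOW_MISMATCH = -1,
    CET_FAULT_IBT = -2,
    CET_FAULT_BAD_PC = -3,
    CET_FAULT_STACK = -4
};

int cet_run(const struct cet_insn *prog, size_t n, const bool *marked, bool cet_on)
{
    uint32_t stack[STACK_SLOTS], shadow[STACK_SLOTS];
    size_t sp = 0, ssp = 0;
    uint32_t pc = 0;

    for (int step = 0; step < STEP_LIMIT; step++) {
        if (pc >= n) return CET_FAULT_BAD_PC;
        const struct cet_insn *in = &prog[pc];
        switch (in->op) {
        case OP_CALL:
            if (in->target >= n) return CET_FAULT_BAD_PC;
            if (sp == STACK_SLOTS) return CET_FAULT_STACK;
            stack[sp++] = pc + 1;   /* the copy the program can overwrite */
            shadow[ssp++] = pc + 1; /* the CPU's copy, unreachable from the program */
            pc = in->target;
            break;
        case OP_RET: {
            if (sp == 0) return CET_FAULT_STACK;
            uint32_t ret = stack[--sp];
            uint32_t expected = shadow[--ssp];
            if (cet_on && ret != expected) return CET_FAULT_SHADOW_MISMATCH;
            pc = ret;
            break;
        }
        case OP_OVERWRITE_RET:
            if (sp == 0) return CET_FAULT_STACK;
            stack[sp - 1] = in->target; /* the shadow copy stays intact */
            pc++;
            break;
        case OP_JMP_INDIRECT:
            if (in->target >= n) return CET_FAULT_BAD_PC;
            if (cet_on && !marked[in->target]) return CET_FAULT_IBT;
            pc = in->target;
            break;
        case OP_END:
            return (int)pc;
        }
    }
    return CET_FAULT_BAD_PC;
}

/* Constructed sample 1: legitimate flow, including an indirect jump to a marked target. */
static const struct cet_insn prog_benign[] = {
    {OP_CALL, 2},         /* 0: call subroutine at 2; return site is 1 */
    {OP_END, 0},          /* 1: halt after the subroutine returns */
    {OP_JMP_INDIRECT, 4}, /* 2: subroutine body: indirect jump */
    {OP_END, 0},          /* 3: never reached */
    {OP_RET, 0},          /* 4: marked as a valid branch target; returns to 1 */
};
static const bool marked_benign[5] = {false, false, false, false, true};
static const bool marked_none[5] = {false};

/* Constructed sample 2: a stack overflow inside the subroutine swaps the saved return address. */
static const struct cet_insn prog_hijack_ret[] = {
    {OP_CALL, 2},          /* 0: return site is 1 */
    {OP_END, 0},           /* 1: where control should come back */
    {OP_OVERWRITE_RET, 4}, /* 2: overflow replaces the saved address 1 with 4 */
    {OP_RET, 0},           /* 3: pops the corrupted address */
    {OP_END, 0},           /* 4: code no legitimate call ever returns to */
};

/* Constructed sample 3: JOP-style redirection into an unmarked location. */
static const struct cet_insn prog_hijack_jmp[] = {
    {OP_JMP_INDIRECT, 2}, /* 0: target 2 carries no mark */
    {OP_END, 0},          /* 1 */
    {OP_END, 0},          /* 2 */
};

#define LEN(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    printf("benign, CET on:        %d\n", cet_run(prog_benign, LEN(prog_benign), marked_benign, true));
    printf("hijacked ret, CET off: %d\n", cet_run(prog_hijack_ret, LEN(prog_hijack_ret), marked_none, false));
    printf("hijacked ret, CET on:  %d\n", cet_run(prog_hijack_ret, LEN(prog_hijack_ret), marked_none, true));
    printf("hijacked jmp, CET off: %d\n", cet_run(prog_hijack_jmp, LEN(prog_hijack_jmp), marked_none, false));
    printf("hijacked jmp, CET on:  %d\n", cet_run(prog_hijack_jmp, LEN(prog_hijack_jmp), marked_none, true));
    return 0;
}
```

With CET off, the corrupted-return program halts at index 4 and the unmarked jump halts at index 2, so the hijack is invisible to the CPU. With CET on, the same programs stop with a shadow-stack mismatch and an IBT fault respectively, which is the point at which a real operating system would catch the exception and terminate the process.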
What CET does here is ensure that, when returning from a subroutine, the stack hasn’t been tampered with to hijack the flow of the software. No ROP, no working exploit, no malware infection. But support for CET is in its early stages. It will take many more years before even a majority of the installed base of CPUs implements CET.
Perspecta Labs’ ROP Protector
Perspecta Labs’ ROP Protector is a radical defense solution that protects legacy systems from ROP cyberattacks. Considered a moving target solution for cyber defense, ROP Protector ensures that the target system itself is dynamic, preventing attacks that aim to leverage static gadgets within the system. ROP Protector creates a morphed version of the target system that has exactly the same set of capabilities as the original, yet does not have the gadgets that the attack depends on.
ROP Protector is particularly valuable for legacy systems whose source code is unavailable, since it is a pure binary-to-binary code scrambling solution. Studies have shown that neither the capabilities nor the performance of well-known applications (e.g. the Apache web server) is impacted after being scrambled by ROP Protector. Thus, ROP Protector is an efficient and practical capability for the ROP defense needs of legacy systems.
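The moving-target idea in the two paragraphs above, a morphed binary with the same capabilities but a different code layout, is illustrated by the following example. It is added here and is not Perspecta Labs' ROP Protector algorithm: the "binary" is a constructed set of four functions with made-up bytes, a morph reorders them and inserts filler, and two checks confirm that every function survives intact while none of them stays at its original address. The function names, byte values and the toy RNG are all assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of binary-to-binary code scrambling as a moving-target defense.
 * Written for this page; not Perspecta Labs' implementation. "Functions" are
 * opaque byte strings and an "image" is their concatenation, so a morph changes
 * only where each function's bytes live, never what they are. */

#define MAX_FUNCS 8
#define IMAGE_MAX 256
#define MORPH_ATTEMPTS 64

struct func { const char *name; const uint8_t *body; size_t len; };

struct image {
    uint8_t bytes[IMAGE_MAX];
    size_t size;
    size_t start[MAX_FUNCS]; /* start[i] = offset of function i in this image */
};

/* Constructed sample "binary": four functions with distinct, made-up bytes. */
static const uint8_t body_a[] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t body_b[] = {0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
static const uint8_t body_c[] = {0x21, 0x22, 0x23};
static const uint8_t body_d[] = {0x31, 0x32, 0x33, 0x34, 0x35};
static const struct func sample_funcs[] = {
    {"a", body_a, sizeof body_a}, {"b", body_b, sizeof body_b},
    {"c", body_c, sizeof body_c}, {"d", body_d, sizeof body_d},
};
#define NFUNCS (sizeof sample_funcs / sizeof sample_funcs[0])

/* Deterministic LCG so a morph is reproducible from its seed (toy RNG, not for security use). */
static uint32_t toy_rand(uint32_t *s) { *s = *s * 1103515245u + 12345u; return (*s >> 16) & 0x7fffu; }

/* Lay functions out in the given order, with pad[k] filler bytes (0xCC) before the k-th one. */
static void layout(struct image *img, const struct func *f, size_t n, const size_t *order, const size_t *pad)
{
    img->size = 0;
    for (size_t k = 0; k < n; k++) {
        size_t i = order[k];
        memset(img->bytes + img->size, 0xCC, pad[k]);
        img->size += pad[k];
        img->start[i] = img->size;
        memcpy(img->bytes + img->size, f[i].body, f[i].len);
        img->size += f[i].len;
    }
}

/* Original build: natural order, no padding. */
void build_original(struct image *img, const struct func *f, size_t n)
{
    size_t order[MAX_FUNCS], pad[MAX_FUNCS];
    for (size_t i = 0; i < n; i++) { order[i] = i; pad[i] = 0; }
    layout(img, f, n, order, pad);
}

/* Morph: shuffle the order and vary the padding until no function keeps its original
 * address. Returns 0 on success, -1 if no such layout was found within the budget. */
int morph(struct image *out, const struct image *orig, const struct func *f, size_t n, uint32_t seed)
{
    for (int attempt = 0; attempt < MORPH_ATTEMPTS; attempt++) {
        size_t order[MAX_FUNCS], pad[MAX_FUNCS];
        for (size_t i = 0; i < n; i++) order[i] = i;
        for (size_t i = n - 1; i > 0; i--) {             /* Fisher-Yates shuffle */
            size_t j = toy_rand(&seed) % (i + 1);
            size_t t = order[i]; order[i] = order[j]; order[j] = t;
        }
        for (size_t i = 0; i < n; i++) pad[i] = 1 + toy_rand(&seed) % 4;
        layout(out, f, n, order, pad);
        bool all_moved = true;
        for (size_t i = 0; i < n; i++)
            if (out->start[i] == orig->start[i]) all_moved = false;
        if (all_moved) return 0;
    }
    return -1;
}

/* Capability check: every function's bytes are intact at the offset the image records. */
bool bodies_preserved(const struct image *img, const struct func *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(img->bytes + img->start[i], f[i].body, f[i].len) != 0) return false;
    return true;
}

/* Address check: does any function still start where it did in the original? */
bool any_start_reused(const struct image *orig, const struct image *morphed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (orig->start[i] == morphed->start[i]) return true;
    return false;
}

/* End-to-end demo: 0 when the morph preserved and moved every function, else 1..4
 * identifies the failed check. */
int scramble_demo(uint32_t seed)
{
    struct image orig, morphed;
    build_original(&orig, sample_funcs, NFUNCS);
    if (!bodies_preserved(&orig, sample_funcs, NFUNCS)) return 1;
    if (morph(&morphed, &orig, sample_funcs, NFUNCS, seed) != 0) return 2;
    if (!bodies_preserved(&morphed, sample_funcs, NFUNCS)) return 3;
    if (any_start_reused(&orig, &morphed, NFUNCS)) return 4;
    for (size_t i = 0; i < NFUNCS; i++)
        printf("%s: offset %zu -> %zu\n", sample_funcs[i].name, orig.start[i], morphed.start[i]);
    return 0;
}

int main(void) { return scramble_demo(42u); }
```

The two checks are the whole argument: `bodies_preserved` is the "same set of capabilities" property, and `any_start_reused` returning false is why an address captured from the original layout no longer lands on the same bytes. A real rewriter must also fix up every reference between functions, which this toy omits because its functions never refer to one another.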
ROP Protector value and benefits:
- Vulnerable system is protected against ROP attacks without new development effort
- Protection is achieved without exposing underlying Intellectual Property in source code
- System performance is not impacted
- Protection is built into target system, no new components are added
- Defends by preventing the attack instead of acting in response to it
- Operation is transparent to end users