Efficient Detection of the Return-Oriented Programming Malicious Code

Published: 01 Jan 2010, Last Modified: 11 Apr 2025. Venue: ICISS 2010. License: CC BY-SA 4.0
Abstract: Return-Oriented Programming (ROP) is a code-reuse technique that lets an attacker build malicious code from instruction snippets already present in existing libraries and executables, so the resulting ROP program contains no malicious instructions of its own. Moreover, recent research has proposed Return-Oriented Programming without returns, which mounts an attack without any independent return instructions; such ROP malicious code therefore circumvents existing defenses, which rest on the assumption that ROP malicious code must use a ret without a corresponding call. In this paper, we identify an intrinsic feature of ROP shellcode and propose an efficient method that can detect ROP malicious code, including ROP code without returns. Preliminary experimental results show that our method detects ROP malicious code efficiently with no false positives or negatives.
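To make concrete the class of defense the abstract says is circumvented, here is an added example (not code from the paper or its authors) of a shadow-stack style call/ret consistency checker replayed over constructed control-transfer traces. The traces, addresses and the assumed 5-byte call length are all made up for illustration; the checker flags a `ret` whose target was never pushed by a `call`, which catches the ret-based chain, and shows why a chain stitched together only with indirect jumps produces no alert under this assumption.

```python
# Added example (not from the paper): a shadow-stack style checker that models
# the class of ROP defense the abstract refers to, i.e. one that assumes a ROP
# payload will execute `ret` instructions that have no corresponding `call`.
# Traces are constructed tuples (kind, pc, target); all addresses are made up.

from typing import List, Tuple

CALL_LEN = 5  # assumed length of a near call, so the return address is pc + 5

Event = Tuple[str, int, int]  # (kind, pc, target), kind in {"call", "ret", "jmp"}


def check_trace(trace: List[Event]) -> List[dict]:
    """Replay a control-transfer trace against a shadow stack.

    Every `call` pushes its fall-through address; every `ret` must return to the
    address on top of the shadow stack, otherwise an alert is recorded. `jmp`
    events are passed through untouched, which is exactly the blind spot of
    this kind of defense for return-less ROP.
    """
    shadow: List[int] = []
    alerts: List[dict] = []
    for kind, pc, target in trace:
        if kind == "call":
            shadow.append(pc + CALL_LEN)
        elif kind == "ret":
            expected = shadow[-1] if shadow else None
            if expected == target:
                shadow.pop()
            else:
                alerts.append({"pc": pc, "target": target, "expected": expected})
        elif kind == "jmp":
            pass  # indirect jumps are not inspected by a call/ret matcher
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return alerts


# Constructed trace 1: ordinary nested calls, every ret goes back to its caller.
BENIGN_TRACE: List[Event] = [
    ("call", 0x1000, 0x2000),
    ("call", 0x2008, 0x3000),
    ("ret", 0x3020, 0x200D),
    ("ret", 0x2010, 0x1005),
]

# Constructed trace 2: after a legitimate call, control returns into a
# sequence of addresses that no call ever pushed (a ret-based chain).
RET_BASED_ROP_TRACE: List[Event] = [
    ("call", 0x1000, 0x2000),
    ("ret", 0x2010, 0x4000),
    ("ret", 0x4003, 0x4100),
    ("ret", 0x4105, 0x4200),
]

# Constructed trace 3: the chain is stitched with indirect jumps only, so the
# call/ret matcher sees nothing to complain about.
RETURN_LESS_ROP_TRACE: List[Event] = [
    ("call", 0x1000, 0x2000),
    ("jmp", 0x2010, 0x5000),
    ("jmp", 0x5004, 0x5100),
    ("jmp", 0x5103, 0x5200),
]


if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE),
                        ("ret-based ROP", RET_BASED_ROP_TRACE),
                        ("return-less ROP", RETURN_LESS_ROP_TRACE)]:
        alerts = check_trace(trace)
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  ret at {a['pc']:#x} -> {a['target']:#x}, expected {a['expected']}")
```

Running the block reports zero alerts for the benign trace, three for the ret-based trace, and zero for the return-less trace; the last result is the gap the paper's feature-based detection is meant to close, since a matcher keyed on unmatched `ret` instructions has nothing to match against when no `ret` is executed.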