中国科学院软件研究所机构知识库

Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in ret called “gadgets” and craft stack content to “chain” these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.