HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks
Information Systems Frontiers (IF 5.9), Pub Date: 2020-05-04, DOI: 10.1007/s10796-020-10014-7
Xin Huang, Fei Yan, Liqiang Zhang, Kai Wang

Code reuse attacks such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) are prevalent attack techniques that reuse code snippets, called gadgets, in vulnerable applications and hijack control flow to achieve malicious behavior. Existing defenses against code reuse attacks attempt to prevent illegal control-flow transitions or to make locating gadgets difficult. However, decades of arms race have shown that the ability to detect and prevent advanced attacks remains outdated. In this paper, we propose HoneyGadget, a deception-based approach for detecting code reuse attacks. HoneyGadget works by inserting honey gadgets into the application as decoys and keeping track of their addresses once the application is loaded. During the execution phase, HoneyGadget traces execution using the Last Branch Record (LBR), compares the LBR records with the maintained address list, and raises a code reuse attack alarm if any records match. HoneyGadget not only prevents code reuse attacks, but also provides LBR records for researchers to analyze the patterns of these attacks. We have developed a fully functioning prototype of HoneyGadget. Our evaluation results show that HoneyGadget captures code reuse attacks effectively and incurs only a modest performance overhead.
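
The matching step described in the abstract, as an added example that is not the paper's or the prototype's code: it scans an LBR snapshot for any branch that enters or leaves a decoy. The struct layouts, the range-based match and all addresses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One LBR record: source and destination address of a taken branch. */
struct lbr_entry { uint64_t from, to; };
/* Assumed bookkeeping: [start, end) of one decoy gadget after loading. */
struct honey_range { uint64_t start, end; };

/* Constructed sample data; every address here is made up. */
static const struct honey_range HONEY[] = {      /* sorted, non-overlapping */
    {0x401200, 0x401208}, {0x4034a0, 0x4034ac}, {0x405f10, 0x405f16},
};
static const struct lbr_entry BENIGN[] = {
    {0x401000, 0x401100}, {0x401150, 0x402000}, {0x402040, 0x401155},
};
static const struct lbr_entry HIJACKED[] = {
    {0x401000, 0x401100}, {0x401180, 0x4034a4}, {0x4034ab, 0x405f10},
};

/* Binary search: index of the decoy range containing addr, or -1. */
static int find_honey(const struct honey_range *r, size_t n, uint64_t addr)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < r[mid].start)       hi = mid;
        else if (addr >= r[mid].end)   lo = mid + 1;
        else                           return (int)mid;
    }
    return -1;
}

/* Index of the first LBR record that enters or leaves a decoy, or -1. */
static int scan_lbr(const struct lbr_entry *lbr, size_t n_lbr,
                    const struct honey_range *honey, size_t n_honey)
{
    for (size_t i = 0; i < n_lbr; i++)
        if (find_honey(honey, n_honey, lbr[i].to) >= 0 ||
            find_honey(honey, n_honey, lbr[i].from) >= 0)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("benign trace:   %d\n", scan_lbr(BENIGN, 3, HONEY, 3));
    printf("hijacked trace: %d\n", scan_lbr(HIJACKED, 3, HONEY, 3));
    return 0;
}
```

Because legitimate control flow never reaches a decoy, a single matching record is enough to flag the trace, and the matching record itself is the evidence handed to the analyst.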




Updated: 2020-05-04