HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks

Published in: Information Systems Frontiers

Abstract

Code reuse attacks such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) are prevalent attack techniques that reuse short code snippets, called gadgets, already present in a vulnerable application and hijack its control flow to achieve malicious behaviour. Existing defenses against code reuse attacks attempt either to prevent illegal control flow transitions or to make locating gadgets difficult. However, decades of this arms race have shown that the ability to detect and prevent advanced attacks still lags behind. In this paper, we propose HoneyGadget, a deception based approach for detecting code reuse attacks. HoneyGadget works by inserting honey gadgets into the application as decoys and keeping track of their addresses once the application is loaded. During the execution phase, HoneyGadget traces execution using the Last Branch Record (LBR), compares the LBR records with the maintained address list, and raises an alarm for a code reuse attack if any record matches. HoneyGadget not only prevents code reuse attacks, but also provides LBR records that researchers can use to analyze the patterns of these attacks. We have developed a fully functioning prototype of HoneyGadget. Our evaluation results show that HoneyGadget captures code reuse attacks effectively and incurs only a modest performance overhead.
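The detection step described above, sketched as an added example in C (this is not the authors' prototype code): honey gadget offsets are rebased to the module's load address, and every LBR entry's source and target are checked against that list. The offsets, load base and LBR snapshot are constructed values for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One LBR entry: the source and destination of a taken branch. */
typedef struct { uint64_t from; uint64_t to; } lbr_record_t;

#define MAX_HONEY 16
/* Runtime addresses of the honey gadgets, filled once the module is loaded. */
typedef struct { uint64_t addr[MAX_HONEY]; size_t n; } honey_list_t;

/* Rebase each honey gadget's file offset onto the actual load base; the
 * base changes under ASLR, the offsets inside the module do not. */
static void honey_list_init(honey_list_t *hl, uint64_t load_base,
                            const uint64_t *offsets, size_t n) {
    hl->n = n < MAX_HONEY ? n : MAX_HONEY;
    for (size_t i = 0; i < hl->n; i++) hl->addr[i] = load_base + offsets[i];
}

static int honey_list_contains(const honey_list_t *hl, uint64_t a) {
    for (size_t i = 0; i < hl->n; i++) if (hl->addr[i] == a) return 1;
    return 0;
}

/* Walk the LBR snapshot. A branch into, or out of, a honey gadget means a
 * decoy no legitimate path uses was executed. Returns the index of the first
 * matching record, or -1 if the snapshot is clean. */
static int check_lbr(const honey_list_t *hl, const lbr_record_t *rec, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (honey_list_contains(hl, rec[i].to) || honey_list_contains(hl, rec[i].from))
            return (int)i;
    return -1;
}

/* Constructed scenario: three decoys in a module loaded at 0x555555554000.
 * With with_decoy != 0 the last record returns into base + 0x2a50. */
int demo_check(int with_decoy) {
    static const uint64_t offsets[] = {0x1234, 0x2a50, 0x3f10};
    honey_list_t hl;
    honey_list_init(&hl, 0x555555554000ULL, offsets, 3);
    lbr_record_t lbr[] = {
        {0x555555555010ULL, 0x555555555800ULL},          /* ordinary call   */
        {0x555555555830ULL, 0x555555555014ULL},          /* ordinary return */
        {0x555555555900ULL, with_decoy ? 0x555555556a50ULL : 0x555555555950ULL},
    };
    return check_lbr(&hl, lbr, 3);
}

int main(void) {
    int hit = demo_check(1);
    if (hit >= 0) printf("ALARM: LBR record %d hit a honey gadget\n", hit);
    return 0;
}
```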



Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grant No. 61272452 and the National Basic Research Program of China (973 Program) under Grant No. 2014CB340601.


Correspondence to Fei Yan.


Cite this article

Huang, X., Yan, F., Zhang, L. et al. HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks. Inf Syst Front 23, 269–283 (2021). https://doi.org/10.1007/s10796-020-10014-7
