TY - GEN
T1 - Packed, printable, and polymorphic return-oriented programming
AU - Lu, Kangjie
AU - Zou, Dabi
AU - Wen, Weiping
AU - Gao, Debin
PY - 2011
Y1 - 2011
AB - Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.
KW - Return-oriented programming
KW - packer
KW - polymorphic malware
KW - printable shellcode
UR - http://www.scopus.com/inward/record.url?scp=84857320507&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84857320507&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-23644-0_6
DO - 10.1007/978-3-642-23644-0_6
M3 - Conference contribution
AN - SCOPUS:84857320507
SN - 9783642236433
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 101
EP - 120
BT - Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings
T2 - 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011
Y2 - 20 September 2011 through 21 September 2011
ER -