Packed, printable, and polymorphic return-oriented programming

Kangjie Lu; Dabi Zou; Weiping Wen; Debin Gao

doi:10.1007/978-3-642-23644-0_6

Packed, printable, and polymorphic return-oriented programming

Kangjie Lu, Dabi Zou, Weiping Wen, Debin Gao

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Scopus citations

Abstract

Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Original language	English (US)
Title of host publication	Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings
Pages	101-120
Number of pages	20
DOIs	https://doi.org/10.1007/978-3-642-23644-0_6
State	Published - 2011
Event	14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011 - Menlo Park, CA, United States Duration: Sep 20 2011 → Sep 21 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6961 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011
Country/Territory	United States
City	Menlo Park, CA
Period	9/20/11 → 9/21/11

Keywords

Return-oriented programming
packer
polymorphic malware
printable shellcode

Access

10.1007/978-3-642-23644-0_6

OpenUrl availability

Full text

Cite this

Lu, K., Zou, D., Wen, W., & Gao, D. (2011). Packed, printable, and polymorphic return-oriented programming. In Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings (pp. 101-120). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6961 LNCS). https://doi.org/10.1007/978-3-642-23644-0_6

Packed, printable, and polymorphic return-oriented programming. / Lu, Kangjie; Zou, Dabi; Wen, Weiping et al.
Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings. 2011. p. 101-120 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6961 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Lu, K, Zou, D, Wen, W & Gao, D 2011, Packed, printable, and polymorphic return-oriented programming. in Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6961 LNCS, pp. 101-120, 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011, Menlo Park, CA, United States, 9/20/11. https://doi.org/10.1007/978-3-642-23644-0_6

Lu K, Zou D, Wen W, Gao D. Packed, printable, and polymorphic return-oriented programming. In Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings. 2011. p. 101-120. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-23644-0_6

@inproceedings{f03123b5dfb94706a38ddfa95f0044c8,

title = "Packed, printable, and polymorphic return-oriented programming",

abstract = "Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.",

keywords = "Return-oriented programming, packer, polymorphic malware, printable shellcode",

author = "Kangjie Lu and Dabi Zou and Weiping Wen and Debin Gao",

year = "2011",

doi = "10.1007/978-3-642-23644-0_6",

language = "English (US)",

isbn = "9783642236433",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "101--120",

booktitle = "Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings",

note = "14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011 ; Conference date: 20-09-2011 Through 21-09-2011",

}

TY - GEN

T1 - Packed, printable, and polymorphic return-oriented programming

AU - Lu, Kangjie

AU - Zou, Dabi

AU - Wen, Weiping

AU - Gao, Debin

PY - 2011

Y1 - 2011

N2 - Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

AB - Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

KW - Return-oriented programming

KW - packer

KW - polymorphic malware

KW - printable shellcode

UR - http://www.scopus.com/inward/record.url?scp=84857320507&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84857320507&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-23644-0_6

DO - 10.1007/978-3-642-23644-0_6

M3 - Conference contribution

AN - SCOPUS:84857320507

SN - 9783642236433

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 101

EP - 120

BT - Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings

T2 - 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011

Y2 - 20 September 2011 through 21 September 2011

ER -

Packed, printable, and polymorphic return-oriented programming

Abstract

Publication series

Other

Keywords

Access

OpenUrl availability

Other files and links

Fingerprint

Cite this