Transparent ROP Detection using CPU Performance Counters presented at CSAWthreads 2014

by Xiaoning Li and Michael Crouse

Summary: Return Oriented Programming (ROP) has become a popular technique employed by exploit writers to deliver powerful 0-day/APT attacks. In 2013, FireEye discovered a sophisticated PDF attack in the wild capable of exploiting Adobe Reader and escaping the application sandbox. This exploit (CVE-2013-0640/CVE-2013-0641) demonstrates a suite of complex exploit techniques, including a pure ROP gadget chain that does not need to deliver shellcode. Detecting complex ROP exploits is a challenge and generally incurs a large performance penalty. We illustrate several proof-of-concept detectors for ROP-based exploits, including a CPU performance counter based approach that is transparent to the application layer and reduces the performance overhead. In this talk, we will present how to use the performance counters available on most modern CPUs to detect the abnormal behavior created by ROP exploits, specifically the PDF exploit found in the wild.
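As an added illustration, not code from the talk or its authors, the following Python sketch shows the kind of sampling heuristic a counter-based detector can apply over periodic reads of two hardware counters. It assumes the counter pair is retired returns versus mispredicted returns (the abstract does not name the events used) and the trace values are constructed.

```python
# Added example: windowed ROP heuristic over constructed performance counter samples.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    """One cumulative read of two counters (constructed values, not real perf data)."""
    t_ms: int   # sample time in milliseconds
    rets: int   # retired RET instructions, cumulative (assumed event)
    misp: int   # mispredicted RET instructions, cumulative (assumed event)


def window_deltas(samples: List[Sample]) -> List[Tuple[int, int, int]]:
    """Convert cumulative reads into per-window (time, returns, mispredictions)."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        d_ret, d_misp = cur.rets - prev.rets, cur.misp - prev.misp
        if d_ret < 0 or d_misp < 0:
            continue  # counter reset or wrap between reads: skip the window
        out.append((cur.t_ms, d_ret, d_misp))
    return out


def misprediction_ratio(d_ret: int, d_misp: int) -> float:
    return d_misp / d_ret if d_ret else 0.0


def detect_rop_windows(samples: List[Sample], threshold: float = 0.5,
                       min_rets: int = 200) -> List[int]:
    """Return timestamps of windows whose RET misprediction ratio exceeds threshold.

    A gadget chain executes RET after RET to addresses the return predictor never
    saw a matching CALL for, so the ratio jumps. min_rets ignores near-idle windows
    where a handful of mispredictions would dominate the ratio and cause false alarms.
    """
    flagged = []
    for t, d_ret, d_misp in window_deltas(samples):
        if d_ret >= min_rets and misprediction_ratio(d_ret, d_misp) >= threshold:
            flagged.append(t)
    return flagged


# Constructed trace: ordinary code predicts its returns well; a gadget chain does not.
CONSTRUCTED_TRACE = [
    Sample(0, 0, 0),
    Sample(10, 4000, 120),   # 4000 rets, 120 misp: 3%, normal
    Sample(20, 8100, 250),   # 4100 rets, 130 misp: ~3%, normal
    Sample(30, 8200, 330),   # 100 rets, 80 misp: idle window, below min_rets
    Sample(40, 8700, 760),   # 500 rets, 430 misp: 86%, gadget chain executing
    Sample(50, 12800, 900),  # 4100 rets, 140 misp: back to normal
]

if __name__ == "__main__":
    print("flagged windows (ms):", detect_rop_windows(CONSTRUCTED_TRACE))  # [40]
```

Thresholds and the idle-window floor are tuning knobs; on a real system they would be calibrated against the baseline misprediction ratio of the protected process.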
Xiaoning Li is a security researcher for a Fortune 50 company. For the past 10 years, his work has focused on vulnerability research, new exploit development, malware analysis, and reverse engineering. Michael Crouse is a third-year doctoral candidate at Harvard University in the School of Engineering and Applied Sciences, advised by HT Kung. He received his B.S. and M.S. degrees in Computer Science from Wake Forest University. His research interests are at the intersection of networking, computer security, and machine learning.