The ROP needle: Hiding trigger-based injection vectors via code reuse

Borrello P. (first author); Coppa E.; D'Elia D. C.; Demetrescu C.
2019

Abstract

In recent years, researchers have come up with proof of concepts of seemingly benign applications such as InstaStock and Jekyll that remain dormant until triggered by an attacker-crafted condition, which activates a malicious behavior, eluding code review and signing mechanisms. In this paper, we make a step forward by describing a stealthy injection vector design approach based on Return Oriented Programming (ROP) code reuse that provides two main novel features: 1) the ability to defer the specification of the malicious behavior until the attack is struck, allowing fine-grained targeting of the malware and reuse of the same infection vector for delivering multiple payloads over time; 2) the ability to conceal the ROP chain that specifies the malicious behavior to an analyst by using encryption. We argue that such an infection vector might be a dangerous weapon in the hands of advanced persistent threat actors. As an additional contribution, we report on a preliminary experimental investigation that seems to suggest that ROP-encoded malicious payloads are likely to pass unnoticed by current security solutions, making ROP an effective malware design ingredient.
Year: 2019
Venue: 34th Annual ACM Symposium on Applied Computing, SAC 2019
Keywords: Antivirus; APT; Code reuse; Malware; ROP
Type: 04 Publication in conference proceedings::04b Conference paper in volume
The ROP needle: Hiding trigger-based injection vectors via code reuse / Borrello, P.; Coppa, E.; D'Elia, D. C.; Demetrescu, C. - (2019), pp. 1962-1970. (Paper presented at the 34th Annual ACM Symposium on Applied Computing, SAC 2019, held in Limassol, Cyprus) [10.1145/3297280.3297472].
Files attached to this item

File: Borrello_Postoprint_The-ROP-Needle_2019.pdf
Access: open access
Note: https://dl.acm.org/citation.cfm?id=3297280.3297472
Type: Post-print (version after peer review, accepted for publication)
License: All rights reserved
Size: 459.6 kB
Format: Adobe PDF

File: Borrello_The-ROP-Needle_2019.pdf
Access: archive administrators only
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 863.75 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1282932
Citations
  • PubMed Central: not available
  • Scopus: 12
  • Web of Science (ISI): 5