Detecting Code Reuse Attacks with a Model of Conformant Program Execution

Code reuse attacks circumvent traditional program protection mechanisms such as

$W \bigoplus X$

by constructing exploits from code already present within a process. Existing techniques to defend against these attacks provide ad hoc solutions or lack in features necessary to provide comprehensive and adoptable solutions. We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks. We define

conformant program execution

(

${\mathcal{CPE}}$

) as a set of requirements on program states. We demonstrate that code reuse attacks violate these requirements and thus can be detected; further, new exploit variations will not circumvent

${\mathcal{CPE}}$

. To provide an efficient and adoptable solution, we also define

observed conformant program execution

, which validates program state at system call invocations; we demonstrate that this relaxed model is sufficient to detect code reuse attacks. We implemented our algorithm in a tool, ROPStop, which operates on unmodified binaries, including running programs. In our testing, ROPStop accurately detected real exploits while imposing low overhead on a set of modern applications: 5.3% on SPEC CPU2006 and 6.3% on an Apache HTTP Server.