Code-Reuse Attack Detection Using Kullback-Leibler Divergence in IoT

  • Ho, Jun-Won (Department of Information Security, Seoul Women's University)
  • Received : 2016.10.26
  • Accepted : 2016.11.25
  • Published : 2016.12.31


Code-reuse attacks are very dangerous in various systems. This is because they do not inject malicious codes into target systems, but reuse the instruction sequences in executable files or libraries of target systems. Moreover, code-reuse attacks could be more harmful to IoT systems in the sense that it may not be easy to devise efficient and effective mechanism for code-reuse attack detection in resource-restricted IoT devices. In this paper, we propose a detection scheme with using Kullback-Leibler (KL) divergence to combat against code-reuse attacks in IoT. Specifically, we detect code-reuse attacks by calculating KL divergence between the probability distributions of the packets that generate from IoT devices and contain code region addresses in memory system and the probability distributions of the packets that come to IoT devices and contain code region addresses in memory system, checking if the computed KL divergence is abnormal.


Supported by : National Research Foundation of Korea (NRF)


  1. J. Habibi, A. Panicker, A. Gupta, and E. Bertino, "DisARM: Mitigating Buffer Overflow Attacks on Embedded Devices", CERIAS Tech Report 2015-15, 2015.
  2. T. Bletsch, X. Jiang, V. Fresh, "Mitigating Code-Reuse Attacks with Control-Flow Locking", ACSAC, 2011.
  3. A. Follner, E. Bodden, "ROPocop - Dynamic mitigation code-reuse attacks", Journal of Information Security and Applications, 29, pp. 16-26, 2016.
  4. L. Davi, A-R. Sadeghi, D. Lehmann, F. Monrose, "Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection", Usenix Security, 2014.
  5. E. Goktas E. Athanasopoulos, M. Polychronakis, H. Bos, G. Portokalidis, "Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard", Usenix Security, 2014.
  6. L. Davi, C. Liebchen, A-R. Sadeghi, K. Z. Snow, F. Monrose, "Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming", NDSS, 2015.
  7. L. Davi, A-R. Sadeghi, M. Winandy, "ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks", ASIACCS, 2011.
  8. T.M. Cover, J.A. Thomas, "Elements of Information Theory, Wiley, 2006.
  9. R. Roemer, E. Buchanan, H. Shacham, and S. Savage, "Return-oriented programming: Systems, languages, and applications", ACM Transactions on Information and System Security, 15, 1 (Mar. 2012), 2:1-2:34.