DOI QR코드

DOI QR Code

Detecting code reuse attack using RNN

RNN을 이용한 코드 재사용 공격 탐지 방법 연구

  • Kim, Jin-sub (Graduate School of Information Security, Korea University) ;
  • Moon, Jong-sub (Graduate School of Information Security, Korea University)
  • 투고 : 2018.04.12
  • 심사 : 2018.05.05
  • 발행 : 2018.06.30

초록

A code reuse attack is an attack technique that can execute arbitrary code without injecting code directly into the stack by combining executable code fragments existing in program memory and executing them continuously. ROP(Return-Oriented Programming) attack is typical type of code reuse attack and serveral defense techniques have been proposed to deal with this. However, since existing methods use Rule-based method to detect attacks based on specific rules, there is a limitation that ROP attacks that do not correspond to previously defined rules can not be detected. In this paper, we introduce a method to detect ROP attack by learning command pattern used in ROP attack code using RNN(Recurrent Neural Network). We also show that the proposed method effectively detects ROP attacks by measuring False Positive Ratio, False Negative Ratio, and Accuracy for normal code and ROP attack code discrimination.

코드 재사용 공격은 프로그램 메모리상에 존재하는 실행 가능한 코드 조각을 조합하고, 이를 연속적으로 실행함으로써 스택에 직접 코드를 주입하지 않고도 임의의 코드를 실행시킬 수 있는 공격 기법이다. 코드 재사용 공격의 대표적인 종류로는 ROP(Return-Oriented Programming) 공격이 있으며, ROP 공격에 대응하기 위한 여러 방어기법들이 제시되어왔다. 그러나 기존의 방법들은 특정 규칙을 기반으로 공격을 탐지하는 Rule-base 방식을 사용하기 때문에 사전에 정의한 규칙에 해당되지 않는 ROP 공격은 탐지할 수 없다는 한계점이 존재한다. 본 논문에서는 RNN(Recurrent Neural Network)을 사용하여 ROP 공격 코드에 사용되는 명령어 패턴을 학습하고, 이를 통해 ROP 공격을 탐지하는 방법을 소개한다. 또한 정상 코드와 ROP 공격 코드 판별에 대한 False Positive Ratio, False Negative Ratio, Accuracy를 측정함으로써 제안한 방법이 효과적으로 ROP 공격을 탐지함을 보인다.

키워드

참고문헌

  1. P.Bania, "Security Mitigations for Return-Oriented Programming Attacks", http://piotrbania.com/all/articles/pbania_rop_mitigations2010.pdf, 2010.
  2. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, "DROP: Detecting return-oriented programming malicious code", 5th Internationak Conference on Information System Security, LNCS Vol 5905, pp. 163-177, 2009. https://link.springer.com/chapter/10.1007%2F978-3-642-10772-6_13
  3. K. Cho, B. van Merrienboer, C. Gulcehre, D. Bahdanau, F. Bougares, H. Schwenk, and Y. Bengio, "Learning phrase representations using RNN encoder-decoder for statistical machine translation", Empirical Methods in Natural Language Processing, pp. 1724-1734, 2014.
  4. S. Hochreiter, and J. Schmidhuber, "Long Short-Term Memory", Neural computation, 1997.
  5. P. J. Werbos, "Backpropagation through time: what it does and how to do it", Proceedings of the IEEE, 1990.
  6. M. Kayaalp, T. Schmitt, J. Nomani, D. Ponomarev, and N. Abu-Ghazaleh, "Scrap: Architecture for signature-based protection from code reuse attacks", Proceedings of the 2013 IEEE conference on High Performance Computer Architecture, 2013.
  7. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating return-oriented rootkits with return-less kernels". 5th ACM SIGOPS EuroSys conference, 2010.
  8. CK. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, "Pin: Building customized program analysis tools with dynamic instrumentation", PLDI '05 Proceedings of the ACM SIGPLAN conference on Programming language design and inplementaion, pp. 190-200, 2005.
  9. Microsoft, Data Execution Prevention(DEP), http://support.microsoft.com/kb/875352/EN-US/, 2006.
  10. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-free: Defeating return-oriented programming through gadget-less binaries", ACSAC '10 Proceedings of the 26th Annual Computer Security Applications Conference, pp. 49-58, 2010.
  11. H.Shacham, "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)", CCS '07 Proceedings of the 14th ACM conference on Computer and Communicatopns Security, pp. 552-56, 2007.
  12. K. Yao, B. Peng, Y. Zhang, D. Yu, G. Zweig, and Y. Shi, "Spoken Language Understanding Using Long Short-Term Memory Neural Network", IEEE - Institute of Electrical and Electronics Engineers, 2014.
  13. K. Yao, B. Peng, G. Zweig, D. Yu, X. Li, and F. Gao, "Recurrent Conditional Random Field For Language Understanding", IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), 2014. https://doi.org/10.1109/ICASSP.2014.6854368