Home » Publication » 18535

Dettaglio pubblicazione

2019, SAC '19 Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, Pages 1962-1970

The ROP needle: Hiding trigger-based injection vectors via code reuse (04b Atto di convegno in volume)

Borrello P., Coppa E., D'Elia D. C., Demetrescu C.

In recent years, researchers have come up with proof of concepts of seemingly benign applications such as InstaStock and Jekyll that remain dormant until triggered by an attacker-crafted condition, which activates a malicious behavior, eluding code review and signing mechanisms. In this paper, we make a step forward by describing a stealthy injection vector design approach based on Return Oriented Programming (ROP) code reuse that provides two main novel features: 1) the ability to defer the specification of the malicious behavior until the attack is struck, allowing fine-grained targeting of the malware and reuse of the same infection vector for delivering multiple payloads over time; 2) the ability to conceal the ROP chain that specifies the malicious behavior to an analyst by using encryption. We argue that such an infection vector might be a dangerous weapon in the hands of advanced persistent threat actors. As an additional contribution, we report on a preliminary experimental investigation that seems to suggest that ROP-encoded malicious payloads are likely to pass unnoticed by current security solutions, making ROP an effective malware design ingredient.
ISBN: 9781450359337
Gruppo di ricerca: Cybersecurity
© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma