TY - GEN
T1 - DeRop
T2 - 27th Annual Computer Security Applications Conference, ACSAC 2011
AU - Lu, Kangjie
AU - Zou, Dabi
AU - Wen, Weiping
AU - Gao, Debin
PY - 2011
Y1 - 2011
N2 - Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attack techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent to the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malware samples and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.
AB - Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attack techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent to the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malware samples and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.
KW - Malware analysis
KW - Return-oriented programming
UR - http://www.scopus.com/inward/record.url?scp=84855711130&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84855711130&partnerID=8YFLogxK
U2 - 10.1145/2076732.2076784
DO - 10.1145/2076732.2076784
M3 - Conference contribution
AN - SCOPUS:84855711130
SN - 9781450306720
T3 - ACM International Conference Proceeding Series
SP - 363
EP - 372
BT - Proceedings - 27th Annual Computer Security Applications Conference, ACSAC 2011
Y2 - 5 December 2011 through 9 December 2011
ER -
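The abstract above describes deRop as a converter that turns a ROP chain into semantically equivalent straight-line shellcode. The following is an added illustration of that core idea, not code from the deRop paper or its authors. It uses a constructed toy instruction set and a constructed "victim" text segment in place of real x86 gadgets, so that no disassembler is needed: the converter walks the attacker's stack once, copies each gadget body into the output, rewrites every `pop reg` into `mov reg, imm` using the value the chain would have supplied, and drops the `ret` that chains gadgets together. An emulator then runs both the original chain and the converted code and compares the resulting machine state. The opcode names, register count, addresses and chain contents are all assumptions made for this example; a real converter additionally has to deal with memory accesses, gadgets whose behaviour depends on the stack pointer, conditional control flow and overlapping x86 instructions, none of which the toy ISA models.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy instruction set standing in for x86 (assumption for this example).
 * OP_INVALID = 0 so that unfilled text slots are not executable. */
typedef enum { OP_INVALID = 0, OP_POP, OP_MOV_IMM, OP_ADD, OP_XOR, OP_SYSCALL, OP_RET } Op;
typedef struct { Op op; int r1, r2; uint32_t imm; } Insn;
static const char *opname[] = { "invalid", "pop", "mov_imm", "add", "xor", "syscall", "ret" };

#define NREGS 4
typedef struct { uint32_t r[NREGS]; int syscalls; uint32_t last_sc_arg; } State;

/* Constructed "victim binary": a flat text segment indexed by address.
 * Every gadget ends in RET, exactly like the targets of a real ROP payload. */
#define TEXT_LEN 24
static const Insn text_seg[TEXT_LEN] = {
    [4]  = {OP_POP, 0},    [5]  = {OP_RET},   /* 0x04: pop r0; ret       */
    [8]  = {OP_POP, 1},    [9]  = {OP_RET},   /* 0x08: pop r1; ret       */
    [12] = {OP_ADD, 0, 1}, [13] = {OP_RET},   /* 0x0c: add r0, r1; ret   */
    [16] = {OP_XOR, 2, 2}, [17] = {OP_RET},   /* 0x10: xor r2, r2; ret   */
    [20] = {OP_SYSCALL},   [21] = {OP_RET},   /* 0x14: syscall; ret      */
};

/* Constructed attacker stack: gadget addresses interleaved with the values
 * the pop gadgets consume. Net effect: syscall with r0 = 0x42, r1 = 0x1000. */
static const uint32_t rop_chain[] = { 4, 0x41, 8, 0x01, 12, 16, 8, 0x1000, 20 };
#define CHAIN_LEN (sizeof rop_chain / sizeof rop_chain[0])

/* Semantics of the non-control-flow instructions; POP and RET are handled
 * by the callers because they are the stack-dependent "ROP glue". */
static void step(State *s, const Insn *i) {
    switch (i->op) {
    case OP_MOV_IMM: s->r[i->r1] = i->imm; break;
    case OP_ADD:     s->r[i->r1] += s->r[i->r2]; break;
    case OP_XOR:     s->r[i->r1] ^= s->r[i->r2]; break;
    case OP_SYSCALL: s->syscalls++; s->last_sc_arg = s->r[1]; break;
    default: break;
    }
}

/* Run the chain the way the CPU would: each RET pops the next gadget
 * address, each POP consumes a value from the same stack. 0 on success,
 * -1 if execution runs off the chain or lands on a non-gadget address. */
static int emulate_rop(const uint32_t *chain, size_t n, State *s) {
    size_t sp = 0;
    memset(s, 0, sizeof *s);
    while (sp < n) {
        uint32_t pc = chain[sp++];
        for (;;) {
            if (pc >= TEXT_LEN || text_seg[pc].op == OP_INVALID) return -1;
            const Insn *i = &text_seg[pc++];
            if (i->op == OP_RET) break;
            if (i->op == OP_POP) { if (sp >= n) return -1; s->r[i->r1] = chain[sp++]; }
            else step(s, i);
        }
    }
    return 0;
}

/* The conversion: walk the chain statically, copy each gadget body, turn
 * POP into MOV_IMM with the value the chain supplies, and drop the RET.
 * Returns the number of instructions emitted, or -1 on a malformed chain. */
static int derop(const uint32_t *chain, size_t n, Insn *out, size_t cap) {
    size_t sp = 0, k = 0;
    while (sp < n) {
        uint32_t pc = chain[sp++];
        for (;;) {
            if (pc >= TEXT_LEN || text_seg[pc].op == OP_INVALID) return -1;
            Insn i = text_seg[pc++];
            if (i.op == OP_RET) break;
            if (i.op == OP_POP) { if (sp >= n) return -1; i.op = OP_MOV_IMM; i.imm = chain[sp++]; }
            if (k >= cap) return -1;
            out[k++] = i;
        }
    }
    return (int)k;
}

/* Straight-line execution of the converted code: no stack involved. */
static void emulate_linear(const Insn *code, int n, State *s) {
    memset(s, 0, sizeof *s);
    for (int k = 0; k < n; k++) step(s, &code[k]);
}

/* 1 if any stack-dependent glue survived conversion (it must not). */
static int has_rop_glue(const Insn *code, int n) {
    for (int k = 0; k < n; k++)
        if (code[k].op == OP_POP || code[k].op == OP_RET) return 1;
    return 0;
}

/* Number of instructions the constructed chain converts to (expected 6). */
static int derop_count(void) { Insn buf[64]; return derop(rop_chain, CHAIN_LEN, buf, 64); }

/* 1 if the converted code reaches the same state as executing the chain. */
static int derop_chain_is_equivalent(void) {
    Insn code[64]; State a, b;
    int n = derop(rop_chain, CHAIN_LEN, code, 64);
    if (n < 0 || emulate_rop(rop_chain, CHAIN_LEN, &a) != 0) return 0;
    emulate_linear(code, n, &b);
    return !has_rop_glue(code, n) && memcmp(&a, &b, sizeof a) == 0;
}

/* Edge case: a chain that ends inside a pop gadget must be rejected, not
 * silently converted with a made-up immediate. */
static int derop_rejects_truncated_chain(void) {
    static const uint32_t bad[] = { 4 };
    Insn buf[8];
    return derop(bad, 1, buf, 8) == -1;
}

int main(void) {
    Insn code[64];
    int n = derop(rop_chain, CHAIN_LEN, code, 64);
    for (int k = 0; k < n; k++)
        printf("%-8s r%d r%d 0x%x\n", opname[code[k].op], code[k].r1, code[k].r2, code[k].imm);
    printf("equivalent: %d\n", derop_chain_is_equivalent());
    return 0;
}
```

The point a defender cares about is the last check: the converted code contains no gadget addresses and no stack-relative glue, so a signature or behaviour scanner that understands ordinary shellcode can be pointed at it unchanged, while the emulator comparison is the semantic-equivalence test a converter must pass before its output is trusted.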