SIGDROP: Signature-based ROP Detection using Hardware Performance Counters
SIGDROP addresses the need for efficient ROP detection in software security without requiring source code, binary access, or hardware modifications, though it appears incremental compared to existing defenses.
The paper tackles the problem of detecting Return-Oriented Programming (ROP) attacks by proposing SIGDROP, a low-cost method that uses hardware performance counters to identify patterns in hardware events during execution, achieving effective detection with acceptable performance overhead and negligible storage overhead.
Return-Oriented Programming (ROP) is a software exploit for system compromise. By chaining short instruction sequences from existing code pieces, ROP can bypass static code-integrity checking approaches and non-executable page protections. Existing defenses either require access to source code or binary, a customized compiler or hardware modifications, or suffer from high performance and storage overhead. In this work, we propose SIGDROP, a low-cost approach for ROP detection which uses low-level properties inherent to ROP attacks. Specifically, we observe special patterns of certain hardware events when a ROP attack occurs during program execution. Such hardware event-based patterns form signatures to flag ROP attacks at runtime. SIGDROP leverages Hardware Performance Counters, which are already present in commodity processors, to efficiently capture and extract the signatures. Our evaluation demonstrates that SIGDROP can effectively detect ROP attacks with acceptable performance overhead and negligible storage overhead.