ROPNN: Detection of ROP Payloads Using Deep Neural Networks
Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code (known as gadgets) to perform arbitrary operations on target machines. Existing detection mechanisms against ROP often rely on certain heuristic rules and/or require instrumentations to the program or the compiler. As a result, they exhibit low detection efficiency and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks, to detect ROP payloads in HTTP requests, PDF files, and images, etc. The disassembler treats application input data as code pointers to potential gadgets and aims to find any potential gadget chains. The identified potential gadget chains are then classified by the deep neural network as benign or malicious. We propose novel methods to generate the two training datasets, respectively, and process huge amount (TB-level) of raw input data to obtain sufficient training data. Our experiments show that ROPNN has high detection rate (98.3 very low false positive rate (0.01 scenario, we also test it against ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools Ropper and ROPC. ROPNN successfully detects all of the 80 exploits. Meanwhile, ROPNN is completely non-intrusive and does not incur any runtime overhead to the protected program.
READ FULL TEXT