Twisted-Stack: Stack randomization for mitigating (Just-in-time) return oriented programming

Return-Oriented Programming (ROP) is considered a highly threatening exploit technique. To mitigate ROP attacks, many researchers have proposed fine-grained Address Space Layout Randomization (ASLR), which is considered an efficient defense mechanism against ROP attacks. However, a new advanced ROP attack called JIT-ROP circumvents fine-grained ASLR by repeatedly disassembling code pages at runtime. To mitigate the JIT-ROP attack, many researchers have proposed leakage-resilient defenses. In this paper, we introduce Twisted-Stack, a new kind of approach that randomizes the stack pointer, which plays the role of the program counter in ROP attacks. More specifically, to mitigate the JIT-ROP attack, our solution places multiple stacks and randomly switches between them at each call and ret site. Because the stacks are switched randomly, the adversary loses control of the stack pointer at the ret site. Without control of the stack pointer, it is harder for the adversary to run a gadget. Even if one gadget is executed, the adversary loses control of the stack pointer and thus fails to execute the gadgets reliably, which is in effect equivalent to breaking the gadget chain. We have implemented Twisted-Stack as a compiler-based solution and evaluated it using the SPEC CPU2006 benchmark suites, which measure CPU-bound performance overhead. In our experiments, Twisted-Stack imposes a run-time overhead of 28% and a file-size overhead of 44%.
Advisors
Kang, Brent Byunghoon (강병훈)
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2017
Identifier
325007
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2017.2, [iv, 25 p.]

Keywords

Return-Oriented Programming; JIT-ROP; Just-in-time return-oriented programming attack; Memory disclosure attack mitigation; Gadget removal; leakage-resilient; Gadget-less; Randomization

URI
http://hdl.handle.net/10203/243498
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=675497&flag=dissertation
Appears in Collection
IS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
