HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks

Abstract

Code reuse attacks such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) are the prevalent attack techniques which reuse code snippets named gadget in vulnerable applications and hijack control flow to achieve malicious behaviors. Existing defense techniques for code reuse attacks attempt to prevent illegal control flow transition or make locating gadgets a hard work. However, decades of the arms race proved the ability to detect and prevent advanced attacks is still outdated. In this paper, we propose HoneyGadget, a deception based approach for detecting code reuse attacks. HoneyGadget works by inserting honey gadgets into the application as decoys and keep track of their addresses once the application is loaded. During the execution phase, HoneyGadget traces the execution records using Last Branch Record (LBR), compares the LBR records with the maintained address list, and alarms code reuse attacks if some records match. HoneyGadget not only prevents code reuse attacks, but also provides LBR records for researchers to analyze patterns of these attacks. We have developed a fully functioning prototype of HoneyGadget. Our evaluation results show that HoneyGadget can capture code reuse attacks effectively and only incurs a modest performance overhead.