IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for top malware.
The Security Intelligence article states that “almost 90 percent of exploit-based software attacks use the hostile ROP technique in the chain of attack.” The story also referenced a blog I wrote in June about how McAfee and Microsoft have developed a hardware-based solution. Leading companies are looking to prevent these types of attacks.
This problem is real, and will likely be a favorite method of attackers because of its effectiveness and stealth properties. Because ROP malware uses parts of trusted code, it is very difficult to detect and stop. Software solutions have tried in the past to stem the problem, but have largely been unsuccessful. Software fighting software is just too even a fight; attackers need to find only one way around preventive solutions to win. I hope the IBM solution has a positive effect, but am concerned about its long-term viability.
In the end, I believe the future of ROP security will be based on features embedded beneath the software, operating systems, virtual machines, and even the firmware. It will be located in the hardware processor itself. Hardware remains outside the maneuvering zone of software hackers, and thus can give a definitive advantage in securing the system from ROP-based attacks. The architecture can be designed to give advantages to secure computing practices, help operating systems be more secure, and compensate for vulnerable software.
Regardless of where the solution lies, it is very important for innovative minds to continue to work on taking the fangs out of ROP attacks.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.