Detecting and Preventing ROP Attacks using Machine Learning on ARM

As the ARM processor is receiving increased attention due to the fast growth of mobile technologies and the internet-of-things (IoT), it is simultaneously becoming the target of several control flow attacks such as return-oriented programming (ROP), which uses code present in the software system in order to exploit memory bugs. While some research can detect control flow attacks on architectures like x86, the ARM architecture has been neglected. In this paper, we investigate whether ROP attack detection and prevention based on hardware performance counters (HPC) and machine learning can be effectively transferred to the ARM architecture. Given the observation that ROP attacks exhibit different micro-architectural events compared to benign executions of a software, we evaluate whether and which HPCs, which track these hardware events, are indicative on ARM to detect control flow attacks. We collect data exploiting real-world vulnerable applications running on ARM-based Raspberry Pi machines. The collected data then serves as training data for different machine learning techniques. We also implement an online monitor consisting of a modified program loader, kernel module and a classifier, which labels a program's execution as benign or under attack, and stops its execution once the latter is detected. An evaluation of our approach provides detection accuracy of 92% for the offline training and 75% for the online monitoring, which demonstrates that variations in the HPCs are indicative of attacks on ARM architectures. The performance overhead of online monitoring evaluated on 8 real-world vulnerable applications exhibits a moderate 6.2% slowdown on average. The result of our evaluation indicates that the behavioral changes in micro-architectural events of the ARM platform can play a vital role in detecting memory attacks.