during the past days I have been in Puerto Rico presenting at Malware 2011. Well, Puerto Rico is an amazing place and the conference was a “cozy” and “worm” place to share knowledge about Malware. A small and “family conference” this is my definition of Malware 2011, and for this particular reason it has been a very great one ! I had the pleasure to meet a lot of interesting people from Academia as well as from main Vendors. I totally suggest to attend to next Malware, 2012 because it is a great place where you might meet Academia and Professionals. Over many interesting papers today I suggest the winner of Malware 2011 -best paper award- from Michalis Polychronakis and Angelos D. Keromitys titled: ROP Payload Detection Using Speculative Code Execution.
Overview of the scanning process. If the 4-byte value at the current position does not correspond to a mapped executable memory page, the sliding window advances one byte (a). When a valid address is found, EIP and esp are initialized appropriately and a new execution begins (b).
Their presented a way to detect ROP Payload Detection by executing the code. Their technique speculatively drives the execution of code that already exists in the address space of a targeted process, and identifies the execution of valid ROP code at runtime. They made experiments which demonstrated their theory. Good Job guys !