Abstract:Code reuse attacks (CRAs) and their defense technologies have been the hot topic in network security field. However, current defense technologies usually focus on a single type of attacks and can be easily bypassed by other attacks. This paper presents a method called RCMon to defend CRAs based on running characteristics monitoring to overcome this problem. RCMon defines the running characteristics model (RCMod) according to the realize theory of CRAs and designs a safety verification automaton to verify whether current status meets the constraints in the RCMod. When RCMon is implemented, monitor code is instrumented into the target executable directly so that target program will trap in the Hypervisor when it runs to monitoring nodes, then the construction of running characteristics databse and safety verifications will be both performed by the Hypervisor. The experiment results show that RCMon can effectively detect and defense mostly CRAs, and induces average 22% performance penalty.