RopSteg: Program steganography with return oriented programming

Kangjie Lu, Siyang Xiong, Debin Gao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

31 Scopus citations


Many software obfuscation techniques have been proposed to hide program instructions or logic and to make reverse engineering hard. In this paper, we introduce a new property in software obfuscation, namely program steganography, where certain instructions are "diffused" in others in such a way that they are non-existent until program execution. Program steganography does not raise suspicion in program analysis, and conforms to the W ⊕ X and mandatory code signing security mechanisms. We further implement Rop- Steg, a novel software obfuscation system, to provide (to a certain degree) program steganography using return-oriented programming. We apply RopSteg to eight Windows executables and evaluate the program steganography property in the corresponding obfuscated programs. Results show that RopSteg achieves program steganography with a small overhead in program size and execution time. RopSteg is the fist attempt of driving return-oriented programming from the "dark side", i.e., using return-oriented programming in a non-attack application. We further discuss limitations of RopSteg in achieving program steganography.

Original languageEnglish (US)
Title of host publicationCODASPY 2014 - Proceedings of the 4th ACM Conference on Data and Application Security and Privacy
PublisherAssociation for Computing Machinery
Number of pages8
StatePublished - Jan 1 2014
Event4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014 - San Antonio, TX, United States
Duration: Mar 3 2014Mar 5 2014


Other4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014
Country/TerritoryUnited States
CitySan Antonio, TX


  • Code obfuscation
  • Program steganography
  • Return-oriented programming
  • Watermarking


Dive into the research topics of 'RopSteg: Program steganography with return oriented programming'. Together they form a unique fingerprint.

Cite this