Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.


1 Using Instruction Block Signatures to Counter Code Injection Attacks
  Milena Milenković, Aleksandar Milenković, Emil Jovanov
  The University of Alabama in Huntsville
  {milenkm | milenka |

2 LaCASA WASSA 2004 st r2,(r3) mul r3,3 st r2,(r3) ld r1,(r3) add r1,r2 jmp (r1) 2/26
  Introduction
  - Most of today's computing platforms connected to the Internet → security is a critical issue
  - Even more so in the future
  - One of the major security problems: the execution of unauthorized code
  - Attack examples:
    - buffer overflow (heap, stack)
    - format string attack

3 Introduction
  - Available chip area: predominantly used for faster execution
  - Dedicated processor resources should be used to provide more secure execution
  - Hardware-supported techniques: lower overhead
  - We propose processor extensions that allow execution of trusted instructions only, by verifying instruction block signatures

4 Overview
  - Introduction
  - Related work
  - Processor extensions for trusted instruction execution
  - Preliminary results
  - Conclusion

5 Related Work
  Two categories of defense techniques:
  - Software-based
    - Static: detect defects in the code at compile time
    - Dynamic: detect/prevent attacks at run time
  - With hardware support

6 Related Work
  Static software techniques
  - Completely automated tools for code analysis
    - Precise but not scalable
    - Lightweight but imprecise
  - Programmer-assisted tools
  Dynamic software techniques
  - Augment the code for run-time attack detection and/or prevention
    - Compilers, safe language dialects, binary modification
  - Monitoring program behavior
    - System calls, performance monitoring registers
  - Code and address obfuscation
    - Randomized virtual addresses, code scrambling

7 Related Work
  - Software-based techniques: performance overhead, false positives/negatives
  - Defense with hardware support
    - Xu et al. (2002), Lee et al. (2003), Ozdoganoglu et al. (2003): Secure stack
    - Kirovski et al. (2002): Secure Program Execution Framework (SPEF): code transformed using a secret processor key
    - Suh et al. (2004): Prevent any change in control flow based on data from "spurious" channels

8 Overview
  - Introduction
  - Related work
  - Processor extensions for trusted instruction execution
  - Preliminary results
  - Conclusion

9 Mechanism for Trusted Instruction Execution
  - A block of instructions is protected by its signature
  - Signatures are calculated during secure program installation
  - Signature verification is overlapped with execution
  - Verification is performed only for a block that caused at least one instruction cache miss

10 Signature Architecture Implementations
  Classified by signature placement (embedded or table) and protected block (basic block or cache block):
  - SIGEB: embedded, basic block
  - SIGEC: embedded, cache block
  - SIGTC: table, cache block
  - SIGTB: table, basic block

11 SIGTB: Processor/Memory Modifications
  [Figure: block diagram with labels Processor, Memory, IF, Control, Datapath, FPUs, MMU, L1I, L1D, IBST, IBSVU, IBST_M, Code, Heap, Stack]

12 SIGTB: Compilation and Program Installation
  - Signatures are generated during secure installation using a MISR with coefficients dependent on a secret processor key, and then encrypted
  [Figure: flow diagram with labels Source code, Compilation, Binary, BB list, Installation, BB_M, Binary]

13 SIGTB: Program Execution
  [Figure: IBSVU diagram with labels IBST, Combinational Logic (MISR), IR, ICacheMiss, NewIB, CB.S, CB.SA, LB.S, LB.SA, PCSA]

14 SIGTB: Program Execution
  [Figure: IBSVU diagram with labels IBST, Combinational Logic (MISR), IR, ICacheMiss, NewIB, CB.S, CB.SA, LB.S, LB.SA, PCSA]

15 SIGEB: Compilation and Program Installation
  [Figure: flow diagram with labels Source code, Compilation, Binary, BB list, Installation, Binary + Sigs]

16 SIGEC: Compilation and Program Installation
  - No compiler support needed, no change of the ISA
  [Figure: flow diagram with labels Original Binary, Installation, Binary + Sigs]

17 SIGEC: Program Execution
  - Signatures are "stripped" before a block enters the cache
  [Figure: binary in memory as a sequence of cache blocks (CB i), each with its signature (Sig i); words W0, W1, W2, W3 ... W15 and Sig pass through the IBSV in the cache controller; labels Memory, Cache Controller, To cache memory]
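
A software model of the SIGEC flow from slides 9, 12 and 17, added here as an illustration and not taken from the presentation: installation appends a MISR signature after each 16-word block, and a cache miss recomputes it, compares, and strips it. The tap derivation, the key value and the sample "binary" are assumptions; the encryption of signatures mentioned on slide 12 is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_WORDS 16               /* W0..W15 per cache block (SIGEC slide) */
#define SLOT_WORDS (BLOCK_WORDS + 1) /* block plus its embedded signature */

/* Assumption: the slides only say the MISR coefficients depend on a secret
   processor key. Here the key is the tap mask, with the top bit forced on so
   each step is invertible and no error bit shifts out unnoticed. */
static uint32_t misr_step(uint32_t state, uint32_t word, uint32_t key) {
    uint32_t taps = key | 0x80000000u;
    uint32_t fb = (state & 1u) ? taps : 0u;
    return (state >> 1) ^ fb ^ word;
}

uint32_t block_signature(const uint32_t *w, uint32_t key) {
    uint32_t s = 0;
    for (int i = 0; i < BLOCK_WORDS; i++) s = misr_step(s, w[i], key);
    return s;
}

/* Secure installation: emit each block followed by its signature word. */
void install(const uint32_t *bin, size_t nblocks, uint32_t key, uint32_t *image) {
    for (size_t b = 0; b < nblocks; b++) {
        uint32_t *slot = image + b * SLOT_WORDS;
        memcpy(slot, bin + b * BLOCK_WORDS, BLOCK_WORDS * sizeof *bin);
        slot[BLOCK_WORDS] = block_signature(slot, key);
    }
}

/* I-cache miss on block b: recompute, compare, strip the signature.
   Returns 0 and fills the line if trusted, -1 if the fetch must trap.
   (Hardware overlaps this with execution; the model is sequential.) */
int fetch_block(const uint32_t *image, size_t b, uint32_t key, uint32_t *line) {
    const uint32_t *slot = image + b * SLOT_WORDS;
    if (block_signature(slot, key) != slot[BLOCK_WORDS]) return -1;
    memcpy(line, slot, BLOCK_WORDS * sizeof *line);
    return 0;
}

int main(void) {
    const uint32_t key = 0x5EC0DE17u;        /* constructed key */
    uint32_t bin[2 * BLOCK_WORDS], image[2 * SLOT_WORDS], line[BLOCK_WORDS];
    for (int i = 0; i < 2 * BLOCK_WORDS; i++) bin[i] = 0x10000000u + i; /* constructed "code" */
    install(bin, 2, key, image);
    printf("clean block 1: %d\n", fetch_block(image, 1, key, line));
    image[SLOT_WORDS + 3] ^= 0x00000400u;    /* one word altered in memory */
    printf("altered block 1: %d\n", fetch_block(image, 1, key, line));
    return 0;
}
```

Because a MISR is linear, detection here rests on the taps staying secret, which is why the slides pair key-dependent coefficients with encryption of the stored signatures.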

18 Overview
  - Introduction
  - Related work
  - Processor extensions for trusted instruction execution
  - Preliminary results
  - Conclusion

19 Preliminary Results: Methodology
  - SPEC CPU2000 benchmarks
  - SIGTB, SIGEB: functional trace-driven simulator
  - SIGEC: modified SimpleScalar sim-outorder
    - latency due to additional memory accesses
    - latency due to TLB misses
  - L1 cache: 32K, 64B line, 4 way, LRU
  - Code expansion effects: not included

20 Preliminary Results: Measures
  - SIGTB: Number of IBST misses
    - IBST miss causes additional memory accesses
  - SIGEB: Number of cache misses
    - Signatures are fetched into cache with instructions
  - SIGEC: IPC

21 Preliminary Results: SIGTB

22 Preliminary Results: SIGEB

23 Preliminary Results: SIGEC

24 Pros & Cons
  Columns: Compiler support; Hardware complexity; Performance overhead; Crypto security; Cache-less; ISA change
  (Row values in slide order; merged or empty cells did not survive extraction, so values are not aligned to the columns.)
  - SIGEB: Yes, Low, Medium to high, Medium, Yes
  - SIGEC: No, Low, Medium, No
  - SIGTB: Yes, Medium, High, Yes, No
  - SIGTC: No, Medium, Low to medium, High, No

25 Overview
  - Introduction
  - Related work
  - Processor extensions for trusted instruction execution
  - Preliminary results
  - Conclusion

26 Conclusion
  Contributions:
  - Proposal of an architecture for trusted program execution
  - Three implementations of the proposed extensions
  - Initial performance evaluation: promising
  Future work:
  - Cycle-by-cycle detailed simulation
  - The effects of signature decryption and context switching
  - Power analysis

