Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.

1 Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

2 Paper Information Branch Regulation: Low-Overhead Protection from Code Reuse Attacks, in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12), June 2012. Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev, Department of Computer Science, State University of New York at Binghamton, {mkayaalp, mozsoy, nael, dima}@cs.binghamton.edu

3 Abstract While software-based full control flow integrity (CFI) checking can protect against CRAs (Code Reuse Attacks), it incurs significant overhead. We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI.

4 Background Knowledge : CRA (Code Reuse Attack)

5 Background Knowledge : ROP (Return-Oriented Programming) attack One of the most common CRAs. The attacker must identify gadgets, which are sequences of instructions in the victim program (including any linked-in libraries, e.g. libc, libm) that end with a return.

6 Background Knowledge : ROP (Return-Oriented Programming) attack

7 Background Knowledge : JOP (Jump-Oriented Programming) attack A new class of code-reuse attack. Thwarts certain anti-ROP defenses (these defenses check only the stack pointer value). JOP uses instruction sequences ending with an indirect jump or call. Instead of the stack, it uses a dispatcher table to jump to different locations. No known defenses against ROP prevent JOP attacks, so there is a critical need for techniques that prevent JOP attacks with low overhead.

8 Background Knowledge : Comparison between ROP and JOP

9 Background Knowledge : CFI (Control Flow Integrity) A powerful defense mechanism. Control-Flow Integrity (CFI): execution of a program dynamically follows only certain paths, in accordance with a static policy (a Control-Flow Graph). Dynamic checks and machine code rewriting. Control-Flow Graph (CFG): defined by analysis ahead of time (source code analysis, binary analysis, execution profiling). Enforcing full CFI at the branch level should completely protect from ROP and JOP attacks, but CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite.

10 Branch Regulation (BR) A technique that defends against CRAs by enforcing simple control flow invariants present in function-based programming languages. With simple hardware support, BR works by enforcing 3 rules (RET, indirect JMP, CALL).

11 Branch Regulation (BR) – Enforcing BR Rules Unintended Branches

12 Branch Regulation (BR) – Why Hardware? 1. For performance (binary size and execution time). 2. More importantly, for security reasons: an unintended branch will not appear in the CFG and will not be checked by the software CFI implementation.

13 Branch Regulation (BR) – Unintended Branch example

14 BR Implementation Details - Architectural Support for BR BR checks are performed in hardware.

15 Performance Evaluation of BR (1) Look inside

16 Performance Evaluation of BR (2) Look inside

17 Conclusion In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs). BR limits the target addresses of branches to be either within the same function or at the start of another function. It reduces the ability of the attacker to find exploitable gadgets needed for the CRA, with small overhead (2% performance loss, about 1% binary size increase).
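
A software model of the invariant stated in the conclusion (a branch target must lie within the same function or at the start of another function), added here as an example and not taken from the slides or the paper. The function table, names and addresses are constructed, and the per-instruction RET, indirect JMP and CALL rules, which the slides do not spell out, are not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed function table: [start, end) ranges sorted by start.
   Names and addresses are made up for this example. */
struct func { const char *name; uint32_t start, end; };
static const struct func funcs[] = {
    { "parse_input", 0x1000, 0x1080 },
    { "copy_field",  0x1080, 0x10c4 },
    { "log_error",   0x10c4, 0x1200 },
};
static const size_t nfuncs = sizeof funcs / sizeof funcs[0];

/* Binary search for the function containing addr; NULL if none. */
static const struct func *find_func(uint32_t addr)
{
    size_t lo = 0, hi = nfuncs;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < funcs[mid].start)     hi = mid;
        else if (addr >= funcs[mid].end) lo = mid + 1;
        else return &funcs[mid];
    }
    return NULL;
}

/* 1 if a branch from src to dst stays inside src's function or lands
   on the first address of another function, 0 otherwise. */
int br_target_allowed(uint32_t src, uint32_t dst)
{
    const struct func *from = find_func(src);
    const struct func *to   = find_func(dst);
    if (from == NULL || to == NULL) return 0;  /* outside known code */
    if (from == to) return 1;                  /* same function */
    return dst == to->start;                   /* entry of another function */
}

/* Count byte addresses in the table's code range that src may branch to. */
unsigned count_allowed_targets(uint32_t src)
{
    unsigned n = 0;
    for (uint32_t a = funcs[0].start; a < funcs[nfuncs - 1].end; a++)
        n += (unsigned)br_target_allowed(src, a);
    return n;
}

int main(void)
{
    printf("legal targets from 0x1010: %u of 512\n", count_allowed_targets(0x1010));
    return 0;
}
```

Counting at byte granularity reflects the unintended-branch case from the slides: an address in the middle of another function is rejected even if it decodes as a valid instruction sequence.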

