Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.


Paper Information Branch Regulation: Low-Overhead Protection from Code Reuse Attacks, in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA '12), June 2012. Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev, Department of Computer Science, State University of New York at Binghamton. fmkayaalp, mozsoy, nael,

Abstract While software-based full control flow integrity (CFI) checking can protect against CRAs (Code Reuse Attacks), it incurs significant overhead. We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI.

Background Knowledge : CRA (Code Reuse Attack)

Background Knowledge : ROP (Return-Oriented Programming) attack One of the most common CRAs. The attacker first identifies gadgets: short instruction sequences already present in the victim program (including any linked-in libraries, e.g. libc, libm) that end with a return instruction. Having corrupted the stack (for example through a buffer overflow), the attacker places a chain of gadget addresses where return addresses are expected; each RET pops the next address and transfers control to the next gadget, so arbitrary computation is performed without injecting any code.


Background Knowledge : JOP (Jump-Oriented Programming) attack A newer class of code reuse attack. It thwarts certain anti-ROP defenses, namely those that only check the stack pointer or the return-address stack. JOP gadgets end with an indirect jump or indirect call instead of a return. Instead of the stack, a dispatcher gadget walks a dispatch table of gadget addresses and jumps to each in turn. Because no known anti-ROP defense prevents JOP, there is a critical need for techniques that stop JOP attacks with low overhead.

Background Knowledge : Comparison between ROP and JOP

Background Knowledge : CFI (Control Flow Integrity) A powerful defense mechanism. Control-Flow Integrity (CFI): the execution of a program is only allowed to follow paths permitted by a static policy, a Control-Flow Graph (CFG), enforced by dynamic checks inserted through machine-code rewriting. The CFG is defined by analysis ahead of time: source code analysis, binary analysis or execution profiling. Enforcing full CFI at the branch level should completely protect against ROP and JOP attacks, but the software checks are expensive: CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite.

Branch Regulation (BR) A technique that defends against CRAs by enforcing simple control-flow invariants that already hold in function-based programming languages, using simple hardware support. BR enforces 3 rules, one per branch type: a CALL may only target the start of a function; a RET may only return into the function that made the call; an indirect JMP may only target an address inside the current function or the start of another function. Gadgets that end in a branch violating one of these rules can no longer be chained.
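The three rules above, modelled as a small software simulator. This is an added example written for this page, not the authors' hardware or code: the function-bounds table, the addresses and the branch traces are all constructed, and the "secure call stack" is a plain array that records which function issued each CALL. It shows why a classic ROP chain (RET into the middle of another function) and a JOP dispatcher (indirect JMP into the middle of another function) are both rejected, while ordinary calls, returns and intra-function jumps pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed function-bounds table: [start, end) address ranges.
   Names and addresses are made up for this example. */
typedef struct { uint64_t start, end; const char *name; } func_t;

static const func_t FUNCS[] = {
    { 0x1000, 0x1100, "main"    },
    { 0x1100, 0x1200, "process" },
    { 0x1200, 0x1300, "helper"  },
};
enum { NFUNCS = sizeof FUNCS / sizeof FUNCS[0], SCS_DEPTH = 64 };

typedef enum { BR_CALL, BR_RET, BR_IJMP } br_kind;

/* Model of the hardware state: the function currently executing and a
   call stack that remembers which function issued each CALL. */
typedef struct { int cur; int scs[SCS_DEPTH]; int depth; } br_state;

static int func_of(uint64_t addr) {
    for (int i = 0; i < NFUNCS; i++)
        if (addr >= FUNCS[i].start && addr < FUNCS[i].end) return i;
    return -1;
}

static bool is_entry(uint64_t addr) {
    int i = func_of(addr);
    return i >= 0 && FUNCS[i].start == addr;
}

static void br_init(br_state *s, uint64_t pc) { s->cur = func_of(pc); s->depth = 0; }

/* Apply one BR rule to a branch; false means the hardware would raise
   a BR violation instead of committing the branch. */
static bool br_check(br_state *s, br_kind kind, uint64_t target) {
    int tf = func_of(target);
    if (tf < 0) return false;                 /* target outside every known function */
    switch (kind) {
    case BR_CALL:                             /* CALL: only to a function entry */
        if (!is_entry(target) || s->depth == SCS_DEPTH) return false;
        s->scs[s->depth++] = s->cur;
        s->cur = tf;
        return true;
    case BR_RET:                              /* RET: only back into the calling function */
        if (s->depth == 0 || tf != s->scs[s->depth - 1]) return false;
        s->cur = s->scs[--s->depth];
        return true;
    case BR_IJMP:                             /* indirect JMP: stay inside the current
                                                 function, or land on a function entry */
        if (tf == s->cur) return true;
        if (is_entry(target)) { s->cur = tf; return true; }
        return false;
    }
    return false;
}

typedef struct { br_kind kind; uint64_t target; } branch;

/* Run a branch trace starting in the function containing start_pc.
   Returns the index of the first violating branch, or -1 if all pass. */
static int br_run(uint64_t start_pc, const branch *trace, size_t n) {
    br_state s;
    br_init(&s, start_pc);
    for (size_t i = 0; i < n; i++)
        if (!br_check(&s, trace[i].kind, trace[i].target)) return (int)i;
    return -1;
}

/* Constructed traces. */
static const branch benign[] = {            /* normal call/return behaviour */
    { BR_CALL, 0x1100 }, { BR_IJMP, 0x1150 }, { BR_RET, 0x1020 },
    { BR_CALL, 0x1200 }, { BR_RET, 0x1030 },
};
static const branch rop_chain[] = {         /* RET into the middle of helper */
    { BR_CALL, 0x1100 }, { BR_RET, 0x1250 },
};
static const branch jop_chain[] = {         /* dispatcher JMP into the middle of helper */
    { BR_IJMP, 0x1010 }, { BR_IJMP, 0x1280 },
};
static const branch mid_call[] = { { BR_CALL, 0x1180 } };  /* CALL past the entry */

static int check_benign(void)  { return br_run(0x1000, benign, 5); }
static int check_rop(void)     { return br_run(0x1000, rop_chain, 2); }
static int check_jop(void)     { return br_run(0x1000, jop_chain, 2); }
static int check_midcall(void) { return br_run(0x1000, mid_call, 1); }

int main(void) {
    printf("benign trace: first violation at %d\n", check_benign());   /* -1 */
    printf("ROP chain:    first violation at %d\n", check_rop());      /* 1 */
    printf("JOP chain:    first violation at %d\n", check_jop());      /* 1 */
    printf("mid-function CALL: first violation at %d\n", check_midcall()); /* 0 */
    return 0;
}
```

The simulator checks every branch that executes, not every branch the compiler emitted, which is exactly the property a hardware implementation has and a binary-rewriting CFI tool lacks (see the unintended-branch slides below).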

Branch Regulation (BR) – Enforcing BR Rules: Unintended Branches

Branch Regulation (BR) – Why Hardware? 1. For performance: no instrumentation code, so little binary size and execution time overhead. 2. More importantly, for security: on a variable-length ISA such as x86, a branch instruction can start in the middle of an intended instruction. Such an unintended branch does not appear in the CFG and is never checked by a software CFI implementation, whereas hardware checks every branch that actually executes.

Branch Regulation (BR) – Unintended Branch example
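To make the unintended-branch problem concrete, here is an added example (not from the paper or the slides) that scans a hand-assembled x86-64 snippet byte by byte for branch opcodes and reports which hits fall on an intended instruction boundary. The code bytes, the instruction boundaries and the immediates are constructed: the two MOV immediates were chosen so that a RET (c3) and a JMP rax (ff e0) are hidden inside them. The scanner is deliberately simple (no prefixes, only the FF /2 and FF /4 forms) and is not a disassembler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { HIT_RET, HIT_JMP, HIT_CALL } hit_kind;
typedef struct { size_t off; hit_kind kind; bool intended; } hit;

/* Constructed x86-64 snippet, assembled by hand for this example:
     0: 48 89 e5                mov  rbp, rsp
     3: c7 45 fc c3 00 00 00    mov  dword [rbp-4], 0xc3
    10: b8 ff e0 00 00          mov  eax, 0xe0ff
    15: 5d                      pop  rbp
    16: c3                      ret
   Offset 6 holds c3 (RET) and offsets 11-12 hold ff e0 (JMP rax),
   both inside immediates and therefore absent from a static CFG. */
static const uint8_t CODE[] = {
    0x48, 0x89, 0xe5,
    0xc7, 0x45, 0xfc, 0xc3, 0x00, 0x00, 0x00,
    0xb8, 0xff, 0xe0, 0x00, 0x00,
    0x5d,
    0xc3,
};
static const size_t BOUNDS[] = { 0, 3, 10, 15, 16 };   /* intended instruction starts */
enum { NBOUNDS = sizeof BOUNDS / sizeof BOUNDS[0], MAX_HITS = 16 };

static bool on_boundary(size_t off, const size_t *bounds, size_t nb) {
    for (size_t i = 0; i < nb; i++)
        if (bounds[i] == off) return true;
    return false;
}

/* Byte-granular scan, ignoring the intended decoding:
   c3 = RET; ff /2 = CALL r/m; ff /4 = JMP r/m (reg field of the ModRM byte).
   Returns the number of hits written to out. */
static size_t scan_branches(const uint8_t *code, size_t n,
                            const size_t *bounds, size_t nb,
                            hit *out, size_t max) {
    size_t cnt = 0;
    for (size_t i = 0; i < n && cnt < max; i++) {
        hit h = { i, HIT_RET, on_boundary(i, bounds, nb) };
        if (code[i] == 0xc3) {
            h.kind = HIT_RET;
        } else if (code[i] == 0xff && i + 1 < n) {
            unsigned reg = (code[i + 1] >> 3) & 7;      /* ModRM.reg selects /n */
            if (reg == 2)      h.kind = HIT_CALL;
            else if (reg == 4) h.kind = HIT_JMP;
            else continue;
        } else {
            continue;
        }
        out[cnt++] = h;
    }
    return cnt;
}

static hit HITS[MAX_HITS];

/* Scan the constructed snippet; hits are left in HITS for inspection. */
static size_t scan_sample(void) {
    return scan_branches(CODE, sizeof CODE, BOUNDS, NBOUNDS, HITS, MAX_HITS);
}

static size_t count_unintended(const hit *hits, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += !hits[i].intended;
    return c;
}

int main(void) {
    static const char *names[] = { "ret", "jmp r/m", "call r/m" };
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu: %-8s %s\n", HITS[i].off, names[HITS[i].kind],
               HITS[i].intended ? "intended" : "UNINTENDED");
    printf("%zu unintended branch(es) out of %zu\n", count_unintended(HITS, n), n);
    return 0;
}
```

A software CFI rewriter instruments only the intended RET at offset 16; an attacker who lands at offset 6 or 11 executes a branch no check guards. Hardware that regulates every committed branch sees those two just like any other, and with BR the unintended RET still has to land inside the calling function and the unintended JMP rax still has to stay inside the current function or hit a function entry.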

BR Implementation Details - Architectural Support for BR BR checks are performed in hardware, on every executed branch, using the bounds of the currently executing function and the record of the function that issued the last CALL.

Performance Evaluation of BR (1)

Performance Evaluation of BR (2)

Conclusion In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs). BR limits the target addresses of branches to be either within the same function or at the start of another function. This reduces the attacker's ability to find the exploitable gadgets needed for a CRA, at a small cost: about 2% performance loss and about 1% binary size increase.