Branch regulation: Low-overhead protection from code reuse attacks

Kayaalp,; Ozsoy,; Abu-Ghazaleh, Nael; Ponomarev,

doi:10.1109/isca.2012.6237009

Cited by 31 publications

(37 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In response, attackers have evolved to use the so-called code-reuse attacks (CRAs). CRAs, including both return-oriented [57] and jump-oriented [11] variations remain open vulnerabilities and active research topics, despite some promising solutions [48,70,36,37]. An orthogonal line of research pursues protection of application secrets even in the presence of compromised system software layers and malware [23,25,42].…”

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

Self Cite

118

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

Self Cite

118

View full text Add to dashboard Cite

show abstract

“…The idea of Branch Regulation was originally presented in our paper that appeared in the 2012 International Symposium on Computer Architecture (ISCA) [17]. The current submission extends the original ISCA paper in the following ways:…”

Section: Summary Of New Materialsmentioning

confidence: 94%

Efficiently Securing Systems from Code Reuse Attacks

Kayaalp

Özsoy

Abu-Ghazaleh

et al. 2014

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

Abstract-Code reuse attacks (CRAs) are recent security exploits that allow attackers to execute arbitrary code on a compromised machine. CRAs, exemplified by return-oriented and jump-oriented programming approaches, reuse fragments of the library code, thus avoiding the need for explicit injection of attack code on the stack. Since the executed code is reused existing code, CRAs bypass current hardware and software security measures that prevent execution from data or stack regions of memory. While softwarebased full control flow integrity (CFI) checking can protect against CRAs, it includes significant overhead, involves non-trivial effort of constructing a control flow graph, relies on proprietary tools and has potential vulnerabilities due to the presence of unintended branch instructions in architectures such as x86-those branches are not checked by the software CFI. We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against the CRAs that addresses all limitations of software CFI. BR enforces simple control flow rules in hardware at the function granularity to disallow arbitrary control flow transfers from one function into the middle of another function. This prevents common classes of CRAs without the complexity and run-time overhead of full CFI enforcement. BR incurs a slowdown of about 2% and increases the code footprint by less than 1% on the average for the SPEC 2006 benchmarks.

show abstract

“…As we discussed previously, a shadow call stack is a mechanism that has been proposed to defend against simple ROP attacks [28]- [30], [41]. SCRAP relies on a hardware implementation of the call stack, which is backed up by a larger software stack.…”

Section: Integrating State Counters Into Secure Call Stackmentioning

confidence: 99%

“…Kayaalp et al [41] propose branch regulation, a hardware supported techniques to protect against JOPs. Using binary rewriting, they insert markers at the beginning of every function, which include a magic number to mark a legal function entry, as well as the length of the function.…”

Section: Cra Attacks and Defensesmentioning

confidence: 99%

Signature-Based Protection from Code Reuse Attacks

Kayaalp

Schmitt

Nomani

et al. 2015

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

Abstract-Code Reuse Attacks (CRAs) recently emerged as a new class of security exploits. CRAs construct malicious programs out of small fragments (gadgets) of existing code, thus eliminating the need for code injection. Existing defenses against CRAs often incur large performance overheads or require extensive binary rewriting and other changes to the system software. In this paper, we examine a signature-based detection of CRAs, where the attack is detected by observing the behavior of programs and detecting the gadget execution patterns. We first demonstrate that naive signature-based defenses can be defeated by introducing special "delay gadgets" as part of the attack. We then show how a software-configurable signature-based approach can be designed to defend against such stealth CRAs, including the attacks that manage to use longer-length gadgets. The proposed defense (called SCRAP) can be implemented entirely in hardware using simple logic at the commit stage of the pipeline. SCRAP is realized with minimal performance cost, no changes to the software layers and no implications on binary compatibility. Finally, we show that SCRAP generates no false alarms on a wide range of applications.

show abstract

Branch regulation: Low-overhead protection from code reuse attacks

Cited by 31 publications

References 26 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

Efficiently Securing Systems from Code Reuse Attacks

Signature-Based Protection from Code Reuse Attacks

Contact Info

Product

Resources

About