Control Flow and Code Integrity for COTS binaries

Zhang, Mingwei; Sekar, R.

doi:10.1145/2818000.2818016

Cited by 202 publications

(365 citation statements)

References 30 publications

Supporting

Mentioning

364

Contrasting

Order By: Relevance

“…In response, attackers have evolved to use the so-called code-reuse attacks (CRAs). CRAs, including both return-oriented [57] and jump-oriented [11] variations remain open vulnerabilities and active research topics, despite some promising solutions [48,70,36,37]. An orthogonal line of research pursues protection of application secrets even in the presence of compromised system software layers and malware [23,25,42].…”

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

118

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

118

View full text Add to dashboard Cite

show abstract

“…The low-level detector is always on, identifying processes that are likely to be malware to prioritize the second level. The second level could consist of a more sophisticated semantic detector, or even a protection mechanism, such as a Control Flow Integrity (CFI) monitor [39] or a Software Fault Isolation (SFI) [31] monitor, that prevents a suspicious process from overstepping its boundaries. The first level thus serves to prioritize the operation of the second level so that the available resources are directed at processes that are suspicious, rather than applied arbitrarily to all processes.…”

Section: Online Detection Effectivenessmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.

show abstract

“…Control flow integrity (CFI) is a widely researched runtime enforcement technique that can provide practical protection against code injection and code reuse attacks [3,61,62]. CFI provides runtime enforcement of the intended control flow transfers by disallowing transfers that are not present in the application's control flow graph (CFG).…”

Section: Introductionmentioning

confidence: 99%

“…However, precise enforcement of CFI can have a large overhead [3]. This has motivated the development of more practical variants of CFI that have lower performance overhead but enforce weaker restrictions [61,62]. For example, control transfer checks are relaxed to allow transfers to any valid jump targets as opposed to the correct target.…”

Section: Introductionmentioning

confidence: 99%

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

117

View full text Add to dashboard Cite

Abstract-Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proofof-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

show abstract

Control Flow and Code Integrity for COTS binaries

Cited by 202 publications

References 30 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Contact Info

Product

Resources

About