Detecting Code Reuse Attacks with a Model of Conformant Program Execution

Jacobson, Emily R.; Bernat, Andrew R.; Williams, William Appleman; Miller, Barton P.

doi:10.1007/978-3-319-04897-0_1

Cited by 24 publications

(16 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jacobson et al [19] define conformant program execution as a set of run-time checks on program states, where a state represents elements of a machine that are affected by program execution (e.g. registers and memory).…”

Section: Run-time Integrity Checkingmentioning

confidence: 99%

Software-Based Protection against Changeware

Bănescu

Pretschner

Battré³

et al. 2015

Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

We call changeware software that surreptitiously modifies resources of software applications, e.g., configuration files. Changeware is developed by malicious entities which gain profit if their changeware is executed by large numbers of end-users of the targeted software. Browser hijacking malware is one popular example that aims at changing webbrowser settings such as the default search engine or the home page. Changeware tends to provoke end-user dissatisfaction with the target application, e.g. due to repeated failure of persisting the desired configuration. We describe a solution to counter changeware, to be employed by vendors of software targeted by changeware. It combines several protection mechanisms: white-box cryptography to hide a cryptographic key, software diversity to counter automated key retrieval attacks, and run-time process memory integrity checking to avoid illegitimate calls of the developed API.

show abstract

Section: Run-time Integrity Checkingmentioning

confidence: 99%

Software-Based Protection against Changeware

Bănescu

Pretschner

Battré³

et al. 2015

Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Before the advent of CRAs, some researchers of prior work [39,40] realized that the unintended instructions could be a potential security problem, and solved it by imposing alignment in the environment of a sandbox. Since the advent of CRAs, previous CRA defenses rely on dynamic binary instrumentation tools monitoring unintended instructions without the help of hardware [34,35], which limits their practical use.…”

Section: Related Workmentioning

confidence: 99%

“…Since JOP is a recently proposed technique, there are only a few proposals that target for JOP defenses. Among these defense techniques, [34], [35] and [36] are pure software approaches. To distinguish normal program execution from CRA attacks, they rely on the software dynamic binary instrumentation.…”

Section: Related Workmentioning

confidence: 99%

Mitigating Code-Reuse Attacks on CISC Architectures in a Hardware Approach

Zhang

Lü

Chen

et al. 2015

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Recently, code-reuse attack (CRA) is becoming the most prevalent attack vector which reuses fragments of existing code to make up malicious code. Recent studies show that CRAs especially jump-oriented programming (JOP) attacks are hard and costly to detect and protect from, especially on CISC processors. One reason for this is that the instructions of CISC architecture are of variable-length, and lots of unintended but legal instructions can be exploited by starting from in the middle of a legal instruction. This feature of CISC architectures makes the finding of so called gadgets for CRAs is much easier than that of RISC architectures. Most of previous studies for mitigating CRA on CISC processors rely on software-only means to tackle the unintended instruction problem, which makes their approaches either very costly or can only be applied under restricted conditions. In this paper, we propose two hardware supported techniques. The first, which is the main contribution of this paper, is to eliminate the execution of an unintended instruction. This technique only requires a few modifications to the processor and operating system. Furthermore, the proposed mechanism has little performance impact on the examined SPEC CPU 2006 benchmarks (-0.093% ~2.993%). Second, we propose using hardware control-flow locking as a complementary technique to our protection mechanism. By using the two techniques together, an attacker will have little chance to carry out CRAs on a CISC processor.

show abstract

“…Binary code analysis is used in a wide range of applications, including performance analysis [1,15,33], software reverse engineering [12,18], debugging [2], software reliability [31], software forensics [42] and security [19,23,36]. The analysis of binary code is a critical capability in these applications because it does not require source code to be available and targets the actual software artifact that is executed.…”

Section: Introductionmentioning

confidence: 99%

“…These code complexities influence the ability of an analyst to understand the operation and intent of a program, and the ability of a tool to correctly instrument or transform the binary program to trace, debug, test, monitor, or sandbox it. Supporting these code constructs in our own open source Dyninst tool kit [37] brings a universal benefit, as Dyninst is widely used in building debugging tools including STAT [2] and SystemTap [17], performance tools including COBI [34], Extrae [30], HPCToolKit [1], and Open|SpeedShop [45], and many other tools for security analysis [19,23,39,44,50,53] and reverse engineering [10,24,27,41,43].…”

Section: Introductionmentioning

confidence: 99%

Binary code is not easy

Meng

Miller

2016

Proceedings of the 25th International Symposium on Software Testing and Analysis

Self Cite

100

View full text Add to dashboard Cite

Binary code analysis is an enabling technique for many applications. Modern compilers and run-time libraries have introduced significant complexities to binary code, which negatively affect the capabilities of binary analysis tool kits to analyze binary code, and may cause tools to report inaccurate information about binary code. Analysts may hence be confused and applications based on these tool kits may have degrading quality. We examine the problem of constructing control flow graphs from binary code and labeling the graphs with accurate function boundary annotations. We identified several challenging code constructs that represent hard-toanalyze aspects of binary code, and show code examples for each code construct. As part of this discussion, we present new code parsing algorithms in our open source Dyninst tool kit that support these constructs, including a new model for describing jump tables that improves our ability to precisely determine the control flow targets, a new interprocedural analysis to determine when a function is non-returning, and techniques for handling tail calls. We evaluated how various tool kits fare when handling these code constructs with real software as well as test binaries patterned after each challenging code construct we found in real software. CCS Concepts •Software and its engineering → Automated static analysis; Software reverse engineering;

show abstract

Detecting Code Reuse Attacks with a Model of Conformant Program Execution

Cited by 24 publications

References 35 publications

Software-Based Protection against Changeware

Software-Based Protection against Changeware

Mitigating Code-Reuse Attacks on CISC Architectures in a Hardware Approach

Binary code is not easy

Contact Info

Product

Resources

About