CFIMon: Detecting violation of control flow integrity using performance counters

Proceedings of the International Conference on Dependable Systems and Networks

Volumn , Issue , 2012, Pages

  Xia, Yubin ^a,b   Liu, Yutao ^a,b   Chen, Haibo ^a   Zang, Binyu ^b  

^a SHANGHAI JIAO TONG UNIVERSITY   (China)

^b FUDAN UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

COMMODITY PROCESSORS; CONTROL FLOWS; FALSE NEGATIVES; FALSE POSITIVE; HARDWARE SUPPORTS; LEGAL CONTROLS; MODERN PROCESSORS; NON-INTRUSIVE; ON-THE-FLY; PERFORMANCE COUNTERS; PERFORMANCE MONITORING; RUNTIMES; SECURITY ATTACKS; SECURITY BREACHES; SECURITY EVALUATION; SERVER APPLICATIONS;

COMPUTER HARDWARE; CRIME; HARDWARE;

STATIC ANALYSIS;

EID: 84866672217     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/DSN.2012.6263958     Document Type: Conference Paper

References (47)

1. C. Zou, W. Gong, and D. Towsley, "Code red worm propagation modeling and analysis," in Proc. CCS, 2002, pp. 138-147.
2. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy, vol. 1, no. 4, pp. 33-39, 2003.
3. M. Bailey, E. Cooke, D. Watson, F. Jahanian, and J. Nazario, "The Blaster Worm: Then and Now," IEEE Security & Privacy, vol. 3, no. 4, pp. 26-31, 2005.
4. PITAC Team, "Cybersecurity: A crisis of prioritization." President's Information Technology Advisory Committee (PITAC), Tech. Rep., Feb. 2005.
5. R. Wojtczuk, "The advanced return-into-lib (c) exploits: Pax case study," Phrack Magazine, Volume 0x0b, Issue 0x3a, Phile# 0x04 of 0x0e, 2001.
6. H. Shacham, "The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)," in Proceedings of the 14th ACM conference on Computer and communications security. ACM, 2007, pp. 552-561.
7. T. Bletsch, X. Jiang, V. Freeh, and Z. Liang, "Jump-oriented programming: A new class of code-reuse attack," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 30-40.
8. C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks," in Proc. Usenix Security, 1998.
9. C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier, "FormatGuard: Automatic protection from printf format string vulnerabilities," in Proc. Usenix Security, 2001.
10. L. Davi, A.-R. Sadeghi, and M. Winandy, "Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks," in Proceedings of the 2009 ACM workshop on Scalable trusted computing, 2009, pp. 49-54.
11. S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns," in Proc. CCS, 2010, pp. 559-572.
12. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating return-oriented rootkits with Return-Less kernels," in Proc. Eurosys, 2010, pp. 195-208.
13. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Control-flow integrity principles, implementations, and applications," ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 1, pp. 1-40, 2009.
14. T. Bletsch, X. Jiang, and V. Freeh, "Mitigating code-reuse attacks with control-flow locking," in Proc. ACSAC, 2011.
15. T. Zhang, X. Zhuang, S. Pande, and W. Lee, "Anomalous path detection with hardware support," in Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems. ACM, 2005, pp. 43-54.
16. M. Budiu, Ú. Erlingsson, and M. Abadi, "Architectural support for software-based protection," in Proc. Workshop on Architectural and system support for improving software dependability, 2006, p. 51.
17. Y. Shi and G. Lee, "Augmenting branch predictor to secure program execution," in Dependable Systems and Networks, 2007. DSN'07. 37th Annual IEEE/IFIP International Conference on. IEEE, 2007, pp. 10-19.
18. J. Anderson, L. Berc, J. Dean, S. Ghemawat, M. Henzinger, S. Leung, R. Sites, M. Vandevoorde, C. Waldspurger, and W. Weihl, "Continuous profiling: where have all the cycles gone?" ACM SIGOPS Operating Systems Review, vol. 31, no. 5, p. 14, 1997.
19. J. Dean, J. Hicks, C. Waldspurger, W. Weihl, and G. Chrysos, "ProfileMe: Hardware support for instruction-level profiling on out-of-order processors," in Proc. MICRO, 1997, pp. 292-302.
20. B. Sprunt, "Pentium 4 performance-monitoring features," IEEE Micro, vol. 22, no. 4, pp. 72-82, 2002.
21. AMD, "Instruction-based sampling: A new performance analysis technique," developer.amd.com/assets/amd-ibs-paper-en.pdf.
22. I. Molnar, "Performance counters for linux, v8." http://lwn.net/Articles/336542, 2009.
23. S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer, "Non-Control-Data Attacks Are Realistic Threats," in Proc. USENIX Security, 2005.
24. Metasploit Team, "Metasploit," http://www.metasploit.com/.
25. "Exim," http://www.exim.org/.
26. B. Fitzpatrick, "Distributed caching with memcached," Linux journal, 2004.
27. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro, "Preventing memory error exploits with WIT," in IEEE Symposium on Security and Privacy, 2008, pp. 263-277.
28. G. Ammons, T. Ball, and J. Larus, "Exploiting hardware performance counters with flow and context sensitive profiling," in Proc. PLDI, 1997, pp. 85-96.
29. R. Azimi, M. Stumm, and R. Wisniewski, "Online performance analysis by statistical sampling of microprocessor performance counters," in Proc. Supercomputing, 2005, pp. 101-110.
30. L. Yuan, W. Xing, H. Chen, and B. Zang, "Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters," in 2011 ACM SIGOPS Asia-pacific Workshop on Systems, 2011.
31. A. Avritzer, R. Tanikella, K. James, R. G. Cole, and E. Weyuker, "Monitoring for security intrusion using performance signatures," in Proceedings of the first joint WOSP/SIPEW international conference on Performance engineering, 2010, pp. 93-104.
32. L. Davi, A. Sadeghi, and M. Winandy, "Ropdefender: A detection tool to defend against return-oriented programming attacks," in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011, pp. 40-51.
33. B. Cox, D. Evans, A. Filipi, J. Rowanhill, W. Hu, J. Davidson, J. Knight, A. Nguyen-Tuong, and J. Hiser, "N-variant systems: A secretless framework for security through diversity," in Proc. USENIX Security, 2006, pp. 105-120.
34. A. Nguyen-Tuong, D. Evans, J. Knight, B. Cox, and J. Davidson, "Security through redundant data diversity," in Proc. DSN, 2008, pp. 187-196.
35. R. Huang, D. Deng, and G. Suh, "Orthrus: efficient software integrity protection on multi-cores," in Proc. ASPLOS, 2010, pp. 371-384.
36. G. Kc, A. Keromytis, and V. Prevelakis, "Countering code-injection attacks with instruction-set randomization," in Proc. CCS, 2003.
37. E. Barrantes, D. Ackley, S. Forrest, and D. Stefanović, "Randomized instruction set emulation," ACM Transactions on Information and System Security (TISSEC), vol. 8, no. 1, pp. 3-40, 2005.
38. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh, "On the effectiveness of address-space randomization," in Proc. CCS, 2004, pp. 298-307.
39. M. Castro, M. Costa, and T. Harris, "Securing software by enforcing data-flow integrity," in Proc. OSDI, 2006.
40. U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. Necula, "XFI: Software guards for system address spaces," in Proc. OSDI, 2006, p. 88.
41. J. Crandall and F. Chong, "Minos: Control Data Attack Prevention Orthogonal to Memory Model," in Proc. MICRO, 2004.
42. W. Xu, S. Bhatkar, and R. Sekar, "Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks," in Proc. USENIX Security, 2006, pp. 121-136.
43. J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," in Proc. NDSS, 2005.
44. F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, and Y. Wu, "LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks," in Proc. MICRO, 2006, pp. 135-148.
45. W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel, and A. Sheth, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," in Proc. OSDI, 2010.
46. H. Chen, X. Wu, L. Yuan, B. Zang, P. Yew, and F. Chong, "From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware," in Proc. ISCA, 2008, pp. 401-412.
47. H. Chen, L. Yuan, X. Wu, B. Zang, B. Huang, and P. Yew, "Control flow obfuscation with information flow tracking," in Proc. MICRO, 2009, pp. 391-400.