Enforcing system-wide control flow integrity for exploit detection and diagnosis

ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

Volumn , Issue , 2013, Pages 311-322

  Prakash, Aravind ^a   Yin, Heng ^a   Liang, Zhenkai ^b  

^a SYRACUSE UNIVERSITY   (United States)

^b NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

Author keywords

exploit detection; exploit diagnosis; software security; virtual machine introspection; vulnerability detection

Indexed keywords

CONTROL-FLOW INTEGRITIES; DETECTION AND DIAGNOSIS; HARDWARE INTEGRATIONS; IDENTIFICATION ALGORITHMS; MEMORY OVERHEADS; SOFTWARE SECURITY; VIRTUAL MACHINE INTROSPECTION; VULNERABILITY DETECTION;

ALGORITHMS; SEMANTICS;

SECURITY OF DATA;

EID: 84877996319     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2484313.2484352     Document Type: Conference Paper

References (40)

1. DECAF: Binary Analysis Platform. Sycurelab, Syracuse University. http://code.google.com/p/decaf-platform/.
2. ABADI, M., BUDIU, M., ERLINGSSON, U., AND LIGATTI, J. Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13, 1 (Nov. 2009), 4:1-4:40.
3. AKRITIDIS, P., CADAR, C., RAICIU, C., COSTA, M., AND CASTRO, M. Preventing memory error exploits with wit. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (2008), SP '08.
4. BAHRAM, S., JIANG, X., WANG, Z., GRACE, M., LI, J., SRINIVASAN, D., RHEE, J., AND XU, D. Dksm: Subverting virtual machine introspection for fun and profit. In Proceedings of the 29th IEEE International Symposium on Reliable Distributed Systems (SRDS'10) (2010).
5. BAIARDI, F., AND SGANDURRA, D. Building trustworthy intrusion detection through vm introspection. In Proceedings of the Third International Symposium on Information Assurance and Security (2007), IEEE Computer Society.
6. BELLARD, F. Qemu, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track (April 2005).
7. CADAR, C., DUNBAR, D., AND ENGLER, D. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX conference on Operating systems design and implementation (OSDI'08).
8. CASTRO, M., COSTA, M., AND HARRIS, T. Securing software by enforcing data-flow integrity. In Proceedings of the 7th symposium on Operating systems design and implementation, OSDI '06.
9. CHAUDHURI, A., NALDURG, P., AND RAJAMANI, S. A type system for data-flow integrity on windows vista. SIGPLAN Not. 43, 12 (Feb. 2009), 9-20.
10. CHEN, P. M., AND NOBLE, B. D. When virtual is better than real. In Proceedings of the Eighth Workshop on Hot Topics in Operating Systems (2001).
11. CHEN, S., XU, J., NAKKA, N., KALBARCZYK, Z., AND IYER, R. Defeating memory corruption attacks via pointer taintedness detection. In Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on (2005).
12. CHEN, S., XU, J., SEZER, E. C., GAURIAR, P., AND IYER, R. K. Non-control-data attacks are realistic threats. In Proceedings of the 14th conference on USENIX Security Symposium (2005), SSYM'05.
13. CLAUSE, J., LI, W., AND ORSO, A. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis (ISSTA'07).
14. COSTA, M. Vigilante: End-to-end containment of internet worms. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05).
15. COSTA, M., CASTRO, M., ZHOU, L., ZHANG, L., AND PEINADO, M. Bouncer: securing software by blocking bad input. In Proceedings of 21st ACM SIGOPS Symposium on Operating Systems Principles (SOSP'07).
16. DAVI, L., DMITRIENKO, R., EGELE, M., FISCHER, T., HOLZ, T., HUND, R., NÃIJRNBERGER, S., AND REZA SADEGHI, A. Mocfi: A framework to mitigate control-flow attacks on smartphones. In In Proceedings of the Network and Distributed System Security Symposium (NDSS'12).
17. DOLAN-GAVITT, B., LEEK, T., ZHIVICH, M., GIFFIN, J., AND LEE, W. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (May 2011).
18. FU, Y., AND LIN, Z. Space traveling across vm: Automatically bridging the semantic-gap in virtual machine introspection via online kernel data redirection. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (San Francisco, CA, May 2012).
19. GARFINKEL, T., AND ROSENBLUM, M. A virtual machine introspection based architecture for intrusion detection. In Proceedings of Network and Distributed Systems Security Symposium (NDSS'03) (February 2003).
20. GODEFROID, P., KLARLUND, N., AND SEN, K. Dart: directed automated random testing. In Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation (2005), PLDI '05, ACM.
21. GODFROID, P., LEVIN, M. Y., AND MOLNAR, D. Automated whitebox fuzz testing. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08) (February 2008).
22. GU, Y., FU, Y., PRAKASH, A., LIN, Z., AND YIN, H. Os-sommelier: memory-only operating system fingerprinting in the cloud. In Proceedings of the Third ACM Symposium on Cloud Computing, SoCC '12.
23. JIANG, X., WANG, X., AND XU, D. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and Communications Security (CCS'07) (October 2007).
24. KANG, M. G., MCCAMANT, S., POOSANKAM, P., AND SONG, D. Dta++: Dynamic taint analysis with targeted control-flow propagation. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
25. KIRIANSKY, V., BRUENING, D., AND AMARASINGHE, S. P. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium (2002), USENIX Association.
26. LIN, Z., RHEE, J., ZHANG, X., XU, D., AND JIANG, X. Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
27. NEWSOME, J., AND SONG, D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS'05).
28. NICOLAS FALLIERE, LIAM O MURCHU, E. C. Symantec stuxnet dossier. http://www.symantec.com/content/en/us/enterprise/media/security-response/ whitepapers/w32-stuxnet-dossier.pdf.
29. PETRONI, N. L., JR., FRASER, T., MOLINA, J., AND ARBAUGH, W. A. Copilot - a coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium (2004).
30. PORTOKALIDIS, G., SLOWINSKA, A., AND BOS, H. Argos: an emulator for fingerprinting zero-day attacks. In EuroSys 2006 (April 2006).
31. RUSSINOVICH, M., SOLOMON, D. A., AND IONESCU, A. Windows Internals. 5th Ed. Microsoft press, 2009.
32. SEN, K., MARINOV, D., AND AGHA, G. Cute: a concolic unit testing engine for c. In Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering (2005).
33. WAHBE, R., LUCCO, S., ANDERSON, T. E., AND GRAHAM, S. L. Efficient software-based fault isolation. In Proceedings of the 14th SymPosium on Operating System Principles (1993).
34. WARTELL, R., MOHAN, V., HAMLEN, K. W., AND LIN, Z. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12.
35. WEI, T., ZHANG, C., CHEN, Z., DUAN, L., SZEKERES, L., MCCAMANT, S., AND SONG, D. Fpgate: The last building block for a practical cfi solution, technical report for microsoft bluehat prize contest. Tech. rep., Apr 2012.
36. XIA, Y., LIU, Y., CHEN, H., AND ZANG, B. Cfimon: Detecting violation of control flow integrity using performance counters. In Dependable Systems and Networks (DSN) 2012.
37. YAN, L. K., AND YIN, H. Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st USENIX conference on Security symposium - 2012, USENIX Association.
38. YIN, H., POOSANKAM, P., HANNA, S., AND SONG, D. HookScout: Proactive binary-centric hook detection. In Proceedings of Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'10) (July 2010).
39. YIN, H., SONG, D., MANUEL, E., KRUEGEL, C., AND KIRDA, E. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communication Security (CCS'07).
40. ZHANG, M., PRAKASH, A., LI, X., LIANG, Z., AND YIN, H. Identifying and analyzing pointer misuses for sophisticated memory-corruption exploit diagnosis. In Proceedings of 19th Annual Network & Distributed System Security Symposium (2012).