Signature-Based Protection from Code Reuse Attacks

IEEE Transactions on Computers

Volumn 64, Issue 2, 2015, Pages 533-546

  Kayaalp, Mehmet ^a   Schmitt, Timothy ^a   Nomani, Junaid ^a   Ponomarev, Dmitry ^a   Ghazaleh, Nael Abu ^a  

^a State University of New York at Binghamton   (United States)

Author keywords

code reuse attacks; Processor architectures; support for security

Indexed keywords

BINS; CORROSION RESISTANT ALLOYS;

BINARY COMPATIBILITIES; CODE REUSE; PERFORMANCE COSTS; PROCESSOR ARCHITECTURES; SIGNATURE BASED DETECTIONS; SIGNATURE-BASED APPROACH; SOFTWARE-CONFIGURABLE; SUPPORT FOR SECURITIES;

CODES (SYMBOLS);

EID: 84960462471     PISSN: 00189340     EISSN: None     Source Type: Journal    
DOI: 10.1109/TC.2013.230     Document Type: Article

References (63)

1. W. Baer and A. Parkinson, "Cyberinsurance in IT security management," IEEE Secur. Privacy, vol. 5, no. 3, pp. 50-56, May/Jun. 2007.
2. National Institute of Standards and Technology. (2012). NIST National Vulnerability Database [Online]. Available: http://nvd.nist.gov.
3. D. Dhurjati and V. Adve, "Backwards-compatible array bounds checking forCwith very low overhead," in Proc. Int. Conf. Softw. Eng. (ICSE), 2006, pp. 162-171 [Online]. Available: http://doi.acm.org/10.1145/1134285.1134309.
4. J. Devietti, C. Blundell, M. M. K. Martin, S. Zdancewic, "Hardbound: Architectural support for spatial safety of the C programming language," in Proc. Int. Conf. Archit. Support Program. Languages Oper. Syst. (ASPLOS), 2008, pp. 103-114 [Online]. Available: http://doi.acm.org/10.1145/1346281.1346295.
5. G. E. Suh, J. W. Lee, D. Zhang, S. Devadas, "Secure program execution via dynamic information flow tracking," in Proc. Int. Conf. Archit. Support Program. Languages Oper. Syst. (ASPLOS), 2004, pp. 85-96 [Online]. Available: http://doi.acm.org/10.1145/1024393.1024404.
6. M. Dalton, H. Kannan, C. Kozyrakis, "Raksha: A flexible information flow architecture for software security," in Proc. Ann. Int. Symp. Comput. Archit. (ISCA), 2007, pp. 482-493 [Online]. Available: http://doi.acm.org/10.1145/1024393.1024404http://doi.acm.org/10.1145/1250662.1250722.
7. Aleph One. (1996, Nov.) "Smashing the Stack for Fun and Profit," Phrack Magazine, vol. 7, no. 49, pp. 14-16 [Online]. Available: http://phrack.org/issues/49/14.html
8. J. Pincus and B. Baker, "Beyond stack smashing: Recent advances in exploiting buffer overruns," IEEE Secur. Privacy, vol. 2, no. 4, pp. 20-27, Jul. 2004 [Online]. Available: http://dl.acm.org/citation. cfm?id=1018027.1018271.
9. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, "StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks," in Proc. USENIX Secur., 1998, vol. 7, pp. 346-355.
10. A. Baratloo, N. Singh, T. Tsai, "Transparent run-time defense against stack smashing attacks," in Proc. USENIX Ann. Tech. Conf., 2000, pp. 251-262.
11. T. cker Chiueh and F.-H. Hsu, "RAD: A compile-time solution to buffer overflow attacks," in Proc. Int. Conf. Distrib. Comput. Syst. (ICDCS'01), 2001, pp. 409-417.
12. M. Prasad and T. cker Chiueh, "A binary rewriting defense against stack based overflow attacks," in Proc. USENIX Ann. Tech. Conf., 2003, pp. 211-224.
13. P. Team. (2003, May). Pax Non-Executable Pages Design & Implementation [Online]. Available: http://pax.grsecurity.net/docs/noexec. txt.
14. S. Andersen, "Part 3: Memory protection technologies," Changes to Functionality in Microsoft WindowsXPService Pack 2. Microsoft Corp., 2004 [Online]. Available: http://technet.microsoft.com/en-us/library/bb457155.aspx.
15. H. Shacham, "The geometry of innocent flesh on the bone: Returninto-libc without function calls (on the x86)," in Proc. ACM Conf. Comput. Commun. Secur. (CCS), Oct. 2007, pp. 552-561.
16. E. Buchanan, R. Roemer, H. Shacham, S. Savage, "When good instructions go bad: Generalizing return-oriented programming to RISC," in Proc. ACM Conf. Comput. Commun. Secur. (CCS), 2008, pp. 27-38 [Online]. Available: http://doi.acm.org/10.1145/1455770.1455776.
17. A. Francillon and C. Castelluccia, "Code injection attacks on harvard-architecture devices," in Proc.ACMConf. Comput. Commun. Secur. (CCS), 2008, pp. 15-26.
18. F. Lindner. (2009). Developments in Cisco IOs forensics. Confidence 2.0. Presentation. [Online]. Available: http://www.recurity-labs.com/content/pub/FX-Router-Exploitation.pdf.
19. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, H. Shacham, "Can DREs provide long-lasting security? The case of return-oriented programming and theAVCadvantage," in Proc. Conf. Electron. Voting Technol./Workshop Trustworthy Elections (EVT/WOTE), Aug. 2009 [Online]. Available: https://cs.ucsd.edu/~scheckow/papers/evt2009.html.
20. L. Davi, A. Dmitrienko, A.-R. Sadeghi, M. Winandy, "Returnoriented programming without returns on ARM," Syst. Secur. Lab, Ruhr University Bochum, Bochum, Germany, Tech. Rep. HGI-TR-2010-002, 2010 [Online]. Available: http://www.ei.rub.de/media/trust/veroeffentlichungen/2010/07/21/ROP-without-Returnson-ARM.pdf.
21. R. G. Roemer, "Finding the bad in good code: Automated returnoriented programming exploit discovery," Master's thesis, Univ. California, San Diego, CA,USA[Online]. Available: https://cseweb. ucsd.edu/~rroemer/doc/thesis.pdf, 2009.
22. R. Hund, T. Holz, F. C. Freiling, "Returnoriented rootkits: Bypassing kernel code integrity protection mechanisms," in Proc. USENIX Secur., 2009, pp. 383-398.
23. T. Dullien and T. Kornau, "Aframework for automated architectureindependent gadget search," in Proc. 4th USENIXWorkshop Offensive Technol. (WOOT), 2010.
24. T. Avgerinos, E. J. Schwartz, D. Brumle, "Q: Exploit hardening made easy," in Proc. USENIX Secur., 2011, pp. 379-394.
25. L. Davi, A.-R. Sadeghi, M. Winandy, "Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks," in Proc. ACM Workshop Scalable Trusted Comput. (STC), 2009, pp. 49-54 [Online]. Available: http://doi. acm.org/10.1145/1655108.1655117.
26. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, L. Xie, "Drop: Detecting return-oriented programming malicious code," in Proc. Int. Conf. Inf. Syst. Secur. (ICISS), 2009, pp. 163-177 [Online]. Available: http://dx.doi.org/10.1007/978-3-642-10772-6-13.
27. J. Li, Z. Wang, X. Jiang, M. Grace, S. Bahram, "Defeating returnoriented rootkits with 'return-less' kernels," in Proc. EuroSys, 2010, pp. 195-208 [Online]. Available: http://doi.acm.org/10.1145/1755913.1755934.
28. J. Xu, Z. Kalbarczyk, S. Patel, R. K. Iyer, "Architecture support for defending against buffer overflow attacks," in Proc. Workshop Eval. Archit. Syst. Dependability, 2002, pp. 52-62.
29. J. McGregor, D. Karig, Z. Shi, R. Lee, "A processor architecture defense against buffer overflow attacks," in Proc. Int. Conf. Inf. Technol. Res. Edu. (ITRE), Aug. 2003, pp. 243-250.
30. S. Sinnadurai, "Runtime binary analysis for security," M.S. thesis, Dept. Comput. Sci., Nat. Univ. Singapore, Singapore, 2007.
31. T. Bletsch, X. Jiang, V. W. Freeh, Z. Liang, "Jump-oriented programming: A new class of code-reuse attack," in Proc. ACM Symp. Inf. Comput. Commun. Secur. (ASIACCS), 2011, pp. 30-40 [Online]. Available: http://doi.acm.org/10.1145/1966913.1966919.
32. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, M. Winandy, "Return-oriented programming without returns," in Proc. ACM Conf. Comput. Commun. Secur. (CCS), Oct. 2010, pp. 559-72.
33. P. Chen, X. Xing, B. Mao, L. Xie, X. Shen, X. Yin, "Automatic construction of jump-oriented programming shellcode (on the x86)," in Proc. ACM Symp. Inf. Comput. Commun. Secur. (ASIACCS), 2011, pp. 20-29 [Online]. Available: http://doi.acm.org/10.1145/1966913.1966918.
34. Apple Inc. (2012). iOS Security [Online]. Available: http://www. apple.com/ipad/business/docs/iOS-Security-Oct12.pdf, retrieved Oct. 2013.
35. SOGETI ESEC R&D Lab. (2012). Analysis of the Jailbreakme v3 Font Exploit [Online]. Available: http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit, retrieved Sept. 2012.
36. M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti, "Control-flow integrity," in Proc. ACM Conf. Comput. Commun. Secur. (CCS), 2005, pp. 340-353.
37. T. Bletsch, X. Jiang, V. Freeh, "Mitigating code-reuse attacks with control-flow locking," in Proc. 27th Ann. Comput. Secur. Appl. Conf. (ACSAC'11), 2011, pp. 353-362 [Online]. Available: http://doi. acm.org/10.1145/2076732.2076783.
38. B. Yee, D. Sehr, G. Dardyk, J. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, N. Fullagar, "Native client: A sandbox for portable, untrusted x86 native code," in Proc. 30th IEEE Symp. Secur. Privacy, 2009, pp. 79-93.
39. M. Kayaalp, T. Schmitt, J. Nomani, D. Ponomarev, N. Abu-Ghazaleh, "SCRAP: Architecture for signature-based protection from code reuse attacks," in Proc. Int. Symp. High-Perform. Comput. Archit. (HPCA), 2013, pp. 258-269.
40. The Open Group. (2004). IEEE Std 10031 [Online]. Available: http://pubs.opengroup.org/onlinepubs/009695399/functions/setjmp.html.
41. M. Kayaalp, M. Ozsoy, N. Abu-Ghazaleh, D. Ponomarev, "Branch regulation: Low overhead mitigation of code reuse attacks," in Proc. Ann. Int. Symp. Comput. Archit. (ISCA), 2012, pp. 94-105.
42. M. T. Yourst, "Ptlsim: A cycle accurate full system x86-64 microarchitectural simulator," in Proc. Int. Symp. Perform. Anal. Syst. Softw. (ISPASS), 2007, pp. 23-34.
43. C. D. Spradling, "Spec cpu2006 benchmark tools," SIGARCH Comput. Archit. News, vol. 35, no. 1, pp. 130-134, 2007.
44. C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. Reddi, K. Hazelwood, "Pin: Building customized program analysis tools with dynamic instrumentation," in Proc. ACM SIGPLAN Conf. Program. Language Des. Implementation (PLDI'05), 2005, pp. 190-200.
45. J. Salwan. (2012). The Shell Storm Linux Shellcode Repository [Online]. Available: http://www.shell-storm.org/shellcode/shellcode-linux. php, accessed Sep. 2012.
46. C. Cowan, S. Beattie, J. Johansen, P. Wagle, "Pointguardtm: Protecting pointers from buffer overflow vulnerabilities," in Proc. USENIX Secur., 2003, p. 7 [Online]. Available: http://dl.acm.org/citation.cfm?id=1251353.1251360.
47. H. Etoh and K. Yoda, "Propolice: Improved stack-smashing attack detection," in Proc. IPSJ SIG Notes Comput. Secur., Oct. 2001, pp. 4034-4041.
48. Vendicator. (2001, Jan.) Stack shield technical info file v0.7 [Online]. Available: http://www.angelfire.com/sk/stackshield/.
49. M. Frantzen and M. Shuey, "StackGhost: Hardware facilitated stack protection," in Proc. USENIX Secur., 2001, p. 5 [Online]. Available: http://dl.acm.org/citation.cfm?id=1251327.1251332.
50. S. Ghose, L. Gilgeous, P. Dudnik, A. Aggarwal, C. Waxman, "Architectural support for low overhead detection of memory violations," in Proc. Conf. Des. Autom. Test Eur. (DATE), 2009, pp. 652-657.
51. S. Nagarakatte, M. Martin, S. Zdancewic, "Watchdog: Hardware for safe and secure manual memory management and full memory safety," in Proc. Ann. Int. Symp. Comput. Archit. (ISCA), 2012, pp. 189-200.
52. M. Ozsoy, D. Ponomarev, N. Abu-Ghazaleh, T. Suri, "SIFT: A low-overhead dynamic information flow tracking architecture for SMT processors," in Proc. Conf. Comput. Frontiers (CF), May 2011.
53. J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, signature generation of exploits on commodity software," in Proc. Symp. Netw. Distrib. Syst. Secur. (NDSS), Feb. 2005.
54. F. Qin, C. Wang, Z. Li, H.-S. Kim, Y. Zhou, Y. Wu, "Lift: A lowoverhead practical information flow tracking system for detecting security attacks," in Proc. Ann. IEEE/ACM Int. Symp. Microarchit. (MICRO), 2006, pp. 135-148 [Online]. Available: http://dx.doi.org/10.1109/MICRO.2006.29.
55. M. Castro, M. Costa, T. Harris, "Securing software by enforcing data-flow integrity," in Proc. Symp. Oper. Syst. Des. Implementation (OSDI), 2006, pp. 147-160 [Online]. Available: http://dl.acm.org/citation.cfm?id=1298455.1298470.
56. S. Designer. (1997). "Return-to-Libc" Attack [Online]. Available: http://insecure.org/sploits/linux.libc.return.lpr.sploit.html
57. Negral. (2001). The Advanced Return-Into-Lib(C) Attacks [Online]. Available: http://www.phrack.org/issues.html?issue=58 id=4, retrieved Jun. 2012.
58. M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, P. Ning, "On the expressiveness of return-into-libc attacks," in Proc. Int. Conf. Recent Adv. Intrusion Detection (RAID), Sep. 2011, pp. 121-141.
59. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, E. Kirda, "Gfree: Defeating return-oriented programming through gadget-less binaries," in Proc. Ann. Comput. Secur. Appl. Conf. (ACSAC), 2010, pp. 49-58.
60. P. Team. (2003, Mar.). Pax Address Space Layout Randomization (ASLR) [Online]. Available: http://pax.grsecurity.net/docs/aslr. txt.
61. E. D. Berger and B. G. Zorn, "Diehard: Probabilistic memory safety for unsafe languages," in Proc. Conf. Program. Language Des. Implementation (PLDI), 2006, pp. 158-168 [Online]. Available: http://doi. acm.org/10.1145/1133981.1134000.
62. O. Whitehouse. (2007). "An analysis of address space layout randomization on windows vista," Symantec Adv. Threat Res., pp. 1-14, 2007 [Online]. Available: http://www.symantec.com/avcenter/reference/Address-Space-Layout-Randomization.pdf
63. T. Newsham. (2000, Sep.) Format String Attacks [Online]. Available: http://julianor.tripod.com/bc/tn-usfs.pdf.