92 research outputs found
SOFIA : software and control flow integrity architecture
Microprocessors used in safety-critical systems are extremely sensitive to software vulnerabilities, as their failure can lead to injury, damage to equipment, or environmental catastrophe. This paper proposes a hardware-based security architecture for microprocessors used in safety-critical systems. The proposed architecture provides protection against code injection and code reuse attacks. It has mechanisms to protect software integrity, perform control flow integrity, prevent execution of tampered code, and enforce copyright protection. We are the first to propose a mechanism to enforce control flow integrity at the finest possible granularity. The proposed architectural features were added to the LEON3 open source soft microprocessor, and were evaluated on an FPGA running a software benchmark. The results show that the hardware area is 28.2% larger and the clock is 84.6% slower, while the software benchmark has a cycle overhead of 13.7% and a total execution time overhead of 110% when compared to an unmodified processor
ROPocop - Dynamic Mitigation of Code-Reuse Attacks
Control-flow attacks, usually achieved by exploiting a buffer-overflow
vulnerability, have been a serious threat to system security for over fifteen
years. Researchers have answered the threat with various mitigation techniques,
but nevertheless, new exploits that successfully bypass these technologies
still appear on a regular basis.
In this paper, we propose ROPocop, a novel approach for detecting and
preventing the execution of injected code and for mitigating code-reuse attacks
such as return-oriented programming (RoP). ROPocop uses dynamic binary
instrumentation, requiring neither access to source code nor debug symbols or
changes to the operating system. It mitigates attacks by both monitoring the
program counter at potentially dangerous points and by detecting suspicious
program flows.
We have implemented ROPocop for Windows x86 using PIN, a dynamic program
instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite
show an average overhead of 2.4x, which is comparable to similar approaches,
which give weaker guarantees. Real-world applications show only an initially
noticeable input lag and no stutter. In our evaluation our tool successfully
detected all 11 of the latest real-world code-reuse exploits, with no false
alarms. Therefore, despite the overhead, it is a viable, temporary solution to
secure critical systems against exploits if a vendor patch is not yet
available
Analyzing the Gadgets Towards a Metric to Measure Gadget Quality
Current low-level exploits often rely on code-reuse, whereby short sections
of code (gadgets) are chained together into a coherent exploit that can be
executed without the need to inject any code. Several protection mechanisms
attempt to eliminate this attack vector by applying code transformations to
reduce the number of available gadgets. Nevertheless, it has emerged that the
residual gadgets can still be sufficient to conduct a successful attack.
Crucially, the lack of a common metric for "gadget quality" hinders the
effective comparison of current mitigations. This work proposes four metrics
that assign scores to a set of gadgets, measuring quality, usefulness, and
practicality. We apply these metrics to binaries produced when compiling
programs for architectures implementing Intel's recent MPX CPU extensions. Our
results demonstrate a 17% increase in useful gadgets in MPX binaries, and a
decrease in side-effects and preconditions, making them better suited for ROP
attacks.Comment: International Symposium on Engineering Secure Software and Systems,
Apr 2016, London, United Kingdo
Lockdown: Dynamic Control-Flow Integrity
Applications written in low-level languages without type or memory safety are
especially prone to memory corruption. Attackers gain code execution
capabilities through such applications despite all currently deployed defenses
by exploiting memory corruption vulnerabilities. Control-Flow Integrity (CFI)
is a promising defense mechanism that restricts open control-flow transfers to
a static set of well-known locations. We present Lockdown, an approach to
dynamic CFI that protects legacy, binary-only executables and libraries.
Lockdown adaptively learns the control-flow graph of a running process using
information from a trusted dynamic loader. The sandbox component of Lockdown
restricts interactions between different shared objects to imported and
exported functions by enforcing fine-grained CFI checks. Our prototype
implementation shows that dynamic CFI results in low performance overhead.Comment: ETH Technical Repor
Execution Integrity with In-Place Encryption
Instruction set randomization (ISR) was initially proposed with the main goal
of countering code-injection attacks. However, ISR seems to have lost its
appeal since code-injection attacks became less attractive because protection
mechanisms such as data execution prevention (DEP) as well as code-reuse
attacks became more prevalent.
In this paper, we show that ISR can be extended to also protect against
code-reuse attacks while at the same time offering security guarantees similar
to those of software diversity, control-flow integrity, and information hiding.
We present Scylla, a scheme that deploys a new technique for in-place code
encryption to hide the code layout of a randomized binary, and restricts the
control flow to a benign execution path. This allows us to i) implicitly
restrict control-flow targets to basic block entries without requiring the
extraction of a control-flow graph, ii) achieve execution integrity within
legitimate basic blocks, and iii) hide the underlying code layout under
malicious read access to the program. Our analysis demonstrates that Scylla is
capable of preventing state-of-the-art attacks such as just-in-time
return-oriented programming (JIT-ROP) and crash-resistant oriented programming
(CROP). We extensively evaluate our prototype implementation of Scylla and show
feasible performance overhead. We also provide details on how this overhead can
be significantly reduced with dedicated hardware support
- …