30 research outputs found
SOFIA : software and control flow integrity architecture
Microprocessors used in safety-critical systems are extremely sensitive to software vulnerabilities, as their failure can lead to injury, damage to equipment, or environmental catastrophe. This paper proposes a hardware-based security architecture for microprocessors used in safety-critical systems. The proposed architecture provides protection against code injection and code reuse attacks. It has mechanisms to protect software integrity, perform control flow integrity, prevent execution of tampered code, and enforce copyright protection. We are the first to propose a mechanism to enforce control flow integrity at the finest possible granularity. The proposed architectural features were added to the LEON3 open source soft microprocessor, and were evaluated on an FPGA running a software benchmark. The results show that the hardware area is 28.2% larger and the clock is 84.6% slower, while the software benchmark has a cycle overhead of 13.7% and a total execution time overhead of 110% when compared to an unmodified processor
ROPocop - Dynamic Mitigation of Code-Reuse Attacks
Control-flow attacks, usually achieved by exploiting a buffer-overflow
vulnerability, have been a serious threat to system security for over fifteen
years. Researchers have answered the threat with various mitigation techniques,
but nevertheless, new exploits that successfully bypass these technologies
still appear on a regular basis.
In this paper, we propose ROPocop, a novel approach for detecting and
preventing the execution of injected code and for mitigating code-reuse attacks
such as return-oriented programming (RoP). ROPocop uses dynamic binary
instrumentation, requiring neither access to source code nor debug symbols or
changes to the operating system. It mitigates attacks by both monitoring the
program counter at potentially dangerous points and by detecting suspicious
program flows.
We have implemented ROPocop for Windows x86 using PIN, a dynamic program
instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite
show an average overhead of 2.4x, which is comparable to similar approaches,
which give weaker guarantees. Real-world applications show only an initially
noticeable input lag and no stutter. In our evaluation our tool successfully
detected all 11 of the latest real-world code-reuse exploits, with no false
alarms. Therefore, despite the overhead, it is a viable, temporary solution to
secure critical systems against exploits if a vendor patch is not yet
available
Unsupervised Anomaly-based Malware Detection using Hardware Features
Recent works have shown promise in using microarchitectural execution
patterns to detect malware programs. These detectors belong to a class of
detectors known as signature-based detectors as they catch malware by comparing
a program's execution pattern (signature) to execution patterns of known
malware programs. In this work, we propose a new class of detectors -
anomaly-based hardware malware detectors - that do not require signatures for
malware detection, and thus can catch a wider range of malware including
potentially novel ones. We use unsupervised machine learning to build profiles
of normal program execution based on data from performance counters, and use
these profiles to detect significant deviations in program behavior that occur
as a result of malware exploitation. We show that real-world exploitation of
popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can
be detected with nearly perfect certainty. We also examine the limits and
challenges in implementing this approach in face of a sophisticated adversary
attempting to evade anomaly-based detection. The proposed detector is
complementary to previously proposed signature-based detectors and can be used
together to improve security.Comment: 1 page, Latex; added description for feature selection in Section 4,
results unchange
Об обнаружении атак типа повторного использования исполнимого кода
When exploiting software vulnerabilities such as buffer overflows, code reuse techniques are often used today. Such attacks allow you to bypass the protection against the execution of code in the stack, which is implemented at the software and hardware level in modern information systems. At the heart of these attacks lies the detection, in the vulnerable program of suitable areas, of executable code — gadgets — and chaining these gadgets into chains. The article proposes a way to protect applications from attacks that use code reuse. For this purpose, features that distinguish the chains of gadgets from typical chains of legal basic blocks of the program are highlighted. The appearance of an atypical chain of the base block during program execution may indicate the execution of a malicious code. An algorithm for identifying atypical chains has been developed. A feature of the algorithm is that it is focused on identifying all currently known techniques of re-execution of the code. The developed algorithm is based on a modified QEMU virtualization system. One of the hallmarks of the chain of gadgets is the execution at the end of the chain of instructions of the processor used to call the function of the operating system. For the Linux operating system based on the x86/64 architecture, experiments have been conducted showing the importance of this feature in detecting the execution of the malicious code.При эксплуатации уязвимостей программного обеспечения типа переполнения буфера в настоящее время часто используется техника повторного использования кода. Такие атаки позволяют обходить защиту от исполнения кода в стеке, реализуемую на программно-аппаратном уровне в современных информационных системах. В основе атак лежит нахождение в уязвимой программе подходящих участков исполнимого кода - гаджетов - и сцепление этих гаджетов в цепочки. В статье предлагается способ защиты приложений от атак, использующих повторное использование кода. Способ основан на выделении свойств, которые позволяют отличить цепочки гаджетов от типичных цепочек легальных базовых блоков программы. Появление во время выполнения программы нетипичной цепочки базовых блоков может свидетельствовать о выполнении вредоносного кода. Одним из свойств цепочки гаджетов является исполнение в конце цепочки специальной инструкции процессора, используемой для вызова функции операционной системы. Для операционной системы Linux на базе архитектуры x86/64 проведены эксперименты, показывающие важность этого свойства при выявлении исполнения вредоносного кода. Разработан алгоритм выявления нетипичных цепочек, который позволяет выявлять все известные на настоящий момент техники повторного использования кода