Processor Control Flow Monitoring Using Signatured Instruction Streams
IEEE Transactions on Computers
Points-to analysis in almost linear time
POPL '96 Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Which pointer analysis should I use?
Proceedings of the 2000 ACM SIGSOFT international symposium on Software testing and analysis
Architectural support for copy and tamper resistant software
ASPLOS IX Proceedings of the ninth international conference on Architectural support for programming languages and operating systems
Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution
ICCD '04 Proceedings of the IEEE International Conference on Computer Design
Anomalous path detection with hardware support
Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems
IMPRES: integrated monitoring for processor reliability and security
Proceedings of the 43rd annual Design Automation Conference
Framework for instruction-level tracing and analysis of program executions
Proceedings of the 2nd international conference on Virtual execution environments
Establishing the genuinity of remote computer systems
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Side effects are not sufficient to authenticate software
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Intrusion detection using sequences of system calls
Journal of Computer Security
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Decoupling dynamic program analysis from execution in virtual environments
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
When good instructions go bad: generalizing return-oriented programming to RISC
Proceedings of the 15th ACM conference on Computer and communications security
DARE: A Framework for Dynamic Authentication of Remote Executions
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Hardware-assisted run-time monitoring for secure program execution on embedded processors
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
Orthrus: efficient software integrity protection on multi-cores
Proceedings of the fifteenth edition of ASPLOS on Architectural support for programming languages and operating systems
Efficient and practical control flow monitoring for program security
ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Return-oriented programming without returns
Proceedings of the 17th ACM conference on Computer and communications security
A sense of self for Unix processes
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Jump-oriented programming: a new class of code-reuse attack
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Exploiting hardware advances for software testing and debugging (NIER track)
Proceedings of the 33rd International Conference on Software Engineering
Practical Considerations in Control-Flow Integrity Monitoring
ICSTW '11 Proceedings of the 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation Workshops
Proceedings of the Second Asia-Pacific Workshop on Systems
CODESSEAL: Compiler/FPGA approach to secure applications
ISI'05 Proceedings of the 2005 IEEE international conference on Intelligence and Security Informatics
CFIMon: Detecting violation of control flow integrity using performance counters
DSN '12 Proceedings of the 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
| Hi-index | 0.00 |
We propose and experimentally evaluate a technique of authenticating the execution of a program through the continuous run-time validation of control flow. Control flow authentication is useful in detecting security violations that alter the normal flow of control at run time through techniques such as call stack smashing, return and jump-oriented programming. Our technique relies on the use of existing support for branch tracing in contemporary processors, typified by the branch trace store (BTS) mechanism of contemporary Intel x86 server Platforms. In contrast to existing techniques that require code modification, either statically or at run-time, our technique requires no modifications to the binaries, thus preserving binary compatibility. In this paper, we demonstrate how the existing hardware support for branch tracing can be used to perform control flow validation covering each and every executed control flow instruction in an application or the kernel as they run. Although the performance overhead for full and continuous control flow authentication for an entire application is significant, we show how the technique can be used judiciously to selectively perform full and continuous control flow validation of critical functions with a tolerable overhead. As an example of this selective approach, we show how our technique detects security compromises introduced by kernel rootkits with a tolerable overhead.