Abstract
Code-reuse attacks (CRAs), which assemble malicious behaviour from fragments of existing code, have recently become the most prevalent attack vector. Recent studies show that CRAs, especially jump-oriented programming (JOP) attacks, are hard and costly to detect and defend against, particularly on CISC processors. One reason is that CISC instructions are of variable length, so many unintended but legal instructions can be exploited by starting execution in the middle of a legal instruction. This property makes finding the so-called gadgets for CRAs much easier on CISC architectures than on RISC architectures. Most previous studies on mitigating CRAs on CISC processors rely on software-only means to tackle the unintended-instruction problem, which makes their approaches either very costly or applicable only under restricted conditions. In this paper, we propose two hardware-supported techniques. The first, which is the main contribution of this paper, eliminates the execution of unintended instructions. This technique requires only a few modifications to the processor and the operating system. Furthermore, the proposed mechanism has little performance impact on the examined SPEC CPU 2006 benchmarks (-0.093% to 2.993%). Second, we propose using hardware control-flow locking as a complementary technique to our protection mechanism. Using the two techniques together, an attacker has little chance of carrying out CRAs on a CISC processor.
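The following is an added illustration, not code from the paper: a small software model of why variable-length x86 code yields unintended instructions, and of an "intended instruction boundary" check that rejects branch targets inside an instruction. The toy length decoder covers only a handful of 32-bit x86 opcodes, and the bitmap-style check is an assumption made here for illustration; the page does not describe the paper's actual hardware mechanism.

```python
# Added example (not from the paper). The decoder handles only a few
# 32-bit x86 encodings; the boundary-set check is an assumed model of a
# hardware "intended instruction" check, not the paper's design.

def insn_len(code, off):
    """Length of the x86 instruction starting at code[off] (toy subset)."""
    op = code[off]
    if 0xB8 <= op <= 0xBF:                                  # mov r32, imm32
        return 5
    if op in (0xC3, 0x90, 0xCC) or 0x50 <= op <= 0x5F:      # ret, nop, int3, push/pop r32
        return 1
    if op in (0xE8, 0xE9):                                  # call/jmp rel32
        return 5
    if op == 0xEB:                                          # jmp rel8
        return 2
    if op == 0xFF and off + 1 < len(code) and (code[off + 1] & 0xC0) == 0xC0:
        return 2                                            # jmp/call r32 (register form)
    raise ValueError("unsupported opcode 0x%02x at offset %d" % (op, off))

def intended_boundaries(code, entry=0):
    """Linear sweep from the entry point: offsets where compiler-emitted
    (intended) instructions start."""
    starts, off = set(), entry
    while off < len(code):
        starts.add(off)
        off += insn_len(code, off)
    return starts

def unintended_starts(code, boundaries):
    """Offsets that are not intended boundaries yet decode as a legal
    instruction: the extra attack surface variable-length code creates."""
    found = []
    for off in range(len(code)):
        if off in boundaries:
            continue
        try:
            insn_len(code, off)
            found.append(off)
        except ValueError:
            pass
    return found

def check_indirect_target(target, boundaries):
    """Model of the hardware check: an indirect branch may only land on an
    intended boundary; any other target is an unintended instruction."""
    return target in boundaries

# Constructed sample: mov eax, 0xC3 ; ret.  The imm32 byte 0xC3 at offset 1
# is a legal 'ret' if execution starts inside the mov.
CODE = bytes([0xB8, 0xC3, 0x00, 0x00, 0x00, 0xC3])
```

Running `intended_boundaries(CODE)` gives the intended starts {0, 5}; `unintended_starts` reports offset 1 (the hidden `ret`), and `check_indirect_target(1, ...)` rejects it while offset 5 is accepted.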
© 2015 IFIP International Federation for Information Processing
Zhang, Z., Lü, Y., Chen, Y., Lü, Y., Shi, Y. (2015). Mitigating Code-Reuse Attacks on CISC Architectures in a Hardware Approach. In: Federrath, H., Gollmann, D. (eds) ICT Systems Security and Privacy Protection. SEC 2015. IFIP Advances in Information and Communication Technology, vol 455. Springer, Cham. https://doi.org/10.1007/978-3-319-18467-8_29
DOI: https://doi.org/10.1007/978-3-319-18467-8_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-18466-1
Online ISBN: 978-3-319-18467-8