Branch Regulation: Low-Overhead Protection from Code Reuse Attacks. Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev, Department of Computer Science, State University of New York at Binghamton. Presented at the 39th International Symposium on Computer Architecture (ISCA), June 11th 2012.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks
Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh
and Dmitry Ponomarev
Department of Computer Science
State University of New York at Binghamton
Presented at the 39th International Symposium
on Computer Architecture (ISCA), June 11th 2012
Attack Classification from NIST Database
(2009 – 2010 CVE records, vulnerability level 8 – 10)
Stack, heap and other overflows: 48%
Denial of service: 26%
Memory corruption: 15%
Bypass a restriction: 4%
Gain privileges: 3%
Directory traversal: 2%
Obtain information: 1%
Other: 1%
ISCA 2012 2
Buffer Overflow and Code Injection Attack: Example
• Use solutions preventing buffer overflows
  – Bounds checking
  – Information flow tracking
• Can ensure the legitimacy of jump targets at runtime
  – Difficult to do
• Need to construct a Control Flow Graph
  – Control Flow Integrity (CFI)
    • Abadi et al., USENIX Security 2005
Control Flow Integrity
• Generate Control Flow Graph
  – Unique labels for edges
• Instrument the code with checks
  – Each indirect branch checks target for a label

One CFG edge (source: jmp ecx; destination: mov eax, [esp+4]) before and after CFI instrumentation; the added instructions are marked with +:

  Source (before):       ... jmp ecx ...
  Destination (before):  ... mov eax, [esp+4] ...

  Source (after):        ... cmp [ecx], 12345678h     +
                             jne error_label          +
                             lea ecx, [ecx+4]         +
                             jmp ecx ...
  Destination (after):   ... <data 12345678h>         +
                             mov eax, [esp+4] ...
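The label check from the instrumented sequence, modelled in C as an added example (this is not code from the slides or from the CFI paper). Simulated code memory is a constructed byte array; the label value 12345678h is the slide's, while the addresses, the x86 encoding of mov eax, [esp+4] and the gadget location are assumptions made for the demonstration.

```c
/* Added example: software model of the CFI label check. Simulated code
 * memory is a constructed byte array; only the label value comes from the
 * slide, all addresses and the gadget location are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    64
#define CFI_LABEL   0x12345678u  /* edge label from the slide */
#define ENTRY_ADDR  16           /* legitimate target, preceded by <data 12345678h> */
#define GADGET_ADDR 40           /* mid-function address with no label in front */

enum cfi_result { CFI_OK = 0, CFI_VIOLATION = 1 };

/* Little-endian 32-bit load, which is what 'cmp [ecx], imm32' reads. */
static uint32_t load32(const uint8_t *mem, uint32_t addr) {
    return (uint32_t)mem[addr] | (uint32_t)mem[addr + 1] << 8 |
           (uint32_t)mem[addr + 2] << 16 | (uint32_t)mem[addr + 3] << 24;
}

static void store32(uint8_t *mem, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) mem[addr + i] = (uint8_t)(v >> (8 * i));
}

/* Uninstrumented 'jmp ecx': control goes wherever ecx points. */
static void plain_jump(uint32_t target, uint32_t *pc) { *pc = target; }

/* Instrumented source side: cmp [ecx], 12345678h / jne error_label /
 * lea ecx, [ecx+4] / jmp ecx. Returns CFI_VIOLATION in place of branching
 * to error_label and leaves pc untouched in that case. */
static enum cfi_result cfi_jump(const uint8_t *mem, uint32_t target, uint32_t *pc) {
    if (target + 4 > MEM_SIZE || load32(mem, target) != CFI_LABEL)
        return CFI_VIOLATION;       /* jne error_label */
    *pc = target + 4;               /* lea ecx, [ecx+4]; jmp ecx */
    return CFI_OK;
}

/* Constructed code layout: the label word sits in front of the legitimate
 * destination 'mov eax, [esp+4]' (8B 44 24 04); the gadget address holds
 * the same instruction with no label. Code is read-only at run time (W^X),
 * which is what keeps an attacker from writing a label of their own. */
static void build_demo_memory(uint8_t *mem) {
    static const uint8_t mov_eax_esp4[] = { 0x8B, 0x44, 0x24, 0x04 };
    memset(mem, 0x90, MEM_SIZE);    /* nop filler */
    store32(mem, ENTRY_ADDR, CFI_LABEL);
    memcpy(mem + ENTRY_ADDR + 4, mov_eax_esp4, sizeof mov_eax_esp4);
    memcpy(mem + GADGET_ADDR, mov_eax_esp4, sizeof mov_eax_esp4);
}

int main(void) {
    uint8_t mem[MEM_SIZE];
    uint32_t pc = 0;
    enum cfi_result r;
    build_demo_memory(mem);

    plain_jump(GADGET_ADDR, &pc);
    printf("plain jmp ecx     -> pc=%u (gadget reached, nothing checked)\n", pc);
    r = cfi_jump(mem, ENTRY_ADDR, &pc);
    printf("cfi jmp to entry  -> %s, pc=%u\n", r == CFI_OK ? "ok" : "violation", pc);
    r = cfi_jump(mem, GADGET_ADDR, &pc);
    printf("cfi jmp to gadget -> %s\n", r == CFI_OK ? "ok" : "violation");
    return 0;
}
```

The check only ever reads the word at the target, so it costs one memory load and one compare per indirect branch; the price is that every legitimate destination must carry a label, which is where the CFG construction and binary rewriting that the next slide calls out as limitations come in.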
CFI Limitations
• Need to construct Control Flow Graph
  – No publicly available tools for constructing CFG from binaries
    • Need access to source code
• Runtime performance overhead due to extra instructions
  – About 20% for SPEC 2K6 benchmarks
• Problems with dynamic linking
• Does not handle unintended instructions
Where Do Jump Targets Go?
• Typical use of indirect jump instruction
  – To efficiently implement switch-case statements
    • Target is in the same function
  – To support dynamic linking
    • Target is a function entry point
Key Observation:
Legitimate jump targets ARE NOT in the middle of another function
Our Proposal: Branch Regulation
• Enforce the following rules:
  – Returns go to the correct addresses
  – Jumps target the same function or a function entry point
  – Calls target function entry points
• Use hardware checks for enforcement
  – Low performance overhead (around 2%)
  – Unintended instructions are handled
  – No CFG needed
  – Requires minimal binary annotations
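The three rules above, and the "jump targets are never in the middle of another function" observation they rest on, as an added software model in C (this is not the authors' code and does not reproduce their hardware). A function-bounds table stands in for the binary annotations, a shadow stack is my stand-in for the return-address check, and the function names, addresses and branch traces are all constructed for the demonstration.

```c
/* Added example: software model of the three Branch Regulation rules run
 * over constructed branch traces. The function-bounds table plays the role
 * of the binary annotations; the shadow stack is an assumption standing in
 * for the hardware return check. Names, addresses and traces are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum br_kind   { BR_CALL, BR_JMP, BR_RET };
enum br_result { BR_OK = 0, BR_BAD_CALL, BR_BAD_JMP, BR_BAD_RET, BR_STACK_ERR };

struct func_bounds { const char *name; uint32_t start, end; };  /* [start, end) */

/* Constructed function table (hypothetical addresses). */
static const struct func_bounds funcs[] = {
    { "main",   0x1000, 0x1100 },
    { "parse",  0x1100, 0x1200 },
    { "strcpy", 0x2000, 0x2080 },
};
#define LEN(a) (sizeof (a) / sizeof (a)[0])

#define SHADOW_DEPTH 64
struct br_monitor { uint32_t shadow[SHADOW_DEPTH]; int sp; };

static const struct func_bounds *func_of(uint32_t pc) {
    for (size_t i = 0; i < LEN(funcs); i++)
        if (pc >= funcs[i].start && pc < funcs[i].end) return &funcs[i];
    return NULL;                           /* address lies outside every function */
}

static int is_entry(uint32_t pc) {
    const struct func_bounds *f = func_of(pc);
    return f != NULL && f->start == pc;
}

/* Check one branch. ret_addr is the fall-through address a call pushes. */
static enum br_result br_check(struct br_monitor *m, enum br_kind kind,
                               uint32_t src, uint32_t dst, uint32_t ret_addr) {
    const struct func_bounds *fs, *fd;
    switch (kind) {
    case BR_CALL:                          /* rule: calls target function entry points */
        if (!is_entry(dst)) return BR_BAD_CALL;
        if (m->sp >= SHADOW_DEPTH) return BR_STACK_ERR;
        m->shadow[m->sp++] = ret_addr;
        return BR_OK;
    case BR_JMP:                           /* rule: same function or a function entry */
        if (is_entry(dst)) return BR_OK;
        fs = func_of(src); fd = func_of(dst);
        return (fs != NULL && fs == fd) ? BR_OK : BR_BAD_JMP;
    case BR_RET:                           /* rule: returns go to the correct addresses */
        if (m->sp == 0) return BR_STACK_ERR;   /* ret without a matching call */
        return m->shadow[--m->sp] == dst ? BR_OK : BR_BAD_RET;
    }
    return BR_BAD_JMP;
}

struct br_event { enum br_kind kind; uint32_t src, dst, ret_addr; const char *what; };

/* Run a trace from an empty shadow stack; stop at the first violation and
 * report its index through *failed_at (n if the whole trace is clean). */
static enum br_result run_trace(const struct br_event *ev, size_t n, size_t *failed_at) {
    struct br_monitor m = { {0}, 0 };
    for (size_t i = 0; i < n; i++) {
        enum br_result r = br_check(&m, ev[i].kind, ev[i].src, ev[i].dst, ev[i].ret_addr);
        if (r != BR_OK) { if (failed_at) *failed_at = i; return r; }
    }
    if (failed_at) *failed_at = n;
    return BR_OK;
}

/* Constructed legitimate trace: the switch-case jump stays inside parse and
 * every return goes back to the address its call pushed. */
static const struct br_event good_trace[] = {
    { BR_CALL, 0x1020, 0x1100, 0x1025, "main calls parse" },
    { BR_JMP,  0x1110, 0x1150, 0,      "switch-case jump inside parse" },
    { BR_CALL, 0x1160, 0x2000, 0x1165, "parse calls strcpy" },
    { BR_RET,  0x2070, 0x1165, 0,      "strcpy returns to its call site" },
    { BR_RET,  0x11f0, 0x1025, 0,      "parse returns to its call site" },
};
/* Constructed ROP trace: a corrupted return address sends strcpy's ret into
 * the middle of parse instead of back to the call site. */
static const struct br_event rop_trace[] = {
    { BR_CALL, 0x1020, 0x1100, 0x1025, "main calls parse" },
    { BR_CALL, 0x1160, 0x2000, 0x1165, "parse calls strcpy" },
    { BR_RET,  0x2070, 0x1180, 0,      "ret to a gadget inside parse" },
};
/* Constructed JOP trace: an indirect jump from parse lands mid-strcpy. */
static const struct br_event jop_trace[] = {
    { BR_JMP,  0x1110, 0x2040, 0,      "jmp into the middle of strcpy" },
};

static void report(const char *label, const struct br_event *ev, size_t n) {
    static const char *names[] = { "ok", "bad call", "bad jump", "bad return", "shadow stack error" };
    size_t at;
    enum br_result r = run_trace(ev, n, &at);
    printf("%-6s %s", label, names[r]);
    if (r != BR_OK) printf(" at event %zu: %s", at, ev[at].what);
    printf("\n");
}

int main(void) {
    report("good:", good_trace, LEN(good_trace));
    report("rop:",  rop_trace,  LEN(rop_trace));
    report("jop:",  jop_trace,  LEN(jop_trace));
    return 0;
}
```

Note what the jump rule does and does not need: only the bounds of the function the branch sits in and the set of entry points, not a control flow graph, which is why the same check can be applied to a stripped binary with nothing more than function-bounds annotations. A gadget that begins at a function entry point, or a jump that stays inside the current function, is still allowed by these rules; the return check is what closes the classic ROP case in the trace above.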