Branch Regulation:Low-Overhead Protection from Code Reuse Attacks
Paper Information
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks
in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA '12), June 2012.
Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev
Department of Computer Science, State University of New York at Binghamton
{mkayaalp, mozsoy, nael, [email protected]
Abstract
• While software-based full control-flow integrity (CFI) checking can protect against Code Reuse Attacks (CRAs), it incurs significant overhead.
• We propose Branch Regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI.
Background Knowledge: CRA (Code Reuse Attack)
Background Knowledge: ROP (Return-Oriented Programming) attack
• One of the most common CRAs.
• The attacker first identifies gadgets: short instruction sequences in the victim program (including any linked-in libraries, e.g., libc, libm) that end with a return. Placing the gadget addresses on the stack lets each gadget's ret transfer control to the next one.
Background Knowledge: JOP (Jump-Oriented Programming) attack
• A newer class of code-reuse attack.
• Thwarts anti-ROP defenses that only inspect the stack (return addresses and the stack pointer), because a JOP chain never executes a ret.
• JOP gadgets end with an indirect jump or indirect call instead of a return.
• Instead of the stack, JOP uses a dispatcher table whose entries are consumed one by one to jump to the different gadget locations.
• No known defense against ROP prevents JOP attacks, so there is a critical need for techniques that prevent JOP attacks with low overhead.
Background Knowledge: Comparison between ROP and JOP
Background Knowledge: CFI (Control-Flow Integrity)
Control-Flow Integrity (CFI) is a powerful defense mechanism:
• The program's execution dynamically follows only certain paths, in accordance with a static policy (a Control-Flow Graph).
• Enforced by dynamic checks inserted through machine code rewriting.
• The Control-Flow Graph (CFG) is defined by analysis ahead of time: source code analysis, binary analysis, or execution profiling.
Enforcing full CFI at the branch level should completely protect from ROP and JOP attacks, but CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite.
Branch Regulation (BR)
• A technique that defends against CRAs by enforcing simple control-flow invariants present in function-based programming languages.
• Requires only simple hardware support.
• BR works by enforcing three rules, one each for RET, indirect JMP and CALL, that restrict where each kind of branch may land.
Branch Regulation (BR) – Enforcing BR Rules
Unintended Branches
Branch Regulation (BR) – Why Hardware?
1. For performance (binary size and execution time).
2. More importantly, for security reasons:
• An unintended branch (a branch instruction decoded from the middle of another instruction's bytes) does not appear in the CFG and is therefore not checked by a software CFI implementation.
Branch Regulation (BR) – Unintended Branch example
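An added example (written for this summary, not code from the paper or its authors) that makes the gadget notion from the ROP and JOP slides and the unintended-branch notion from this slide concrete: it scans a hand-assembled x86-64 byte sequence at every byte offset for the instructions that terminate gadgets (ret, indirect jmp, indirect call), then flags any terminator that does not sit on a compiler-intended instruction boundary as an unintended branch. The byte sequence and its instruction lengths are constructed; the terminator detection is deliberately simplified (single-byte ret 0xC3 and the FF /2, FF /4 forms only, no prefixes or other encodings), which is an assumption of the example, not a complete x86 decoder.

```c
/* Added example: find ROP/JOP gadget terminators at every byte offset
 * and tell intended from unintended ones. Not the paper's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum term_kind { T_RET, T_JMP, T_CALL };
typedef struct { size_t offset; enum term_kind kind; bool intended; } hit_t;

/* Constructed code fragment (hand-assembled for this example, not from any real binary). */
const uint8_t CODE[] = {
    0xB8, 0xC3, 0x00, 0x00, 0x00,  /* mov eax, 0xC3     (immediate holds an unintended ret)   */
    0x48, 0x89, 0xC7,              /* mov rdi, rax                                            */
    0xFF, 0xD0,                    /* call rax          (intended indirect call)              */
    0xC3,                          /* ret                                                     */
    0xBA, 0xFF, 0xE4, 0x00, 0x00,  /* mov edx, 0xE4FF   (immediate holds unintended jmp rsp)  */
    0x5F,                          /* pop rdi                                                 */
    0xC3,                          /* ret               (classic ROP gadget: pop rdi; ret)    */
    0x58,                          /* pop rax                                                 */
    0xFF, 0xE0,                    /* jmp rax           (JOP gadget: pop rax; jmp rax)        */
};
#define CODE_LEN (sizeof CODE)

/* Lengths of the intended instructions above, i.e. the compiler's instruction boundaries. */
const size_t INSN_LENS[] = { 5, 3, 2, 1, 5, 1, 1, 1, 2 };
#define N_INSNS (sizeof INSN_LENS / sizeof INSN_LENS[0])

/* True if `off` is the first byte of an intended instruction. */
static bool is_boundary(size_t off, const size_t *lens, size_t nlens) {
    size_t pos = 0;
    for (size_t i = 0; i < nlens; i++) {
        if (pos == off) return true;
        if (pos > off) return false;
        pos += lens[i];
    }
    return false;
}

/* Scan every byte offset (the way an attacker does) for a gadget terminator.
 * Simplification: only 0xC3 (ret), FF /4 (jmp r/m64) and FF /2 (call r/m64). */
size_t scan_terminators(const uint8_t *code, size_t n, const size_t *lens, size_t nlens,
                        hit_t *out, size_t max) {
    size_t cnt = 0;
    for (size_t i = 0; i < n && cnt < max; i++) {
        enum term_kind k;
        if (code[i] == 0xC3) {
            k = T_RET;
        } else if (code[i] == 0xFF && i + 1 < n) {
            unsigned reg = (code[i + 1] >> 3) & 7;   /* ModRM.reg selects the FF-group opcode */
            if (reg == 4)      k = T_JMP;            /* FF /4: jmp r/m64  */
            else if (reg == 2) k = T_CALL;           /* FF /2: call r/m64 */
            else continue;
        } else {
            continue;
        }
        out[cnt++] = (hit_t){ i, k, is_boundary(i, lens, nlens) };
    }
    return cnt;
}

/* Terminators that a CFG built from intended instructions would never list. */
size_t count_unintended(const hit_t *h, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (!h[i].intended) c++;
    return c;
}

int main(void) {
    static const char *names[] = { "ret", "jmp", "call" };
    hit_t hits[16];
    size_t n = scan_terminators(CODE, CODE_LEN, INSN_LENS, N_INSNS, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu: %-4s %s\n", hits[i].offset, names[hits[i].kind],
               hits[i].intended ? "intended" : "UNINTENDED (invisible to software CFI)");
    printf("%zu terminators, %zu unintended\n", n, count_unintended(hits, n));
    return 0;
}
```

On this fragment the scan reports six terminators, two of which (the ret inside `mov eax, 0xC3` and the `jmp rsp` inside `mov edx, 0xE4FF`) start mid-instruction. A software CFI pass that instruments only the instructions the compiler emitted never sees those two, which is the page's argument for checking every dynamically executed branch in hardware instead.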
BR Implementation Details - Architectural Support for BR
• BR checks are performed in hardware.
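The following software model is an added example (not the paper's hardware design or the authors' simulator) of how the three BR rules can be checked on a stream of branches. It assumes a per-function bounds table and a stack of caller bounds pushed on CALL and popped on RET (a stand-in for whatever state the hardware keeps; an assumption of the model), and encodes the rules as this summary describes them: CALL must land on a function entry, indirect JMP must stay inside the current function or land on a function entry (tail call), and RET must land inside the function that called the current one. The function bounds and the three branch traces are constructed for the example.

```c
/* Added example: software model of the three Branch Regulation rules.
 * Not the paper's hardware or its evaluation code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t start, end; const char *name; } func_t;   /* bounds [start, end) */

/* Constructed function-bounds table (stand-in for the hardware's view of function bounds). */
static const func_t FUNCS[] = {
    { 0x1000, 0x1100, "main"   },
    { 0x1100, 0x1200, "parse"  },
    { 0x2000, 0x2080, "helper" },
};
#define NFUNCS (sizeof FUNCS / sizeof FUNCS[0])

enum br_kind { BR_CALL, BR_JMP, BR_RET };
typedef struct { enum br_kind kind; uint64_t target; } branch_t;

#define MAX_DEPTH 32
typedef struct {
    const func_t *cur;                  /* bounds of the currently executing function */
    const func_t *callers[MAX_DEPTH];   /* bounds of each caller (assumed secure call stack) */
    size_t depth;
} br_state_t;

static const func_t *func_starting_at(uint64_t a) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (FUNCS[i].start == a) return &FUNCS[i];
    return NULL;
}

static bool inside(const func_t *f, uint64_t a) {
    return f && a >= f->start && a < f->end;
}

/* Apply one branch; returns false (state untouched) where BR would raise a fault. */
static bool br_check(br_state_t *st, branch_t b) {
    switch (b.kind) {
    case BR_CALL: {                     /* rule 1: CALL may only target a function entry */
        const func_t *f = func_starting_at(b.target);
        if (!f || st->depth == MAX_DEPTH) return false;
        st->callers[st->depth++] = st->cur;
        st->cur = f;
        return true;
    }
    case BR_JMP: {                      /* rule 2: JMP stays in the function or hits an entry */
        if (inside(st->cur, b.target)) return true;
        const func_t *f = func_starting_at(b.target);
        if (!f) return false;
        st->cur = f;                    /* tail call: caller stack is unchanged */
        return true;
    }
    case BR_RET: {                      /* rule 3: RET must land inside the caller */
        if (st->depth == 0) return false;
        const func_t *caller = st->callers[st->depth - 1];
        if (!inside(caller, b.target)) return false;
        st->depth--;
        st->cur = caller;
        return true;
    }
    }
    return false;
}

/* Run a branch trace starting in main; returns the index of the first
 * branch BR rejects, or -1 if the whole trace is accepted. */
int run_trace(const branch_t *tr, size_t n) {
    br_state_t st = { .cur = &FUNCS[0], .depth = 0 };
    for (size_t i = 0; i < n; i++)
        if (!br_check(&st, tr[i])) return (int)i;
    return -1;
}

/* Constructed traces. */
const branch_t BENIGN_TRACE[] = {
    { BR_CALL, 0x1100 },   /* main -> parse                                   */
    { BR_JMP,  0x1150 },   /* switch-table jump inside parse                  */
    { BR_CALL, 0x2000 },   /* parse -> helper                                 */
    { BR_RET,  0x1160 },   /* helper returns into parse                       */
    { BR_JMP,  0x2000 },   /* parse tail-calls helper (allowed: function entry)*/
    { BR_RET,  0x1020 },   /* helper returns into main, parse's caller        */
};
const branch_t ROP_TRACE[] = {
    { BR_CALL, 0x1100 },   /* main -> parse                                   */
    { BR_RET,  0x2040 },   /* overwritten return address: middle of helper    */
};
const branch_t JOP_TRACE[] = {
    { BR_CALL, 0x1100 },   /* main -> parse                                   */
    { BR_JMP,  0x2040 },   /* dispatcher-style jump into the middle of helper */
};
#define TRACE_LEN(t) (sizeof (t) / sizeof (t)[0])

int main(void) {
    printf("benign: first violation at %d\n", run_trace(BENIGN_TRACE, TRACE_LEN(BENIGN_TRACE)));
    printf("rop:    first violation at %d\n", run_trace(ROP_TRACE, TRACE_LEN(ROP_TRACE)));
    printf("jop:    first violation at %d\n", run_trace(JOP_TRACE, TRACE_LEN(JOP_TRACE)));
    return 0;
}
```

The benign trace, including the intra-function jump and the tail call, is accepted; the ROP trace (a corrupted return address pointing into the middle of helper) and the JOP trace (a jump into the middle of helper) are each refused at their second branch, without any CFG being consulted. Note the limit this model makes visible: a gadget that begins exactly at a function entry, or a whole function called via a corrupted pointer, still passes the rules, which is why the page describes BR as reducing the attacker's gadget supply rather than eliminating it.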
Performance Evaluation of BR (1)
Performance Evaluation of BR (2)
Conclusion
• In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs).
• BR limits the target addresses of branches to be either within the same function or at the start of another function.
• It reduces the attacker's ability to find the exploitable gadgets needed for a CRA, with small overhead (2% performance loss, about 1% binary size increase).