Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Paper Information
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks
In Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA '12), June 2012.
Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev, Department of Computer Science, State University of New York at Binghamton, {mkayaalp, mozsoy, nael, [email protected]
Abstract
• While software-based full control flow integrity (CFI) checking can protect against CRAs (Code Reuse Attacks), it incurs significant overhead
• We propose Branch Regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI
Background Knowledge: ROP (Return-Oriented Programming) attack
• One of the most common CRAs.
• The attacker identifies gadgets: sequences of instructions in the victim program (including any linked-in libraries, e.g. libc, libm) that end with a return.
Background Knowledge: JOP (Jump-Oriented Programming) attack
• A new class of code-reuse attack
• Thwarts certain anti-ROP defenses (anti-ROP defenses check only the stack pointer value)
• JOP uses instruction sequences ending with an indirect jump or call
• Instead of the stack, it uses a dispatcher table to jump to different locations
• No known defenses against ROP prevent JOP attacks, so there is a critical need for techniques that prevent JOP attacks with low overhead.
Background Knowledge: CFI (Control-Flow Integrity)
A powerful defense mechanism: Control-Flow Integrity (CFI)
• Execution of a program dynamically follows only certain paths, in accordance with a static policy (a Control-Flow Graph)
• Dynamic checks & machine code rewriting
– Control-Flow Graph (CFG): defined by analysis ahead of time
– Source code analysis, binary analysis, execution profiling
Enforcing full CFI at the branch level should completely protect from ROP and JOP attacks, but CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite
Branch Regulation (BR)
• A technique that defends against CRAs by enforcing simple control flow invariants present in function-based programming languages.
• Implemented with simple hardware support
• BR works by enforcing 3 rules (RET, indirect JMP, CALL)
Branch Regulation (BR): Why Hardware?
1. For performance (binary size and execution time)
2. More importantly, for security reasons
• An unintended branch (one formed by jumping into the middle of an instruction) does not appear in the CFG and so is not checked by a software CFI implementation
Conclusion
• In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs).
• BR limits the target addresses of branches to be either within the same function or at the start of another function
• It reduces the attacker's ability to find exploitable gadgets needed for a CRA, with small overhead (2% performance loss, about 1% binary size increase)
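A software model of the branch-target rule stated above, added here as an illustration and not code from the paper or its authors. The function table, addresses and branch trace are constructed; the RET rule is modeled on the assumption that a return must land inside the function that issued the matching CALL, since the slides name the RET rule without spelling it out.

```python
# Added example (not from the paper or its authors): a software model of the
# three Branch Regulation checks run over a trace of executed indirect
# branches. Function bounds (name -> [start, end)), addresses and the trace
# are all constructed.
FUNCS = {"main": (0x1000, 0x1100), "parse": (0x1100, 0x1200), "libc_fn": (0x2000, 0x2100)}

def func_of(addr):
    """Name of the function whose bounds contain addr, or None."""
    for name, (lo, hi) in FUNCS.items():
        if lo <= addr < hi:
            return name
    return None

def is_entry(addr):
    """True if addr is the first instruction of some function."""
    return any(addr == lo for lo, _ in FUNCS.values())

def check_trace(trace):
    """Apply the BR rules to (kind, src, dst) events and return violations.
    Assumption: RET must land in the function that issued the matching CALL,
    tracked here with a plain stack in place of hardware bookkeeping. Rules
    apply to the branch actually executed, so a gadget reached through an
    unintended instruction boundary is checked like any other branch."""
    violations, callers = [], []
    for kind, src, dst in trace:
        cur = func_of(src)
        if kind == "CALL":  # must target the start of a function
            if not is_entry(dst):
                violations.append(f"CALL {src:#x}->{dst:#x}: not a function entry")
            callers.append(cur)
        elif kind == "JMP":  # stay in this function or enter another at its start
            if func_of(dst) != cur and not is_entry(dst):
                violations.append(f"JMP {src:#x}->{dst:#x}: leaves {cur} mid-function")
        elif kind == "RET":  # must return into the function that made the CALL
            caller = callers.pop() if callers else None
            if caller is None or func_of(dst) != caller:
                violations.append(f"RET {src:#x}->{dst:#x}: not inside caller {caller}")
    return violations

# Constructed trace: a legitimate call/jump/return, then a ROP-style chain of
# returns into the middle of other functions with no matching CALLs.
TRACE = [
    ("CALL", 0x1010, 0x1100),  # main -> parse entry: allowed
    ("JMP", 0x1120, 0x1150),   # jump within parse: allowed
    ("RET", 0x11f0, 0x1014),   # parse returns into main: allowed
    ("CALL", 0x1020, 0x2000),  # main -> libc_fn entry: allowed
    ("RET", 0x20f0, 0x1150),   # corrupted return lands in parse, not main
    ("RET", 0x11f8, 0x2040),   # gadget return with no matching CALL
]
```

Running `check_trace(TRACE)` reports the last two returns and nothing else; a hardware implementation would raise an exception at the first of them instead of continuing.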