
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks, in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12), June 2012. Authors:

dalia


Presentation Transcript


  1. Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

  2. Paper Information • Branch Regulation: Low-Overhead Protection from Code Reuse Attacks, in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12), June 2012 • Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev • Department of Computer Science, State University of New York at Binghamton • {mkayaalp, mozsoy, nael, dima}@cs.binghamton.edu

  3. Abstract • While software-based full control flow integrity (CFI) checking can protect against CRAs (Code Reuse Attacks), it incurs significant overhead • We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI

  4. Background Knowledge : CRA (Code Reuse Attack)

  5. Background Knowledge: ROP (Return-Oriented Programming) attack • One of the most common CRAs • The attacker must identify gadgets, which are sequences of instructions in the victim program (including any linked-in libraries, e.g., libc, libm) that end with a return

  6. Background Knowledge: ROP (Return-Oriented Programming) attack

  7. Background Knowledge: JOP (Jump-Oriented Programming) attack • A new class of code-reuse attack • Thwarts certain anti-ROP defenses (anti-ROP defenses check only the stack pointer value) • JOP uses instruction sequences ending with an indirect jump or call • Instead of the stack, it uses a dispatcher table to jump to different locations • No known defenses against ROP prevent JOP attacks, so there is a critical need for techniques that prevent JOP attacks with low overhead

  8. Background Knowledge: Comparison between ROP and JOP

  9. Background Knowledge: CFI (Control Flow Integrity) • This is a powerful defense mechanism • Control-Flow Integrity (CFI): execution of a program dynamically follows only certain paths, in accordance with a static policy (a Control-Flow Graph); uses dynamic checks and machine code rewriting • Control-Flow Graph (CFG): defined by analysis ahead of time (source code analysis, binary analysis, execution profiling) • Enforcing full CFI at the branch level should completely protect from ROP and JOP attacks, but CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite

  10. Branch Regulation (BR) • A technique that defends against CRAs by enforcing simple control flow invariants present in function-based programming languages • Relies on simple hardware support • BR works by enforcing 3 rules (RET, indirect JMP, CALL)

  11. Branch Regulation (BR) – Enforcing BR Rules Unintended Branches

  12. Branch Regulation (BR) – Why Hardware? • For performance (binary size and execution time) • More importantly, for security reasons: an unintended branch will not appear in the CFG and will not be checked by the software CFI implementation

  13. Branch Regulation (BR) – Unintended Branch example

  14. BR Implementation Details - Architectural Support for BR • BR checks are performed in hardware.

  15. Performance Evaluation of BR (1) Look inside

  16. Performance Evaluation of BR (2) Look inside

  17. Conclusion • In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs) • BR limits the target addresses of branches to be either within the same function or at the start of another function • It reduces the ability of the attacker to find exploitable gadgets needed for the CRA, with small overhead (2% performance loss, about 1% binary size increase)
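
A software model of the three BR checks named on slides 10 and 17, added here as an illustration; it is not code from the slides or the paper. The function table, the addresses and the names `br_check`, `br_reset` and `func_of` are constructed, and modelling the RET rule as a protected stack of expected return addresses is an assumption, since the slides only name the rule.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed function table: [start, end) code ranges, not from the paper. */
typedef struct { uint32_t start, end; } func_t;
static const func_t FUNCS[] = { {0x1000, 0x1040}, {0x1040, 0x10a0}, {0x10a0, 0x1100} };
enum { NFUNCS = sizeof FUNCS / sizeof FUNCS[0], STACK_MAX = 64 };

typedef enum { BR_CALL, BR_IJMP, BR_RET } br_kind;

/* Assumed model of the RET rule: a protected stack of expected return addresses. */
static uint32_t shadow[STACK_MAX];
static int depth;

void br_reset(void) { depth = 0; }

/* Index of the function containing addr, or -1 if addr is outside all code. */
static int func_of(uint32_t addr) {
    for (int i = 0; i < NFUNCS; i++)
        if (addr >= FUNCS[i].start && addr < FUNCS[i].end) return i;
    return -1;
}

static int is_entry(uint32_t addr) {
    int f = func_of(addr);
    return f >= 0 && FUNCS[f].start == addr;
}

/* Returns 1 if the branch at pc may transfer to target, 0 on a violation.
   ret_addr is the address after a CALL; it is ignored for other kinds. */
int br_check(br_kind kind, uint32_t pc, uint32_t ret_addr, uint32_t target) {
    switch (kind) {
    case BR_CALL:   /* must land on a function's first instruction */
        if (!is_entry(target) || depth == STACK_MAX) return 0;
        shadow[depth++] = ret_addr;
        return 1;
    case BR_IJMP:   /* same function, or the start of another function */
        return is_entry(target) ||
               (func_of(pc) >= 0 && func_of(pc) == func_of(target));
    case BR_RET:    /* must match the address recorded by the paired CALL */
        return depth > 0 && shadow[--depth] == target;
    }
    return 0;
}

int main(void) {
    br_reset();
    printf("call to entry:      %d\n", br_check(BR_CALL, 0x1010, 0x1015, 0x1040));
    printf("jmp into other fn:  %d\n", br_check(BR_IJMP, 0x1050, 0, 0x10b3));
    printf("ret to call site:   %d\n", br_check(BR_RET, 0x109f, 0, 0x1015));
    return 0;
}
```

Because the check runs on every executed branch, it also covers an unintended branch decoded from the middle of another instruction, which is the case slide 12 says a CFG-driven software check misses.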
