
Hardware-Assisted Fine-Grained Code-Reuse Attack Detection

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

Code-reuse attacks have become the primary exploitation technique for system compromise despite the Data Execution Prevention (DEP) mechanism introduced in modern platforms. Unlike code injection attacks, they divert a victim program's control flow to unintended targets without adding any malicious code. This paper proposes a practical scheme named CFIGuard to detect code-reuse attacks on user-space applications. CFIGuard records every branch executed by leveraging hardware features of commodity processors, and then validates the recorded branches against fine-grained control-flow graphs. We have implemented a prototype of CFIGuard on Linux, and the experiments show that it incurs only around 2.9% runtime overhead for a set of typical server applications.
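The validation step the abstract describes, as an added example that is not CFIGuard's own code: a recorded sequence of branches is replayed against a fine-grained control-flow graph, and the first branch that has no edge in the graph is reported. All addresses, CFG edges and trace records below are constructed for illustration; how the records are obtained from the processor is left out, and pairing each return with the return site of the most recent call on a shadow stack is this example's choice of a fine-grained return policy, not necessarily the paper's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kind of control transfer, as a hardware branch recorder would classify it. */
typedef enum { BR_CALL, BR_RET, BR_JMP } br_kind;

/* One recorded branch: where it was taken from, where it landed and, for
 * calls, the address of the instruction after the call (known from the static
 * disassembly). Every address in this file is constructed, not a real binary. */
typedef struct {
    br_kind  kind;
    uint64_t src;
    uint64_t dst;
    uint64_t next;   /* meaningful for BR_CALL only */
} branch_rec;

typedef struct { uint64_t src, dst; } edge;

/* Fine-grained CFG: each call/jump site lists exactly the targets static
 * analysis found for it, not "any function entry" as a coarse policy would. */
static const edge allowed_edges[] = {
    { 0x401010, 0x401100 },   /* main+0x10: call foo                            */
    { 0x401020, 0x401200 },   /* main+0x20: indirect call, bar is its only target */
    { 0x401120, 0x401130 },   /* foo+0x20:  jmp to foo's epilogue block          */
};

static int edge_allowed(uint64_t src, uint64_t dst)
{
    for (size_t i = 0; i < sizeof allowed_edges / sizeof allowed_edges[0]; i++)
        if (allowed_edges[i].src == src && allowed_edges[i].dst == dst)
            return 1;
    return 0;
}

#define SHADOW_DEPTH 64

/* Walk the trace in order. Calls and jumps must match a CFG edge; a return
 * must land on the return site of the most recent unmatched call, so a ret
 * to a gadget is caught even when the gadget lies inside legitimate code.
 * Returns the index of the first violating record, or -1 if the whole trace
 * is consistent with the CFG. */
int validate_trace(const branch_rec *trace, size_t n)
{
    uint64_t shadow[SHADOW_DEPTH];
    size_t sp = 0;

    for (size_t i = 0; i < n; i++) {
        const branch_rec *r = &trace[i];
        switch (r->kind) {
        case BR_CALL:
            if (!edge_allowed(r->src, r->dst) || sp == SHADOW_DEPTH)
                return (int)i;
            shadow[sp++] = r->next;
            break;
        case BR_RET:
            if (sp == 0 || shadow[--sp] != r->dst)
                return (int)i;
            break;
        case BR_JMP:
            if (!edge_allowed(r->src, r->dst))
                return (int)i;
            break;
        }
    }
    return -1;
}

/* Constructed benign run: main calls foo, foo jumps and returns, main makes
 * its indirect call to bar, bar returns. */
static const branch_rec benign_trace[] = {
    { BR_CALL, 0x401010, 0x401100, 0x401015 },
    { BR_JMP,  0x401120, 0x401130, 0 },
    { BR_RET,  0x401140, 0x401015, 0 },
    { BR_CALL, 0x401020, 0x401200, 0x401023 },
    { BR_RET,  0x401210, 0x401023, 0 },
};

/* Constructed ROP run: foo's saved return address was overwritten, so its
 * ret lands on a gadget at foo+0x37 instead of back at main+0x15. */
static const branch_rec rop_trace[] = {
    { BR_CALL, 0x401010, 0x401100, 0x401015 },
    { BR_RET,  0x401140, 0x401137, 0 },
    { BR_RET,  0x40113b, 0x401210, 0 },
};

/* Constructed JOP-style run: the function pointer used at main+0x20 was
 * corrupted, so the indirect call lands on the gadget rather than on bar. */
static const branch_rec hijacked_call_trace[] = {
    { BR_CALL, 0x401020, 0x401137, 0x401023 },
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])
int check_benign(void)         { return validate_trace(benign_trace, COUNT(benign_trace)); }
int check_rop(void)            { return validate_trace(rop_trace, COUNT(rop_trace)); }
int check_hijacked_call(void)  { return validate_trace(hijacked_call_trace, COUNT(hijacked_call_trace)); }

int main(void)
{
    printf("benign trace: first violation at %d\n", check_benign());
    printf("ROP trace: first violation at %d\n", check_rop());
    printf("hijacked indirect call: first violation at %d\n", check_hijacked_call());
    return 0;
}
```

The benign trace validates cleanly, the ROP trace is rejected at its first return (record 1) and the hijacked indirect call is rejected at record 0. A coarse-grained policy that accepts any return to a call-preceded address, or any indirect call to a function entry, has no way to distinguish the second trace from the first when the gadget happens to sit at such an address; that is the gap fine-grained validation closes.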




Acknowledgments

This work has been partly supported by National NSF of China under Grant No. 61170070, 61572248, 61431008, 61321491; National Key Technology R&D Program of China under Grant No. 2012BAK26B01.

Author information


Correspondence to Pinghai Yuan.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Yuan, P., Zeng, Q., Ding, X. (2015). Hardware-Assisted Fine-Grained Code-Reuse Attack Detection. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_4


  • DOI: https://doi.org/10.1007/978-3-319-26362-5_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5
