Leveraging speculative architectures for run-time program validation

Attackers can tamper with program execution by exploiting software vulnerabilities. Changing program behavior by compromising control data and decision data has become the most serious threat to computer systems security. Although several hardware approaches have been presented to validate program execution, most suffer from large hardware area or poor ambiguity handling. In this paper, we propose a new hardware-based approach that leverages existing speculative architectures for run-time program validation. The on-chip branch target buffer (BTB) is used as a cache of the legitimate control flow transfers stored in a secure memory region. In addition, the BTB is extended to store the correct program path information. At each indirect branch site, the BTB is used to validate the decision history of the conditional branches preceding it, and more information about the future decision path is fetched to monitor the execution path at run-time. The implementation of this approach is transparent to the operating system and programs above it, so it is applicable to legacy code. Because of the good code locality of executable programs and the effectiveness of branch prediction, the frequency of run-time control flow validations against the secure off-chip memory is low. Our experimental results show a negligible performance penalty and small storage overhead, with reduced ambiguity.
