Augmenting Branch Predictor to Secure Program Execution

Although there are various ways to exploit software vulnerabilities for malicious attacks, the attacks always result in unexpected behavior in program execution, deviating from what the programmer/user intends to do. Program execution blindly follows the execution path specified by control flow transfer instructions with the targets generated at run-time without any validation. An enhancement is therefore proposed to secure program execution by introducing a validation mechanism over control flow transfer instructions at micro-architecture level. The proposed scheme, as a behavior-based protection, treats a triplet of the indirect branch's location, its target address, and the execution path preceding it as a behavior signature of program execution and validates it at run-time. The first two pieces of information can prevent an adversary from overwriting control data and introducing foreign code or impossible targets to redirect an indirect branch. The last one is necessary to defeat the attacks that use a legitimate target but follow an unintended execution path. Interestingly, the branch predictor is found to contain the signature information already and doing a portion of the validation when resolving the branch, thus greatly reducing the validation frequency. An enhancement of branch target buffer (BTB) entry together with a signature table implemented in the form of a Bloom filter in hardware is proposed to incorporate the validation into the processor's pipeline, providing a new defense in the processor architecture to secure program execution.

[1]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[2]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[3]  Tao Zhang,et al.  Anomalous path detection with hardware support , 2005, CASES '05.

[4]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[5]  Brad Calder,et al.  Automatically characterizing large scale program behavior , 2002, ASPLOS X.

[6]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[7]  Ravishankar K. Iyer,et al.  Transparent runtime randomization for security , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[9]  Gyungho Lee,et al.  Encoded Program Counter: Self-Protection from Buffer Overflow Attacks , 2000, International Conference on Internet Computing.

[10]  Debin Gao,et al.  Gray-box extraction of execution graphs for anomaly detection , 2004, CCS '04.

[11]  Zhao Zhang,et al.  Microarchitectural Protection Against Stack-Based Buffer Overflow Attacks , 2006, IEEE Micro.

[12]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[13]  M. V. Ramakrishna,et al.  A Performance Study of Hashing Functions for Hardware Applications , 1994 .

[14]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[15]  George Varghese,et al.  Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[16]  Yale N. Patt,et al.  Alternative implementations of two-level adaptive branch prediction , 1992, ISCA '92.

[17]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[18]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[19]  Michael Shuey,et al.  StackGhost: Hardware Facilitated Stack Protection , 2001, USENIX Security Symposium.

[20]  Norman P. Jouppi,et al.  CACTI: an enhanced cache access and cycle time model , 1996, IEEE J. Solid State Circuits.

[21]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[22]  R. Sekar,et al.  Dataflow anomaly detection , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[23]  Gyungho Lee,et al.  Architectural Support for Run-Time Validation of Control Flow Transfer , 2006, 2006 International Conference on Computer Design.

[24]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[25]  Yale N. Patt,et al.  Retrospective: alternative implementations of two-level adaptive training branch prediction , 1998, ISCA '98.

[26]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[27]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.