A Hardware-Software Platform for Intrusion Prevention

Preventing the execution of unauthorized software on a given computer plays a pivotal role in system security. The key problem is that although a program can be verified as authentic at the beginning of its execution, its control flow can later be redirected to externally injected malicious code, for example by a buffer overflow exploit. We introduce a novel, simplified, hardware-assisted intrusion prevention platform that overlaps program execution with MAC verification. It partitions a program binary into blocks of instructions. Each block is signed with a keyed MAC that is attached to the block as a footer. When control flow reaches a particular block, its instructions are executed speculatively while dedicated hardware verifies the attached MAC at run time. The computation state produced during speculative execution is held in a mediating buffer placed between the processor and the L1 data cache; once the MAC is verified, the results in this buffer are propagated outward. Central to this paper is a novel optimization technique that first identifies instructions likely to stall execution and then reorders basic blocks within a given instruction block to minimize the execution overhead. Although the optimization technique is problem specific, it is flexible enough to be adjusted for different optimization goals. Preliminary results showed that our optimization methods reduced overhead by an average of 60% on the SPEC2000 benchmark suite and Microsoft Visual FoxPro.
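The block-signing and deferred-commit scheme described above, as an added software model that is not code from the paper or its platform: the block size, the truncated HMAC-SHA256 footer, the toy "store byte at its own offset" instruction set and the dictionary-based memory are all assumptions made for this illustration.

```python
import hmac
import hashlib

# Constructed parameters for this illustration; the paper does not fix them.
BLOCK_SIZE = 8   # instruction bytes per block
MAC_LEN = 16     # truncated HMAC-SHA256 footer per block
STRIDE = BLOCK_SIZE + MAC_LEN

def block_mac(key: bytes, n: int, block: bytes) -> bytes:
    # The block number is bound into the MAC so a valid block cannot be moved or replayed.
    return hmac.new(key, n.to_bytes(4, "big") + block, hashlib.sha256).digest()[:MAC_LEN]

def sign_binary(code: bytes, key: bytes) -> bytes:
    """Partition `code` into fixed-size blocks, appending a keyed MAC footer to each."""
    image = bytearray()
    for n, off in enumerate(range(0, len(code), BLOCK_SIZE)):
        block = code[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")  # pad final block
        image += block + block_mac(key, n, block)
    return bytes(image)

def execute_signed(image: bytes, key: bytes) -> dict:
    """Model of the platform's run-time path. Toy ISA: the instruction byte at program
    offset i stores its own value at memory address i. Stores land in a mediating
    buffer while the footer MAC is checked; only verified blocks are committed."""
    memory = {}
    committed = 0
    for n in range(len(image) // STRIDE):
        base = n * STRIDE
        block = image[base:base + BLOCK_SIZE]
        footer = image[base + BLOCK_SIZE:base + STRIDE]
        # Speculative execution: results are captured in the buffer, not in memory.
        write_buffer = {n * BLOCK_SIZE + i: b for i, b in enumerate(block)}
        # The MAC check runs alongside execution; compare in constant time.
        if not hmac.compare_digest(footer, block_mac(key, n, block)):
            # Verification failed: discard the buffer, nothing from this block escapes.
            return {"memory": memory, "committed": committed, "aborted_at": n}
        memory.update(write_buffer)  # verified: propagate buffered results outward
        committed += 1
    return {"memory": memory, "committed": committed, "aborted_at": None}
```

A block whose instructions or footer are modified, or a valid block moved to another position, fails verification and its buffered writes never reach memory, while every block committed before it remains intact.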
