2014 | OriginalPaper | Book chapter
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Written by: Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller
Published in: Engineering Secure Software and Systems
Publisher: Springer International Publishing
Code reuse attacks circumvent traditional program protection mechanisms such as $W \oplus X$ by constructing exploits from code already present within a process. Existing techniques to defend against these attacks provide ad hoc solutions or lack features necessary to provide comprehensive and adoptable solutions. We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks. We define conformant program execution ($\mathcal{CPE}$) as a set of requirements on program states. We demonstrate that code reuse attacks violate these requirements and thus can be detected; further, new exploit variations will not circumvent $\mathcal{CPE}$. To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state at system call invocations; we demonstrate that this relaxed model is sufficient to detect code reuse attacks. We implemented our algorithm in a tool, ROPStop, which operates on unmodified binaries, including running programs. In our testing, ROPStop accurately detected real exploits while imposing low overhead on a set of modern applications: 5.3% on SPEC CPU2006 and 6.3% on an Apache HTTP Server.