Defending Non-control-data Attacks using Influence Domain Monitoring

  • Zhang, Guimin (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Li, Qingbao (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Chen, Zhifeng (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Zhang, Ping (State Key Laboratory of Mathematical Engineering and Advanced Computing)
  • Received : 2017.09.17
  • Accepted : 2018.03.01
  • Published : 2018.08.31

Abstract

As an increasing number of defense methods against control-data attacks are deployed in practice, control-data attacks have become harder to mount, and non-control-data attacks are on the rise. However, defense methods against non-control-data attacks are still deficient even though these attacks can produce damage as significant as that of control-data attacks. We present a method to defend against non-control-data attacks using influence domain monitoring (IDM). A definition of the data influence domain is first proposed to describe the characteristics of a variable during its life cycle. IDM extracts security-critical non-control data from the target program and then instruments the target to monitor these variables' influence domains, ensuring that a corrupted variable will not be used as the attacker intends. Attackers may therefore still be able to modify the value of a security-critical variable by exploiting a memory corruption vulnerability, but they will be prevented from using that variable for nefarious purposes. We evaluate a prototype implementation of IDM and use the experimental results to show that this method can defend against most known non-control-data attacks while imposing a moderate amount of performance overhead.
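To make the monitoring idea concrete, here is an added C example written for this page; it is not the authors' IDM code and it models the influence domain in a deliberately simplified way. A security-critical non-control variable (an `authenticated` flag) is given a shadow copy kept apart from ordinary program data plus an allow-list of the code sites permitted to define it; every use site compares the live value against the shadow, so a value produced by a raw store that bypassed the recorded definition sites is refused before it can drive an authorization decision. The site identifiers, `struct session`, the shadow variables and the scenario functions are all constructed for this illustration; the `memset`-free raw assignment in `scenario_corrupted` merely stands in for the outcome of a memory-corruption write and exercises no real bug.

```c
#include <stdio.h>

/* Constructed example (not the paper's IDM implementation): a
 * security-critical non-control variable is checked at every
 * definition and use site. Its influence domain is modelled as
 * (a) the set of code sites allowed to define it and (b) a shadow
 * copy held outside the program's ordinary data. */

enum { SITE_LOGIN = 1, SITE_LOGOUT = 2 };   /* assumed legitimate definition sites */

/* ordinary program data: the flag sits next to an attacker-reachable
 * buffer, the layout that non-control-data attacks typically target */
struct session {
    char name[16];
    int  authenticated;
};

/* monitor state kept apart from struct session */
static int shadow_auth;
static int last_def_site;

static int site_allowed(int site)
{
    return site == SITE_LOGIN || site == SITE_LOGOUT;
}

/* instrumented definition site: refuses writers outside the domain,
 * otherwise updates the live variable and its shadow together */
static int define_auth(struct session *s, int site, int value)
{
    if (!site_allowed(site))
        return 0;                       /* definition outside the domain */
    s->authenticated = value;
    shadow_auth      = value;
    last_def_site    = site;
    return 1;
}

/* instrumented use site: the live value must agree with the shadow,
 * i.e. it must have come from a recorded definition; -1 = corruption detected */
static int use_auth(const struct session *s)
{
    if (s->authenticated != shadow_auth)
        return -1;
    return s->authenticated;
}

int last_definition_site(void) { return last_def_site; }

static void reset_monitor(void) { shadow_auth = 0; last_def_site = 0; }

/* benign run: login defines the flag, the use site agrees -> 1 */
int scenario_benign(void)
{
    struct session s = {{0}, 0};
    reset_monitor();
    define_auth(&s, SITE_LOGIN, 1);
    return use_auth(&s);
}

/* corrupted run: the flag is flipped by a raw store that never passes
 * through define_auth (stand-in for a memory-corruption write) -> -1 */
int scenario_corrupted(void)
{
    struct session s = {{0}, 0};
    reset_monitor();
    define_auth(&s, SITE_LOGOUT, 0);
    s.authenticated = 1;                /* bypasses the definition site */
    return use_auth(&s);
}

/* a definition attempted from a site outside the domain is refused -> 0 */
int scenario_bad_site(void)
{
    struct session s = {{0}, 0};
    reset_monitor();
    return define_auth(&s, 99, 1);
}

int main(void)
{
    printf("benign use      -> %d\n", scenario_benign());
    printf("corrupted use   -> %d\n", scenario_corrupted());
    printf("bad-site define -> %d\n", scenario_bad_site());
    return 0;
}
```

The check costs one comparison per instrumented use, which is where the "moderate overhead" of such schemes comes from; the security argument rests on the shadow state living where the corrupting write cannot reach it, so a real deployment has to isolate that region rather than keep it in an ordinary global as this illustration does.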
