Published by Tiara Hogwood. Modified over 10 years ago.

Using Instruction Block Signatures to Counter Code Injection Attacks
Milena Milenković, Aleksandar Milenković, Emil Jovanov
The University of Alabama in Huntsville
Email: {milenkm | milenka | jovanov}@ece.uah.edu

LaCASA, WASSA 2004

Introduction
- Most of today's computing platforms are connected to the Internet: security is a critical issue
- Even more so in the future
- One of the major security problems: the execution of unauthorized code
- Attack examples: buffer overflow (heap, stack), format string attack

Introduction
- Available chip area: predominantly used for faster execution
- Dedicated processor resources should be used to provide more secure execution
- Hardware-supported techniques: lower overhead
- We propose processor extensions that allow execution of trusted instructions only, by verifying instruction block signatures

Overview
- Introduction
- Related work
- Processor extensions for trusted instruction execution
- Preliminary results
- Conclusion

Related Work
Two categories of defense techniques:
- Software-based
  - Static: detect defects in the code at compile time
  - Dynamic: detect/prevent attacks at run time
- With hardware support

Related Work
- Static software techniques
  - Completely automated tools for code analysis
    - Precise but not scalable
    - Lightweight but imprecise
  - Programmer-assisted tools
- Dynamic software techniques
  - Augment the code for run-time attack detection and/or prevention
    - Compilers, safe language dialects, binary modification
  - Monitoring program behavior
    - System calls, performance monitoring registers
  - Code and address obfuscation
    - Randomized virtual addresses, code scrambling

Related Work
- Software-based techniques: performance overhead, false positives/negatives
- Defense with hardware support
  - Xu et al. (2002), Lee et al. (2003), Ozdaganoglu et al. (2003): Secure stack
  - Kirovski et al. (2002): Secure Program Execution Framework (SPEF): code transformed using a secret processor key
  - Suh et al. (2004): Prevent any change in control flow based on data from "spurious" channels

Mechanism for Trusted Instruction Execution
- A block of instructions is protected by its signature
- Signatures are calculated during secure program installation
- Signature verification is overlapped with execution
- Verification is performed only for a block that caused at least one instruction cache miss

Signature Architecture Implementations
Signature placement, protected block: implementation
- embedded, basic block: SIGEB
- embedded, cache block: SIGEC
- table, cache block: SIGTC
- table, basic block: SIGTB

SIGTB: Processor/Memory Modifications
[Figure: block diagram of the processor and memory. Labels: IBST, L1I, L1D, MMU, Datapath, FPUs, IF, Control, IBST_M, Code, Heap, Stack, IBSVU]

SIGTB: Compilation and Program Installation
- Signatures are generated during secure installation using a MISR with coefficients dependent on a secret processor key, and then encrypted
[Figure: installation flow. Labels: Source code, Compilation, Binary, BB list, Installation, BB_M, Binary]

SIGTB: Program Execution
[Figure: signature verification datapath. Labels: CB.SA - NewIB, IBSVU, IBST, LB.S, LB.SA, ICacheMiss, Combinational Logic (MISR), IR, NewIB, CB.S, NewIB, PCSA]

SIGEB: Compilation and Program Installation
[Figure: installation flow. Labels: Source code, Compilation, Binary, BB list, Installation, Binary + Sigs]

SIGEC: Compilation and Program Installation
- No compiler support needed, no change of the ISA
[Figure: installation flow. Labels: Original Binary, Installation, Binary + Sigs]

SIGEC: Program Execution
- Signatures "stripped" before block enters the cache
[Figure: binary laid out as cache blocks CB i, each followed by Sig i; words W0, W1, W2, W3, ..., W15 and Sig; IBSV; Memory; Cache Controller; To cache memory]

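The install-time signing (a MISR over each block) and the SIGEC miss-time check (W0..W15 followed by Sig, with the signature stripped before the block enters the cache) from the slides above, as an added C example that is not the authors' design. The 32-bit register width, the derivation of the taps from the key, the function names and the sample words are assumptions, and the encryption of signatures mentioned on the installation slide is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK_WORDS 16                  /* W0..W15, as on the SIGEC slide */
#define SIGNED_WORDS (BLOCK_WORDS + 1)  /* block followed by its Sig word */

/* Assumed MISR: 32-bit, Galois-style feedback. Taps come from the key with
 * bit 0 forced on, which keeps every step invertible, so changing any single
 * word of a block always changes the signature. */
uint32_t misr_signature(const uint32_t *w, size_t n, uint32_t key) {
    uint32_t taps = key | 1u, s = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t fb = (s & 0x80000000u) ? taps : 0u;
        s = ((s << 1) ^ fb) ^ w[i];     /* shift, feed back, fold word in */
    }
    return s;
}

/* Installation: copy each cache block and append its signature. */
void install_sign(const uint32_t *code, size_t blocks, uint32_t key, uint32_t *mem) {
    for (size_t b = 0; b < blocks; b++) {
        const uint32_t *src = code + b * BLOCK_WORDS;
        memcpy(mem + b * SIGNED_WORDS, src, BLOCK_WORDS * sizeof *src);
        mem[b * SIGNED_WORDS + BLOCK_WORDS] = misr_signature(src, BLOCK_WORDS, key);
    }
}

/* I-cache miss: recompute, compare, and hand only W0..W15 to the cache.
 * Returns 1 on match; on mismatch returns 0 and leaves the line untouched. */
int fetch_block(const uint32_t *mem, size_t b, uint32_t key, uint32_t *line) {
    const uint32_t *p = mem + b * SIGNED_WORDS;
    if (misr_signature(p, BLOCK_WORDS, key) != p[BLOCK_WORDS]) return 0;
    memcpy(line, p, BLOCK_WORDS * sizeof *p);
    return 1;
}

/* Constructed two-block "binary"; returns 1 if only the modified block fails. */
int demo_tamper_detected(void) {
    uint32_t code[2 * BLOCK_WORDS], mem[2 * SIGNED_WORDS], line[BLOCK_WORDS];
    const uint32_t key = 0xC0DE1234u;   /* constructed stand-in for the processor key */
    for (size_t i = 0; i < 2 * BLOCK_WORDS; i++) code[i] = 0x20000000u + (uint32_t)i;
    install_sign(code, 2, key, mem);
    int clean = fetch_block(mem, 0, key, line) && fetch_block(mem, 1, key, line);
    mem[SIGNED_WORDS + 3] ^= 0x40u;     /* word W3 of block 1 overwritten after install */
    return clean && fetch_block(mem, 0, key, line) && !fetch_block(mem, 1, key, line);
}

int main(void) { return demo_tamper_detected() ? 0 : 1; }
```
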
Preliminary Results: Methodology
- SPEC CPU2000 benchmarks
- SIGTB, SIGEB: functional trace-driven simulator
- SIGEC: modified SimpleScalar sim-outorder
- latency due to additional memory accesses
- latency due to TLB misses
- L1 cache: 32K, 64B line, 4 way, LRU
- Code expansion effects: not included

Preliminary Results: Measures
- SIGTB: Number of IBST misses
  - IBST miss causes additional memory accesses
- SIGEB: Number of cache misses
  - Signatures are fetched into cache with instructions
- SIGEC: IPC

Preliminary Results: SIGTB
[Chart]

Preliminary Results: SIGEB
[Chart]

Preliminary Results: SIGEC
[Chart]

Pros & Cons
Columns: Compiler support; Hardware complexity; Performance overhead; Crypto security; Cache-less; ISA change
- SIGEB: Yes, Low, Medium to high, Medium, Yes
- SIGEC: No, Low, Medium, No
- SIGTB: Yes, Medium, High, Yes, No
- SIGTC: No, Medium, Low to medium, High, No

Conclusion
- Contributions:
  - Proposal of an architecture for trusted program execution
  - Three implementations of the proposed extensions
  - Initial performance evaluation: promising
- Future work
  - Cycle-by-cycle detailed simulation
  - The effects of signature decryption and context switching
  - Power analysis