Automated software attack recovery using rollback and huddle

Abstract

While research into building robust and survivable networks has steadily intensified in recent years, similar efforts at the application level and below have focused primarily on attack discovery, ignoring the larger issue of how to gracefully recover from an intrusion at that level. Our work attempts to bridge this gap between theory and practice through the introduction of a new architectural technique, which we call rollback and huddle. Inspired by concepts made popular in the world of software debugging, we propose the inclusion of extra on-chip hardware for the efficient storage and tracing of execution contexts. Upon the detection of a software protection violation, the application is restarted at the last known safe checkpoint (the rollback part). During this deterministic replay, an additional hardware/software module is loaded that can increase the level of system monitoring, log more detailed information about the attack source, and potentially institute a live patch of the vulnerable part of the software executable (the huddle part). Our experimental results show that this approach could have a practical impact on modern computing system architectures, by allowing for the inclusion of low-overhead software security features while at the same time incorporating an ability to gracefully recover from attack.
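The abstract describes a control loop rather than an algorithm: checkpoint periodically, detect a protection violation, roll back, replay deterministically with extra monitoring, then patch and continue. The following toy model is an added example and is not the paper's code or its hardware design. It assumes, as stand-ins for the paper's on-chip mechanisms, a shadow-stack check as the protection-violation detector, per-write tracing as the extra "huddle" monitor, and a bounds clamp at the attributed write site as the live patch; the request log, memory layout, `copy_request` site name and `HANDLER_RET` value are all constructed for the example.

```python
"""Toy model of rollback-and-huddle recovery (added example, not the paper's code).

A tiny machine with a flat memory array runs a constructed request handler that
copies each request into a fixed-size buffer below the saved return address.
A shadow stack (standing in for hardware protection) checks every return.  The
full machine state is snapshotted every CHECKPOINT_EVERY requests.  On a
violation the model rolls back to the last checkpoint and replays the recorded
requests in "huddle" mode, which traces every memory write, attributes the
corrupted slot to a write site, installs a bounds-check patch there, rolls back
once more and continues past the point of attack.
"""
import copy
from dataclasses import dataclass, field

MEM_SIZE = 64
RET_SLOT = 40          # stack slot holding the handler's saved return address
BUF_SIZE = 8           # handler's local buffer: mem[RET_SLOT-BUF_SIZE : RET_SLOT]
HANDLER_RET = 0x1000   # hypothetical return address (never a valid byte value)
CHECKPOINT_EVERY = 3   # requests between checkpoints


class ProtectionViolation(Exception):
    """Raised by the shadow-stack check when a saved return address was modified."""


@dataclass
class Machine:
    mem: list = field(default_factory=lambda: [0] * MEM_SIZE)
    shadow_stack: list = field(default_factory=list)
    next_input: int = 0                         # index of the next request to consume
    results: list = field(default_factory=list)  # outputs are part of the checkpointed state
    huddle: bool = False                        # enhanced monitoring during replay
    trace: list = field(default_factory=list)   # (write site, address) pairs, huddle only
    patches: set = field(default_factory=set)   # write sites with a live bounds check

    def write(self, addr, value, site):
        if self.huddle:
            self.trace.append((site, addr))
        self.mem[addr] = value

    def call(self, ret):
        self.mem[RET_SLOT] = ret
        self.shadow_stack.append(ret)

    def ret(self):
        expected = self.shadow_stack.pop()
        if self.mem[RET_SLOT] != expected:
            raise ProtectionViolation(RET_SLOT)

    def handle(self, request: bytes):
        """Constructed vulnerable handler: copies a request into a fixed buffer."""
        self.call(HANDLER_RET)
        site = "copy_request"
        n = len(request)
        if site in self.patches:
            n = min(n, BUF_SIZE)   # live patch installed by the huddle phase
        for i in range(n):
            self.write(RET_SLOT - BUF_SIZE + i, request[i], site)
        self.ret()
        self.results.append(bytes(self.mem[RET_SLOT - BUF_SIZE:RET_SLOT]))


def attribute(trace, addr):
    """Return the write site of the most recent traced write to the corrupted address."""
    return next(site for site, a in reversed(trace) if a == addr)


def execute(inputs):
    """Process requests with checkpoint/rollback recovery; returns (results, log)."""
    log = []
    m = Machine()
    checkpoint = copy.deepcopy(m)
    huddle_until = None            # request index at which the violation was first seen
    while m.next_input < len(inputs):
        if not m.huddle and m.next_input % CHECKPOINT_EVERY == 0:
            checkpoint = copy.deepcopy(m)
        try:
            m.handle(inputs[m.next_input])
            m.next_input += 1
        except ProtectionViolation as v:
            if m.huddle:
                # Replay reached the same violation with tracing on: attribute and patch.
                site = attribute(m.trace, v.args[0])
                if site in checkpoint.patches:
                    raise RuntimeError(f"patch at {site!r} did not stop the violation")
                log.append(f"huddle: write site {site!r} clobbered slot {v.args[0]}; patching")
                checkpoint.patches.add(site)
            else:
                log.append(f"violation at input {m.next_input}; rollback to {checkpoint.next_input}")
                huddle_until = m.next_input
            m = copy.deepcopy(checkpoint)   # rollback: restore the last safe state
            m.huddle = True                 # ...and replay under enhanced monitoring
        if m.huddle and huddle_until is not None and m.next_input > huddle_until:
            m.huddle, m.trace = False, []   # past the attack point: back to normal mode
    return m.results, log


if __name__ == "__main__":
    # Constructed request log: the third request is longer than the buffer.
    results, log = execute([b"hello", b"ok", b"A" * 12, b"bye", b"last"])
    for line in log:
        print(line)
    print(results)
```

Two details of the model carry over to a real design. First, the handler's outputs (`results`) are part of the snapshot, so the rollback discards the partial effects of the requests it re-executes; anything externally visible that cannot be undone has to be buffered until the next checkpoint. Second, the huddle phase only works because replay is deterministic: the same request log reproduces the same corrupting write, which is what lets the trace pin the violation to a specific write site before the patch is applied.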

Corresponding author

Correspondence to Joseph Zambreno.

Cite this article

Sathre, J., Zambreno, J. Automated software attack recovery using rollback and huddle. Des Autom Embed Syst 12, 243–260 (2008). https://doi.org/10.1007/s10617-008-9020-4

Keywords

  • Attack detection
  • Checkpoint and rollback
  • Buffer overflows
  • Hardware support