
Gadget Weighted Tagging: A Flexible Framework to Protect Against Code Reuse Attacks

  • Liwei Chen
  • Mengyu Ma
  • Wenhao Zhang
  • Gang Shi
  • Dan Meng
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 502)

Abstract

The code reuse attack (CRA) has become one of the most common attack methods. In this paper, we propose gadget weighted tagging (GWT), a flexible framework to protect against CRAs. In GWT, we first find all possible gadgets that could be used in CRAs. We then attach weighted tags to these gadgets based on their lengths and types; the weight values are configurable. Finally, GWT monitors the weighted tag information at runtime to detect and prevent CRAs. Furthermore, when combined with rule-based CFI, GWT+CFI can precisely identify gadget starts and greatly reduces the number of possible gadgets compared to the baseline GWT. We implement a hardware/software co-design framework to support GWT and GWT+CFI. The results show that the performance overheads of GWT and GWT+CFI are 2.31% and 3.55% respectively, and that GWT can defeat variants of CRAs, especially those generated by automated tools.
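As an added illustration, not code from the paper or the authors' hardware/software framework, the following Python model mirrors the two phases the abstract describes: a static phase that assigns each candidate gadget a configurable weight from its length and branch type, and a runtime phase that sums the tags of recently taken indirect-branch targets and raises an alert when the score crosses a threshold. The weight table, window size, threshold and all addresses are assumptions constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass

# Configurable per-type weights (assumption): ret-terminated gadgets are the
# classic ROP building block, so they carry the highest weight.
DEFAULT_TYPE_WEIGHT = {"ret": 3, "jmp": 2, "call": 1}

@dataclass(frozen=True)
class Gadget:
    addr: int      # address of the gadget's first instruction
    length: int    # instructions up to and including the indirect branch
    kind: str      # type of the terminating indirect branch

def gadget_weight(g, type_weight=DEFAULT_TYPE_WEIGHT, max_len=5):
    """Weighted tag: short gadgets of risky types score high; anything longer
    than max_len is treated as normal code and tagged 0."""
    if g.length > max_len:
        return 0
    return type_weight.get(g.kind, 0) * (max_len - g.length + 1)

def build_tag_table(gadgets, type_weight=DEFAULT_TYPE_WEIGHT, max_len=5):
    """Static phase: map every candidate gadget address to its weighted tag."""
    return {g.addr: gadget_weight(g, type_weight, max_len) for g in gadgets}

class GWTMonitor:
    """Runtime phase: sum the tags of the last `window` indirect-branch targets
    and flag a chain whose score exceeds `threshold`."""
    def __init__(self, tags, window=6, threshold=20):
        self.tags, self.threshold = tags, threshold
        self.recent = deque(maxlen=window)

    def observe(self, target):
        # A target that is not a gadget start has tag 0 and dilutes the window.
        self.recent.append(self.tags.get(target, 0))
        return sum(self.recent) > self.threshold

def first_alert(tags, trace, window=6, threshold=20):
    """Index of the first branch at which the monitor raises an alert, or -1."""
    mon = GWTMonitor(tags, window, threshold)
    for i, target in enumerate(trace):
        if mon.observe(target):
            return i
    return -1

# Constructed sample data: addresses and gadget shapes are made up.
GADGETS = [Gadget(0x1000, 2, "ret"), Gadget(0x1010, 1, "ret"),
           Gadget(0x1020, 3, "jmp"), Gadget(0x1030, 8, "ret")]
TAGS = build_tag_table(GADGETS)   # {0x1000: 12, 0x1010: 15, 0x1020: 6, 0x1030: 0}
NORMAL_TRACE = [0x2000, 0x1000, 0x2100, 0x2200, 0x1030, 0x2300, 0x2400]
CHAIN_TRACE = [0x2000, 0x1000, 0x1010, 0x1020, 0x1000, 0x1010]
```

Lowering the threshold makes the monitor flag the chain earlier but also trips on the normal trace's single short gadget, which is the configuration trade-off the abstract's "configurable weights" leave to the deployer.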

Keywords

Code Length, Weighted Score, Performance Overhead, Normal Program, Normal Code

Notes

Acknowledgement

This work is partially supported by the National Natural Science Foundation of China (No. 61602469).


Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Liwei Chen (1, 2)
  • Mengyu Ma (1, 2)
  • Wenhao Zhang (1, 2)
  • Gang Shi (1, 2)
  • Dan Meng (1, 2)
  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. University of Chinese Academy of Sciences, Beijing, China
