
Efficient and Practical Control Flow Monitoring for Program Security

  • Nai Xia
  • Bing Mao
  • Qingkai Zeng
  • Li Xie
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4435)

Abstract

Control-hijacking attacks are critical threats to software security, and control flow monitoring is an important method for mitigating them. In this paper, we present a new method for program control flow monitoring. Based on static analysis of a program, we apply very simple instrumentation to the program’s source code to encode its runtime function-level control flow traces, and we check the correctness of those traces in the OS kernel. Experiments show that this method has a tiny performance impact while remaining highly effective at detecting control-hijacking attacks. We also propose to handle non-standard control flow automatically by learning from programs’ dynamic profiling data. We expect our method to be enforceable in different environments, because it does not depend closely on specific platform features and the underlying techniques are readily available on many platforms.
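The abstract describes three pieces: a static call graph of permitted caller/callee edges, source-level instrumentation that records function-level enter/exit events, and a checker (in the paper, kernel-side) that validates the recorded trace, with profiling-derived edges filling in non-standard flow the static analysis cannot resolve. The following toy model is an added illustration of that pipeline, not the paper's implementation: the call graph, the learned edge set, the instrumented functions and the traces are all constructed here, and the checker runs in user space rather than in the kernel.

```python
"""Toy function-level control-flow monitor (added illustration, not the
paper's code). A static call graph lists permitted caller->callee edges;
a decorator stands in for source instrumentation and records enter/exit
events; check_trace() stands in for the kernel-side check and validates
each event against the graph and a shadow stack of expected returns."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed static call graph: caller -> callees it may invoke.
STATIC_CALL_GRAPH: Dict[str, Set[str]] = {
    "main": {"parse_request", "handle"},
    "parse_request": {"copy_field"},
    "handle": {"log"},
    "copy_field": set(),
    "log": set(),
}

# Constructed set of edges learned from dynamic profiling, standing in for
# non-standard flow (e.g. a callback) that static analysis could not resolve.
LEARNED_EDGES: FrozenSet[Tuple[str, str]] = frozenset({("handle", "copy_field")})

Event = Tuple[str, str]  # ("enter" | "exit", function name)


def check_trace(events: List[Event], graph: Dict[str, Set[str]],
                learned: FrozenSet[Tuple[str, str]] = frozenset(),
                entry: str = "main") -> Tuple[bool, str]:
    """Validate a trace of enter/exit events.

    Every call must be an edge of the static graph or a learned edge, and
    every exit must match the most recent enter (a corrupted return address
    or a hijacked indirect call shows up as a violation of one of the two)."""
    stack: List[str] = []  # shadow stack of currently active functions
    for i, (kind, fn) in enumerate(events):
        if kind == "enter":
            if not stack:
                if fn != entry:
                    return False, f"event {i}: trace must start in {entry}, not {fn}"
            else:
                caller = stack[-1]
                if fn not in graph.get(caller, set()) and (caller, fn) not in learned:
                    return False, f"event {i}: illegal call edge {caller} -> {fn}"
            stack.append(fn)
        elif kind == "exit":
            if not stack or stack[-1] != fn:
                return False, f"event {i}: exit from {fn} does not match shadow stack"
            stack.pop()
        else:
            return False, f"event {i}: unknown event kind {kind!r}"
    return True, "trace consistent with call graph"


TRACE: List[Event] = []


def monitored(fn):
    """Stand-in for source instrumentation: record enter/exit around fn."""
    def wrapper(*args, **kwargs):
        TRACE.append(("enter", fn.__name__))
        try:
            return fn(*args, **kwargs)
        finally:
            TRACE.append(("exit", fn.__name__))
    wrapper.__name__ = fn.__name__
    return wrapper


# Constructed sample program whose real call structure matches the graph.
@monitored
def copy_field(s: str) -> str:
    return s[:8]

@monitored
def log(msg: str) -> int:
    return len(msg)

@monitored
def parse_request(req: str) -> str:
    return copy_field(req)

@monitored
def handle(field: str) -> int:
    return log(field)

@monitored
def main(req: str) -> int:
    return handle(parse_request(req))


def run_benign(req: str = "GET /index") -> Tuple[bool, str]:
    """Run the instrumented program and check the trace it produced."""
    TRACE.clear()
    main(req)
    return check_trace(list(TRACE), STATIC_CALL_GRAPH, LEARNED_EDGES)


def hijacked_trace() -> List[Event]:
    """Constructed trace in which control reaches log() directly from
    copy_field(): an edge neither the static graph nor profiling contains."""
    return [("enter", "main"), ("enter", "parse_request"),
            ("enter", "copy_field"), ("enter", "log")]


if __name__ == "__main__":
    print(run_benign())
    print(check_trace(hijacked_trace(), STATIC_CALL_GRAPH, LEARNED_EDGES))
```

The learned edge set shows the abstract's second idea: `handle -> copy_field` is rejected on the static graph alone but accepted once profiling has added it, so the trade-off between false alarms on unresolved indirect calls and the precision of the check is visible in one place.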

Keywords

Control Flow; Dynamic Profiling; Program Vulnerability; Source Code Instrumentation; Static Analysis



Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Nai Xia (1)
  • Bing Mao (1)
  • Qingkai Zeng (1)
  • Li Xie (1)
  1. State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China
