UnderTracker: Binary Hardening Through Execution Flow Verification

  • Rajesh Shrivastava
  • Chittaranjan Hota
  • Govind Mittal
  • Zahid Akhtar
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1186)

Abstract

Programs are developed in a manner so that they execute and fulfill their intended purpose. In doing so, programmers trust the language to help them achieve their goals. Binary hardening is one such concept, which prevents program behavior deviation and conveys the intention of the programmer. Therefore, to maintain the integrity of the program, measures need to be taken to prevent code-tampering. The proposed approach enforces code verification from instruction-to-instruction by using the programmer’s intended control flow. UnderTracker enforces execution flow at the instruction cache by utilizing the read-only data-cache available in the program. The key idea is to place a control transfer code in data-cache and to call it from instruction cache via labels. UnderTracker injects labels into the binary without affecting the semantics of the program. After the code execution starts, it verifies every control point’s legality before passing the control to the next instruction, by passively monitoring the execution flow. This paper proposes an efficient technique, called UnderTracker, to strengthen the binary integrity of an I/O intensive running program, with the nominal overhead of only 5–6% on top of the normal execution.

Keywords

Superblock, Execution flow verification, Systems security

Notes

Acknowledgement

This work is supported by the Ministry of Electronics and Information Technology (MeitY), Govt. of India and the Netherlands Organization for Scientific research (NWO), Netherlands.

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Rajesh Shrivastava (1)
  • Chittaranjan Hota (1)
  • Govind Mittal (2)
  • Zahid Akhtar (3)

  1. Birla Institute of Technology and Science, Pilani, Hyderabad Campus, Hyderabad, India
  2. Birla Institute of Technology and Science, Pilani, India
  3. University of Memphis, Memphis, USA