Abstract
Control-flow hijacking attacks are a very dangerous threat to software security in that they can hijack the programs execution to execute malicious code. There have been many solutions proposed for countering these attacks, but majority of them suffer from the following limitations: (1) Some methods could be bypassed by advanced code reuse attacks; (2) Some methods will incur considerable performance cost; (3) Some methods need to modify the target program. To address these problems, we present APIdefender, a kernel-based solution to defeat control-flow attacks. Our method is compatible with the existing software and hardware. The basic idea of our approach is to confine the sensitive API invocations by comparing the invocation context with the baseline information that is obtained by offline analysis. To perform the run-time enforcement for the API invocations, we leverage some commodity hardware features. The experiments show that APIdefender can detect malicious API invocations effectively with a little performance overhead.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
The exploit database (2015). http://www.exploit-db.com/
Ropgadget (2015). http://shell-storm.org/project/ROPgadget/
Abadi, M., Budiu, M., Erlingsson, l., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security, CCS 2005, Alexandria, VA, USA, pp. 340–353, November 2005. doi:10.1145/1102120.1102165
Backes, M., Rnberger, S.: Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: USENIX Conference on Security Symposium, pp. 433–447 (2014)
Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: Twenty-Seventh Computer Security Applications Conference, ACSAC 2011, Orlando, FL, USA, pp. 353–362, 5–9 December 2011. doi:10.1145/2076732.2076783
Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: USENIX Symposium on Operating Systems Design and Implementation, OSDI, San Diego, California, USA, Proceedings, pp. 209–224, 8–10 December 2008
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: Drop: detecting return-oriented programming malicious code. In: International Conference on Information Systems Security, ICISS 2009, Kolkata, India, Proceedings, pp. 163–177, 14–18 December 2009. doi:10.1007/978-3-642-10772-6_13
Chen, Y., Wang, Z., Whalley, D., Lu, L.: Remix: on-demand live randomization. In: ACM Conference on Data and Application Security and Privacy, pp. 50–61 (2016). doi:10.1145/2857705.2857726
Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.H.: Ropecker: a generic and practical approach for defending against ROP attacks. In: Network and Distributed System Security Symposium (2014). doi:10.14722/ndss.2014.23156
Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: IEEE Symposium on Security and Privacy, pp. 763–780 (2015). doi:10.1109/sp.2015.52
Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones (2012)
Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: Hafix: hardware-assisted flow integrity extension. In: Design Automation Conference, p. 74 (2015). doi:10.1145/2744769.2744847
Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, Hong Kong, China, pp. 40–51, March 2011. doi:10.1145/1966913.1966920
Gupta, A., Habibi, J., Kirkpatrick, M.S., Bertino, E.: Marlin: mitigating code reuse attacks using code randomization. IEEE Trans. Dependable Secure Comput. 12(3), 326–337 (2015). doi:10.1109/tdsc.2014.2345384
Jacobson, E.R., Bernat, A.R., Williams, W.R., Miller, B.P.: Detecting code reuse attacks with a model of conformant program execution. In: Jürjens, J., Piessens, F., Bielova, N. (eds.) ESSoS 2014. LNCS, vol. 8364, pp. 1–18. Springer, Cham (2014). doi:10.1007/978-3-319-04897-0_1
Kayaalp, M., Ozsoy, M., Ghazaleh, N.A., Ponomarev, D.: Efficiently securing systems from code reuse attacks. IEEE Trans. Comput. 63(5), 1144–1156 (2014). doi:10.1109/tc.2012.269
Li, J., Wang, Z., Bletsch, T., Srinivasan, D.: Comprehensive and efficient protection of Kernel control data. IEEE Trans. Inf. Forensics Secur. 6(4), 1404–1417 (2011). doi:10.1109/tifs.2011.2159712
Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS Symposium (2015). doi:10.14722/ndss.2015.23271
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Conference on Security, pp. 447–462 (2013)
van der Veen, V., Andriesse, D., Göktaş, E., Gras, B., Sambuc, L., Slowinska, A., Bos, H., Giuffrida, C.: Patharmor: practical context-sensitive CFI. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 927–940, CCS 2015, NY, USA. ACM, New York (2015). doi:10.1145/2810103.2813673
Veen, V.V.D., Giuffrida, C., Goktas, E., Contag, M., Pawoloski, A., Chen, X., Rawat, S., Bos, H., Holz, T., Athanasopoulos, E.: A tough call: mitigating advanced code-reuse attacks at the binary level. In: Symposium on Security and Privacy, pp. 934–953 (2016). doi:10.1109/sp.2016.60
Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: ACM Conference on Computer and Communications Security, pp. 157–168 (2012). doi:10.1145/2382196.2382216
Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 1–12 (2012). doi:10.1109/dsn.2012.6263958
Yutao, L., Peitao, S., Xinran, W., Haibo, C., Binyu, Z., Haibing, G.: Transparent and efficient CFI enforcement with intel processor trace. In: IEEE Symposium on High Performance Computer Architecture (2017). doi:10.1109/hpca.2017.18
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., Mccamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: IEEE Symposium on Security and Privacy. IEEE, pp. 559–573 (2013). doi:10.1109/sp.2013.44
Zhang, M., Sekar, R.: Control flow integrity for cots binaries. In: USENIX Conference on Security, pp. 337–352 (2013). doi:10.1145/2818000.2818016
Acknowledgments
This work was supported in part by National Natural Science Foundation of China (NSFC) under Grant No. 61602035, the National Key R&D Program of China under Grant No. 2016YFB0800700, the Opening Project of Shanghai Key Laboratory of Integrated Administration Technologies for Information Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Tian, D., Qi, D., Zhan, L., Yin, Y., Hu, C., Xue, J. (2017). A Practical Method to Confine Sensitive API Invocations on Commodity Hardware. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-64701-2_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer ScienceComputer Science (R0)