Branch Regulation: Low-Overhead Protection from Code Reuse Attacks


Branch Regulation: Low-Overhead Protection from Code Reuse Attacks, in Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12), June 2012.

Transcript of Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Page 1: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Page 2: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Paper Information

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

In Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12), June 2012.

Authors: Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev

Department of Computer Science, State University of New York at Binghamton

Page 3: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Abstract

• While software-based full control flow integrity (CFI) checking can protect against CRAs (Code Reuse Attacks), it incurs significant overhead

• We propose branch regulation (BR), a lightweight hardware-supported protection mechanism against CRAs that addresses all limitations of software CFI

Page 4: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : CRA (Code Reuse Attack)

Page 5: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : ROP (Return-Oriented Programming) attack

• One of the most common CRAs.

• The attacker must identify gadgets, which are sequences of instructions in the victim program (including any linked-in libraries, e.g. libc, libm) that end with a return.

Page 6: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : ROP (Return-Oriented Programming) attack

Page 7: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : JOP (Jump-Oriented Programming) attack

• A new class of code-reuse attack

• Thwarts certain anti-ROP defenses (anti-ROP defenses check only the stack pointer value)

• JOP uses instruction sequences ending with an indirect jump or call

• Instead of the stack, it uses a dispatcher table to jump to different locations

• No known defenses against ROP prevent JOP attacks; there is a critical need for techniques that prevent JOP attacks with low overhead.

Page 8: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : Comparison between ROP and JOP

Page 9: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Background Knowledge : CFI (Control Flow Integrity)

This is a powerful defense mechanism

– Control-Flow Integrity (CFI)

• Execution of a program dynamically follows only certain paths, in accordance with a static policy (a Control-Flow Graph)

• Dynamic checks & machine code rewriting

– Control-Flow Graph (CFG)

• Defined by analysis ahead of time

– source code analysis, binary analysis, execution profiling

Enforcing full CFI at the branch level should completely protect from ROP and JOP attacks, but CFI shows a 22% performance loss for a larger set of benchmarks from the SPEC 2006 suite

Page 10: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation (BR)

• A technique that defends against CRAs by enforcing simple control flow invariants present in function-based programming languages.

• By providing simple hardware

• BR works by enforcing 3 rules (RET, Indirect JMP, CALL)

Page 11: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation (BR) – Enforcing BR Rules

Unintended Branches

Page 12: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation (BR) – Why Hardware ?

1. for performance (binary size and execution time)

2. More importantly for security reasons

• An unintended branch will not appear in the CFG and will not be checked by the software CFI implementation

Page 13: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation (BR) – Unintended Branch Example

Page 14: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

BR Implementation Details - Architectural Support for BR

• BR checks are performed in hardware.

Page 15: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Performance Evaluation of BR (1)

• Look inside

Page 16: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Performance Evaluation of BR (2)

• Look inside

Page 17: Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Conclusion

• In this paper, we presented Branch Regulation (BR), a new low-overhead defense mechanism against Code Reuse Attacks (CRAs).

• BR limits the target addresses of branches to be either within the same function or at the start of another function

• It reduces the ability of the attacker to find exploitable gadgets needed for the CRA with small overhead (2% performance loss, about 1% binary size increase)
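
The target constraint stated in the conclusion can be modelled in software as follows. This is an added example, not code from the slides or the paper: the function table, names and addresses are constructed, and it models only the "same function or start of another function" check, not the hardware or the three per-instruction rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed function table: [start, end) ranges, sorted by start. */
typedef struct { uint64_t start, end; const char *name; } func_t;

static const func_t funcs[] = {
    {0x1000, 0x1040, "parse"},
    {0x1040, 0x10c0, "copy_buf"},
    {0x10c0, 0x1100, "cleanup"},
};
#define NFUNCS (sizeof funcs / sizeof funcs[0])

/* Binary search for the function containing addr; NULL if none. */
static const func_t *func_of(uint64_t addr) {
    size_t lo = 0, hi = NFUNCS;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < funcs[mid].start) hi = mid;
        else if (addr >= funcs[mid].end) lo = mid + 1;
        else return &funcs[mid];
    }
    return NULL;
}

/* Returns 1 if a branch from src to target satisfies the constraint,
 * 0 if it would be flagged as a violation. */
int br_allows(uint64_t src, uint64_t target) {
    const func_t *sf = func_of(src), *tf = func_of(target);
    if (!sf || !tf) return 0;       /* source or target outside known code */
    if (sf == tf) return 1;         /* stays within the same function */
    return target == tf->start;     /* otherwise must land on a function entry */
}

int main(void) {
    struct { uint64_t src, dst; } t[] = {
        {0x1010, 0x1030},   /* jump inside parse */
        {0x1020, 0x1040},   /* parse -> entry of copy_buf */
        {0x1020, 0x1077},   /* parse -> middle of copy_buf (gadget-style target) */
        {0x10d0, 0x2000},   /* cleanup -> address outside the table */
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%#llx -> %#llx: %s\n", (unsigned long long)t[i].src,
               (unsigned long long)t[i].dst,
               br_allows(t[i].src, t[i].dst) ? "allowed" : "violation");
    return 0;
}
```

Because the check depends only on where a branch starts and lands, it applies equally to branches that do not appear in the compiler's CFG, which is the case the "Why Hardware?" slide raises against software CFI.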