TY - GEN
T1 - Enforcing system-wide control flow integrity for exploit detection and diagnosis
AU - Prakash, Aravind
AU - Yin, Heng
AU - Liang, Zhenkai
PY - 2013
Y1 - 2013
N2 - Modern malware like Stuxnet is complex and exploits multiple vulnerabilities in not only the user-level processes but also the OS kernel to compromise a system. A main trait of such exploits is manipulation of control flow. There is a pressing need to diagnose such exploits. Existing solutions that monitor control flow either have large overhead or high false positives and false negatives, hence making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest OS view reconstruction to identify key guest kernel semantics like processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries for different threads in the system. Furthermore, Total-CFI enforces a CFI policy, a combination of whitelist-based and shadow-call-stack-based approaches, to monitor indirect control flows and detect exploits. We provide a proof-of-concept implementation of Total-CFI on DECAF, built on top of Qemu. We tested 25 commonly used programs and 7 recent real-world exploits on Windows OS and found 0 false positives and 0 false negatives respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was found to be 7.46KB per loaded module, making it feasible for hardware integration.
AB - Modern malware like Stuxnet is complex and exploits multiple vulnerabilities in not only the user-level processes but also the OS kernel to compromise a system. A main trait of such exploits is manipulation of control flow. There is a pressing need to diagnose such exploits. Existing solutions that monitor control flow either have large overhead or high false positives and false negatives, hence making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest OS view reconstruction to identify key guest kernel semantics like processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries for different threads in the system. Furthermore, Total-CFI enforces a CFI policy, a combination of whitelist-based and shadow-call-stack-based approaches, to monitor indirect control flows and detect exploits. We provide a proof-of-concept implementation of Total-CFI on DECAF, built on top of Qemu. We tested 25 commonly used programs and 7 recent real-world exploits on Windows OS and found 0 false positives and 0 false negatives respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was found to be 7.46KB per loaded module, making it feasible for hardware integration.
KW - exploit detection
KW - exploit diagnosis
KW - software security
KW - virtual machine introspection
KW - vulnerability detection
UR - http://www.scopus.com/inward/record.url?scp=84877996319&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84877996319&partnerID=8YFLogxK
U2 - 10.1145/2484313.2484352
DO - 10.1145/2484313.2484352
M3 - Conference contribution
AN - SCOPUS:84877996319
SN - 9781450317672
T3 - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
SP - 311
EP - 322
BT - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
T2 - 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013
Y2 - 8 May 2013 through 10 May 2013
ER -