CFIMon:使用性能计数器检测控制流完整性的违反

IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012) Pub Date : 2012-06-25 DOI:10.1109/DSN.2012.6263958

Yubin Xia, Yutao Liu, Haibo Chen, B. Zang

{"title":"CFIMon:使用性能计数器检测控制流完整性的违反","authors":"Yubin Xia, Yutao Liu, Haibo Chen, B. Zang","doi":"10.1109/DSN.2012.6263958","DOIUrl":null,"url":null,"abstract":"Many classic and emerging security attacks usually introduce illegal control flow to victim programs. This paper proposes an approach to detecting violation of control flow integrity based on hardware support for performance monitoring in modern processors. The key observation is that the abnormal control flow in security breaches can be precisely captured by performance monitoring units. Based on this observation, we design and implement a system called CFIMon, which is the first non-intrusive system that can detect and reason about a variety of attacks violating control flow integrity without any changes to applications (either source or binary code) or requiring special-purpose hardware. CFIMon combines static analysis and runtime training to collect legal control flow transfers, and leverages the branch tracing store mechanism in commodity processors to collect and analyze runtime traces on-the-fly to detect violation of control flow integrity. Security evaluation shows that CFIMon has low false positives or false negatives when detecting several realistic security attacks. Performance results show that CFIMon incurs only 6.1% performance overhead on average for a set of typical server applications.","PeriodicalId":236791,"journal":{"name":"IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-06-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"193","resultStr":"{\"title\":\"CFIMon: Detecting violation of control flow integrity using performance counters\",\"authors\":\"Yubin Xia, Yutao Liu, Haibo Chen, B. Zang\",\"doi\":\"10.1109/DSN.2012.6263958\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Many classic and emerging security attacks usually introduce illegal control flow to victim programs. This paper proposes an approach to detecting violation of control flow integrity based on hardware support for performance monitoring in modern processors. The key observation is that the abnormal control flow in security breaches can be precisely captured by performance monitoring units. Based on this observation, we design and implement a system called CFIMon, which is the first non-intrusive system that can detect and reason about a variety of attacks violating control flow integrity without any changes to applications (either source or binary code) or requiring special-purpose hardware. CFIMon combines static analysis and runtime training to collect legal control flow transfers, and leverages the branch tracing store mechanism in commodity processors to collect and analyze runtime traces on-the-fly to detect violation of control flow integrity. Security evaluation shows that CFIMon has low false positives or false negatives when detecting several realistic security attacks. Performance results show that CFIMon incurs only 6.1% performance overhead on average for a set of typical server applications.\",\"PeriodicalId\":236791,\"journal\":{\"name\":\"IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012)\",\"volume\":\"37 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-06-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"193\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSN.2012.6263958\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2012.6263958","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 193

摘要

许多经典的和新兴的安全攻击通常会向受害程序引入非法控制流。本文提出了一种基于硬件支持性能监控的现代处理器控制流完整性检测方法。关键的观察结果是，性能监控单元可以精确地捕获安全漏洞中的异常控制流。基于这种观察，我们设计并实现了一个名为CFIMon的系统，它是第一个非侵入式系统，可以检测和推断违反控制流完整性的各种攻击，而无需更改应用程序(无论是源代码还是二进制代码)，也不需要特殊用途的硬件。CFIMon结合静态分析和运行时训练来收集合法的控制流转移，并利用商品处理器中的分支跟踪存储机制来实时收集和分析运行时跟踪，以检测违反控制流完整性的行为。安全评估表明，CFIMon在检测多种实际安全攻击时具有较低的假阳性或假阴性。性能结果表明，对于一组典型的服务器应用程序，CFIMon平均只带来6.1%的性能开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

CFIMon: Detecting violation of control flow integrity using performance counters

Many classic and emerging security attacks usually introduce illegal control flow to victim programs. This paper proposes an approach to detecting violation of control flow integrity based on hardware support for performance monitoring in modern processors. The key observation is that the abnormal control flow in security breaches can be precisely captured by performance monitoring units. Based on this observation, we design and implement a system called CFIMon, which is the first non-intrusive system that can detect and reason about a variety of attacks violating control flow integrity without any changes to applications (either source or binary code) or requiring special-purpose hardware. CFIMon combines static analysis and runtime training to collect legal control flow transfers, and leverages the branch tracing store mechanism in commodity processors to collect and analyze runtime traces on-the-fly to detect violation of control flow integrity. Security evaluation shows that CFIMon has low false positives or false negatives when detecting several realistic security attacks. Performance results show that CFIMon incurs only 6.1% performance overhead on average for a set of typical server applications.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012)

自引率

0.00%

发文量