Please use this identifier to cite or link to this item:
|Title:||Enforcing system-wide control flow integrity for exploit detection and diagnosis|
virtual machine introspection
|Source:||Prakash, A.,Yin, H.,Liang, Z. (2013). Enforcing system-wide control flow integrity for exploit detection and diagnosis. ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security : 311-322. ScholarBank@NUS Repository. https://doi.org/10.1145/2484313.2484352|
|Abstract:||Modern malware like Stuxnet is complex and exploits multiple vulnerabilites in not only the user level processes but also the OS kernel to compromise a system. A main trait of such exploits is manipulation of control flow. There is a pressing need to diagnose such exploits. Existing solutions that monitor control flow either have large overhead or high false positives and false negatives, hence making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest OS view reconstruction to identify key guest kernel semantics like processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries for different threads in the system. Furthermore, Total-CFI enforces a CFI policy - a combination of whitelist based and shadow call stack based approaches to monitor indirect control flows and detect exploits. We provide a proof-of-concept implementation of Total-CFI on DECAF, built on top of Qemu. We tested 25 commonly used programs and 7 recent real world exploits on Windows OS and found 0 false positives and 0 false negatives respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was found to be 7.46KB per loaded module, making it feasible for hardware integration. © 2013 ACM.|
|Source Title:||ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security|
|Appears in Collections:||Staff Publications|
Show full item record
Files in This Item:
There are no files associated with this item.
checked on Mar 7, 2018
checked on Apr 20, 2018
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.