Please use this identifier to cite or link to this item: https://doi.org/10.1145/2484313.2484352
Title: Enforcing system-wide control flow integrity for exploit detection and diagnosis
Authors: Prakash, A.
Yin, H.
Liang, Z. 
Keywords: exploit detection
exploit diagnosis
software security
virtual machine introspection
vulnerability detection
Issue Date: 2013
Source: Prakash, A.,Yin, H.,Liang, Z. (2013). Enforcing system-wide control flow integrity for exploit detection and diagnosis. ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security : 311-322. ScholarBank@NUS Repository. https://doi.org/10.1145/2484313.2484352
Abstract: Modern malware like Stuxnet is complex and exploits multiple vulnerabilites in not only the user level processes but also the OS kernel to compromise a system. A main trait of such exploits is manipulation of control flow. There is a pressing need to diagnose such exploits. Existing solutions that monitor control flow either have large overhead or high false positives and false negatives, hence making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest OS view reconstruction to identify key guest kernel semantics like processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries for different threads in the system. Furthermore, Total-CFI enforces a CFI policy - a combination of whitelist based and shadow call stack based approaches to monitor indirect control flows and detect exploits. We provide a proof-of-concept implementation of Total-CFI on DECAF, built on top of Qemu. We tested 25 commonly used programs and 7 recent real world exploits on Windows OS and found 0 false positives and 0 false negatives respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was found to be 7.46KB per loaded module, making it feasible for hardware integration. © 2013 ACM.
Source Title: ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
URI: http://scholarbank.nus.edu.sg/handle/10635/78125
ISBN: 9781450317672
DOI: 10.1145/2484313.2484352
Appears in Collections:Staff Publications

Show full item record
Files in This Item:
There are no files associated with this item.

SCOPUSTM   
Citations

13
checked on Mar 7, 2018

Page view(s)

48
checked on Apr 20, 2018

Google ScholarTM

Check

Altmetric


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.