Constructing trustworthy computer systems requires validating that every executed piece of code is genuine and that the programs do exactly what they are supposed to do. However, pre-execution code integrity validations can fail to detect run-time compromises, such as code injection, return and jump-oriented programming, and illegal linking of code to compromised library functions. In this dissertation, we propose and investigate three distinct mechanisms for authenticating code execution at run-time. The common goal of these techniques is to detect run-time compromises, irrespective of the specific type of attack that may have been carried out. Thus, these solutions are universal and are in sharp contrast to piecemeal solutions that have been proposed to detect specific types of attacks that compromise execution.
Our first technique does not rely on specialized hardware support within the platform and uses a challenge-response mechanism to verify the signature of the execution program running on a remote host. The execution signature at randomly chosen points in the code is verified against a reference. This technique is limited in its use of run time modifications of the binary and has a high execution overhead. Our next technique attempts to avoid these limitations by performing run-time authentication of control flow by using existing hardware support in contemporary CPUs for branch tracing, a mechanism that was originally added to support debugging. As the program executes, its trace of taken branches, as logged by the tracing hardware is verified against a reference control flow graph, that has edges corresponding to control flow paths, by a separated and trusted control thread. The execution overhead for full authentication of the control flow path is considerable. However, used judiciously, this mechanism can authenticate the full control flow path in critical functions, such as frequent systems calls, with a reasonably low execution overhead, as low as 20% of 30%. This technique does not require any modification of the binaries, so reentrancy is ensured.
The final mechanism for execution recognizes and addresses the need for full execution authentication with a low overhead, where both code integrity and control flow integrity are simultaneously validated. This mechanism, called REV (Run-time Execution Validator) can be retrofitted into an existing out-of-order CPU pipeline. Prior to presenting REV, we also formulate the ideal requirements of a mechanism for authenticating execution and use it later to see if REV meets these requirements. REV not only authenticates the control flow path and instructions along the instructions along the execution path but it also prevents the results of compromised executions from propagating to memory. REV offers a scalable solution that handles multiple execution modules, irrespective of their sizes and does not require any binary modification, nor access to the source code. The assessment of REV using a cycle-accurate simulator shows that execution overhead is limited to an average of less than 2% on the SPEC benchmarks. REV thus meets all of the requirements of an ideal mechanism for authenticating code and control flow integrity at run-time.
|Commitee:||Fowler, Mark, Madden, Patrick, Yang, Ping|
|School:||State University of New York at Binghamton|
|School Location:||United States -- New York|
|Source:||DAI-B 75/01(E), Dissertation Abstracts International|
|Keywords:||Code integrity, Computer security, Control flow integrity, Execution authentication, Execution verification, Trusted systems|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be