Hardware-Assisted Application Misbehavior Detection
Abstract
Programming is an error-prone task, and programming errors surface as application misbehavior. From the safety point of view, crashes are undesirable because they degrade the user experience; from the security point of view, exploitation of the underlying vulnerabilities leads to security violations. Fuzzing and other testing techniques reduce the number of such events, but they do not eliminate them. As an additional protection layer, real-time monitoring can handle violations that testing did not catch. However, approaches such as Control Flow Integrity (CFI) are too specific to be extended to the general case. To overcome this challenge, we propose a hardware-assisted flow learning technique that profiles an application's normal execution flow and detects deviations from it, thus ensuring proper application execution.
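The profile-then-detect idea described above, as an added example that is not the paper's implementation: a monitor learns a control-flow profile from known-good branch traces and then reports two kinds of deviation in a monitored run, edges (source, target) never seen during profiling, and legitimate edges occurring in an order never seen. It assumes the monitor receives branch records as (source address, target address) pairs, the shape a processor branch-trace facility delivers; every address, function name, trace and the tolerance parameter below are constructed for illustration.

```python
"""Flow-learning anomaly detection over branch traces.

Added example, not the paper's implementation. Assumes branch records arrive
as (source_address, target_address) pairs; all addresses and traces here are
constructed and hypothetical.
"""
from collections import Counter, defaultdict

# Constructed taken branches of a hypothetical program (arbitrary addresses).
E_CALL_PARSE = (0x1000, 0x1100)   # main -> parse()
E_CALL_READ = (0x1108, 0x1200)    # parse() -> read_chunk()
E_RET_READ = (0x1210, 0x1100)     # read_chunk() returns into parse()
E_CALL_DONE = (0x1108, 0x1300)    # parse() -> finish()
E_RET_DONE = (0x1310, 0x1000)     # finish() returns into main

# Constructed known-good runs used to build the profile.
TRAINING_TRACES = [
    [E_CALL_PARSE, E_CALL_READ, E_RET_READ, E_CALL_DONE, E_RET_DONE],
    [E_CALL_PARSE, E_CALL_DONE, E_RET_DONE],
    [E_CALL_PARSE, E_CALL_READ, E_RET_READ, E_CALL_READ, E_RET_READ,
     E_CALL_DONE, E_RET_DONE],
]


class FlowProfile:
    """Learns which branch edges, and which consecutive edge pairs, a program
    exhibits during known-good runs; anything outside that is a deviation."""

    def __init__(self):
        self.successors = defaultdict(set)   # source -> set of seen targets
        self.edge_pairs = set()              # seen (edge_i, edge_i+1) pairs
        self.edge_counts = Counter()         # how often each edge was seen

    def learn(self, trace):
        for src, dst in trace:
            self.successors[src].add(dst)
            self.edge_counts[(src, dst)] += 1
        for a, b in zip(trace, trace[1:]):
            self.edge_pairs.add((a, b))

    def edge_deviations(self, trace):
        """Edges never seen in training: unknown source or unseen target.
        A hijacked return landing on an unseen address shows up here."""
        out = []
        for i, (src, dst) in enumerate(trace):
            if src not in self.successors:
                out.append((i, src, dst, "unknown branch source"))
            elif dst not in self.successors[src]:
                out.append((i, src, dst, "unseen target for known source"))
        return out

    def order_deviations(self, trace):
        """Consecutive edge pairs never seen in training, even when each edge
        on its own is legitimate (the case a per-edge CFI policy misses)."""
        return [(i, a, b) for i, (a, b) in enumerate(zip(trace, trace[1:]))
                if (a, b) not in self.edge_pairs]

    def is_misbehaving(self, trace, max_deviations=0):
        """Decision rule (assumed): flag the run once the total deviation count
        exceeds the tolerance. 0 is strict; raise it to absorb profile gaps."""
        total = len(self.edge_deviations(trace)) + len(self.order_deviations(trace))
        return total > max_deviations


def build_profile(traces=TRAINING_TRACES):
    profile = FlowProfile()
    for trace in traces:
        profile.learn(trace)
    return profile


# Constructed runs to monitor.
BENIGN_TRACE = [E_CALL_PARSE, E_CALL_READ, E_RET_READ, E_CALL_READ, E_RET_READ,
                E_CALL_DONE, E_RET_DONE]
# read_chunk()'s return is redirected to an address never seen (0x2000), and
# the next branch comes from that unknown region.
HIJACKED_TRACE = [E_CALL_PARSE, E_CALL_READ, (0x1210, 0x2000), (0x2008, 0x1100)]
# Every edge is legitimate, but finish() is entered and then read_chunk() is
# called from parse() without any branch back into parse(): impossible order.
REORDERED_TRACE = [E_CALL_PARSE, E_CALL_DONE, E_CALL_READ, E_RET_READ,
                   E_CALL_DONE, E_RET_DONE]

if __name__ == "__main__":
    profile = build_profile()
    for name, trace in [("benign", BENIGN_TRACE), ("hijacked", HIJACKED_TRACE),
                        ("reordered", REORDERED_TRACE)]:
        print(name, "edge:", profile.edge_deviations(trace),
              "order:", profile.order_deviations(trace),
              "misbehaving:", profile.is_misbehaving(trace))
```

The two levels matter for different reasons: the per-edge check is what a CFI-style policy enforces, while the edge-pair check catches a run that reuses only legitimate edges in an order the program cannot produce. The caveat a practitioner should keep in mind is that detection quality is bounded by profile coverage: a legitimate path that was never exercised during profiling looks exactly like a deviation, which is why a tolerance knob exists and why the profiling runs need to be as complete as the test campaign that precedes deployment.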