Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security
Authors: Roshan G. Ragel and Sri Parameswaran
Presented by: Arjun Prakash
Outline
• What is a Code Injection Attack?
• Related Work
• Motivation
• IMPRES Architecture: An Overview
• Software Instrumentation
• Code Injection Attack Detection
• Check-summing at Runtime
• Contributions and Limitations
• Code Integrity Violation Model
• Encryption Hardware
• Design Flow
• Evaluation
• Summary
Code Injection Attacks
Attacks that violate software integrity: the instructions of a running program are changed dynamically, with the intention of gaining access to the program, by inserting harmful instructions into the program stream. Vulnerability classes typically exploited for code injection:
• Format string vulnerabilities
• Stack based buffer overflows
• Heap based buffer overflows
• Dangling pointer references
47% of vulnerabilities reported from 1994-2004 were code injection.
Examples for Code Injection Attack (1): Return Address Overwriting

(a) Vulnerable code (strcpy performs no bounds check, so a str1 longer than L bytes overflows buffer):

    #define L 100

    int g(char *str1, char *str2) {
        /* ... */
        char buffer[L];
        /* ... */
        strcpy(buffer, str1);   /* copies str1 into buffer with no length check */
        /* ... */
    }

    int f() {
        /* ... */
        g(p, q);
        /* ... */
    }

(b) Stack layout: the stack grows from higher toward lower addresses. The frame of f() holds its local variables, the saved FP of f() and the return address of f(); above it sit the arguments arg0..argN passed to g(); the frame of g() holds buffer[0]..buffer[L-1] (buffer[0] at the lowest address), other local variables, the saved FP of g() and the return address of g().

(c) Return address overwriting: strcpy writes from buffer[0] toward higher addresses, so an overlong str1 fills buffer with malicious code and keeps writing over the other local variables, the saved FP of g() and the return address of g(). The corrupted return address points back into the injected code, which executes when g() returns.
Examples for Code Injection Attack (2): Heap Based Buffer Overflow

Figure (heap layout, lower addresses at the top): four heap segments, Segment0..Segment3, each headed by the size of the previous heap segment and its own size, followed by a next pointer, a prev pointer and the old user data. The overflow starts in the user data of Segment0 and runs upward through the header of Segment1 (size of previous segment, size of segment, next pointer, prev pointer), which is replaced by injected code and attacker-chosen metadata. A second panel shows the stack frame of the current function (local variables, saved frame pointer, return address; stack growth toward lower addresses, higher addresses at the bottom).
Related Work
Existing work on code injection detection can be categorized into:
• Software based
  – Static technique: detect the vulnerability at compile time (automated static code analysis)
  – Dynamic technique: methods to prove that the program behaves as expected at runtime; software constructs to prove program behavior
• Hardware based (usually attack specific)
  – Use of an additional co-processor
  – Additional co-processor and hardware tables
  – Embedded micro monitoring: micro-instruction routines that perform in-line security monitoring (only partial support)
Motivation

Solutions to code injection attacks:
• Software approach
  – Huge code-size overhead
  – High performance penalty
  – Check-summing done in software is itself susceptible to code injection attacks (the checking code can be overwritten like any other code)
• Hardware approach (the figure shows an application binary, or an instrumented application binary, running on a processor that talks to separate monitoring hardware over an external interface)
  – High area impact
  – Interfacing problem
  – Memory/table limitations
  – Scalability problems

IMPRES is a novel hardware/software technique at the granularity of micro-instructions that reduces these overheads considerably.

IMPRES Architecture: An Overview

Flow: Application Source Code → Compile → Software Instrumentation → Assemble & Link → Instrumented Binary → Loading → IMPRES hardware (the monitoring is integrated into the processor) → Code Injection Detection. A code injection into the instrumented binary is detected by the IMPRES hardware; only code that passes is treated as secure.
(a) A code segment (MIPS assembly):

    $L2:    lw   $3,4356($fp)
            addu $2,$3,4
            lw   $3,0($2)
            lb   $2,0($3)
            li   $3,0x00000045
            beq  $2,$3,$L4
            addu $2,$3,4
            lw   $3,0($2)
            lb   $2,0($3)
            li   $3,0x00000044
            lw   $2,4320($fp)
            lw   $3,4320($fp)
            lw   $2,4($2)
            lw   $3,8($3)
            j    $L3
    $L4:    li   $2,0x00000001
            sw   $2,4308($fp)
            lw   $3,4356($fp)
            addu $2,$3,4
            lw   $3,0($2)
            addu $16,$3,$2
            lb   $2,0($3)
            j    $L5
    $L3:    lw   $3,4356($fp)
            addu $2,$3,4
            lw   $3,0($2)
            addu $16,$3,$2
            lb   $2,0($3)
            li   $3,0x00000064
            beq  $2,$3,$L7

(b) Control flow graph for the code segment: four basic blocks, each terminated by a control-flow instruction (beq $2,$3,$L4; j $L5; j $L3; beq $2,$3,$L7).

(c) The same control flow graph with a check instruction at the head of each basic block:

    chk $0,4452($30)   lw $3,4356($fp); addu $2,$3,4; lw $3,0($2); lb $2,0($3); li $3,0x00000045; beq $2,$3,$L4
    chk $16,4521($30)  li $2,0x00000001; sw $2,4308($fp); lw $3,4356($fp); addu $2,$3,4; lw $3,0($2); addu $16,$3,$2; lb $2,0($3); j $L5
    chk $16,215($0)    addu $2,$3,4; lw $3,0($2); lb $2,0($3); li $3,0x00000044; lw $2,4320($fp); lw $2,4($2); lw $3,8($3); j $L3
    chk $0,4435($30)   lw $3,4356($fp); addu $2,$3,4; lw $3,0($2); addu $16,$3,$2; lb $2,0($3); li $3,0x00000064; beq $2,$3,$L7
Software Instrumentation
A special instruction (chk), carrying the checksum of the block, is inserted at the beginning of each logical basic block. Layout of an instrumented block: chk e-checksum; Inst1; Inst2; Inst3; Inst4; Inst5; CFI (the control-flow instruction that ends the block).
Check-summing at Runtime

A typical basic block: chk e-checksum; Inst1; Inst2; Inst3; Inst4; Inst5; CFI.

The checksum is recalculated incrementally as the block executes: Chksum1 after Inst1, then Chksum1-2, Chksum1-3, Chksum1-4, Chksum1-5, and finally ChksumBB after the CFI. ChksumBB is encrypted to give e-checksum', which is compared with the e-checksum carried by the chk instruction.

• Incremental checksum recalculation does not accumulate workload at particular points in the program flow.
• Encryption (a time consuming task) is used only when it is required, once per basic block. This decreases overhead.

Secure loading (figure): the untrusted instrumented binary carries a plain checksum in each chk, e.g.

    chk $0,4452($30)  lw $3,4356($fp)  addu $2,$3,4  lw $3,0($2)  lb $2,0($3)  li $3,0x00000045  beq $2,$3,$L4

At load time the checksum is calculated and encrypted under the hardware key, so the loaded code carries the encrypted value (drawn on the slide as "chk #$!@%^&*~|\." followed by the same instructions). At execution time the recomputed checksum is encrypted with the same hardware key and compared (==) with the stored value; on a match (Y) the block is treated as trusted code and execution continues.
Code Injection Attack Detection
• Static time: check-summing of each basic block during instrumentation
• Load time: encryption of the checksums using the hardware secret key
• Runtime: encrypted check-summing and comparison
• fBB flag: set only when
• The check instructions at the beginning of BBs and the micro-instructions embedded into the machine instructions serve as the interface between hardware and software

Contributions & Limitations
• A code injection detector which requires only a rudimentary software analysis
• An instruction memory transient fault detector (single event upsets in the instruction memory are fully detected with small latency)
• Encrypted basic block check-summing for code integrity violation detection
× Will only detect code injection attacks and will NOT detect any other security threats
Code Integrity Violation Model

Figure: (a) the original basic block, chk eChkSum; Inst-1..Inst-n; CFI, where chk is the check instruction, BI is the branch/control-flow instruction (CFI) and the nonBIs are the remaining instructions. Panels (b)-(o) show the single-block transformations T01-T14:
  T01 the checksum in the chk is changed (chk eChkSum')
  T02 the chk is replaced by a CFI (CFI')
  T03 the chk is replaced by a nonBI (nonBI-0)
  T04 the chk is replaced by an undefined instruction (Undefined-0)
  T05 the CFI is replaced by another CFI (CFI')
  T06 the CFI is replaced by a chk (chk eChkSum'')
  T07 the CFI is replaced by a nonBI (nonBI-1)
  T08 the CFI is replaced by an undefined instruction (Undefined-1)
  T09 a nonBI is changed (Inst-1')
  T10 a nonBI is replaced by a chk (chk eChkSum''')
  T11 a nonBI is replaced by a CFI (CFI'')
  T12 a nonBI is replaced by an undefined instruction (Undefined-2)
  T13 the chk and the nonBIs are replaced by arbitrary instructions (drawn as iInst-1..iInst-x)
  T14 the whole block is replaced by arbitrary instructions (drawn as iInst-1..iInst-x)
Code Integrity Violation Model (2)

Figure: (a) D1: chk eChkSum; Inst-1'..Inst-n'; CFI. (b) D2: chk eChkSum; Inst-1..Inst-n; CFI; iInst-1..iInst-x. (c) D3: chk eChkSum'''; Inst-1..Inst-n; CFI'''.
• The model on the previous slide covers all the possible cases.
• All combinations other than those presented on the previous slide are duplicates or subsets of them.
• Some duplicates are depicted above (D1 ∈ T01, D2 ∈ T09 and D3 ∈ T14).
Integrity Violation Detection

Type  Original       Changed to    Error Signal
T01   chk            checksum      SIGCKSM
T02   chk            CFI           SIGCKSM
T03   chk            nonBI         SIGCKSM
T04   chk            undefined     SIGSYSM
T05   CFI            another CFI   SIGCKSM
T06   CFI            chk           SIGNCFI
T07   CFI            nonBI         SIGNCFI
T08   CFI            undefined     SIGSYSM
T09   nonBI          nonBI         SIGCKSM
T10   nonBI          chk           SIGNCFI
T11   nonBI          CFI           SIGCKSM
T12   nonBI          undefined     SIGSYSM
T13   chk & nonBIs   any insts.    SIG(CKSM/NCFI)
T14   whole BB       any insts.    SIG(CKSM/NCFI)
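The following Python simulation is an added worked example, not code from the paper or the presenter. It exercises the three stages described above (static-time instrumentation, load-time encryption under the hardware key, runtime incremental check-summing with the fBB flag) and then injects the faults of the violation model to show which signal is raised and at which instruction it is detected. Everything below is assumed for illustration: a toy textual ISA in place of MIPS machine words (the chk immediate is written as a plain hex value rather than the register/offset form on the slides), a 32-bit additive checksum, a keyed BLAKE2b MAC truncated to 32 bits standing in for the DES56 core, and a constructed hardware key and sample program.

```python
"""IMPRES-style basic-block check-summing, simulated (added example, not the paper's code)."""
import hashlib

NONBI_OPS = {"lw", "sw", "lb", "addu", "li"}   # non-branch instructions (nonBI)
CFI_OPS = {"beq", "j", "jr"}                   # control-flow instructions end a BB
KNOWN_OPS = NONBI_OPS | CFI_OPS | {"chk"}
HW_KEY = bytes.fromhex("0123456789abcdef")     # constructed stand-in for the hardware secret key
MASK = 0xFFFFFFFF


def encode(inst):
    """Deterministic 32-bit 'machine word' for one textual instruction (toy encoding)."""
    return int.from_bytes(hashlib.blake2b(inst.encode(), digest_size=4).digest(), "big")


def checksum(insts):
    """Additive 32-bit checksum over the machine words of a block (the chk itself excluded)."""
    total = 0
    for inst in insts:
        total = (total + encode(inst)) & MASK
    return total


def encrypt(csum, key=HW_KEY):
    """Stand-in for DES56(hardware key, checksum): keyed BLAKE2b with a 32-bit output."""
    mac = hashlib.blake2b(csum.to_bytes(4, "big"), key=key, digest_size=4).digest()
    return int.from_bytes(mac, "big")


def instrument(asm):
    """Static time: split at every CFI and prepend `chk <plain checksum>` to each basic block."""
    out, block = [], []
    for inst in asm:
        block.append(inst)
        if inst.split()[0] in CFI_OPS:
            out.append(f"chk {checksum(block):#010x}")
            out.extend(block)
            block = []
    if block:
        raise ValueError("trailing instructions are not terminated by a CFI")
    return out


def secure_load(binary, key=HW_KEY):
    """Load time: the loader replaces each chk immediate by its encryption under the key."""
    loaded = []
    for inst in binary:
        op, *args = inst.split()
        loaded.append(f"chk {encrypt(int(args[0], 16), key):#010x}" if op == "chk" else inst)
    return loaded


def execute(loaded, key=HW_KEY):
    """Runtime monitor. Returns (signal, pc) at the first violation, or (None, len) if clean.

    fBB is set by a chk and cleared by the CFI closing the block. At the CFI the
    running checksum is encrypted and compared with the chk immediate (SIGCKSM on
    mismatch). A chk while fBB is still set means the previous block never reached
    its CFI (SIGNCFI); an opcode outside the ISA is SIGSYSM; an instruction executed
    with fBB clear is outside any checked block (SIGCKSM).
    """
    fbb, expected, running = False, 0, 0
    for pc, inst in enumerate(loaded):
        op, *args = inst.split()
        if op not in KNOWN_OPS:
            return "SIGSYSM", pc
        if op == "chk":
            if fbb:
                return "SIGNCFI", pc
            fbb, expected, running = True, int(args[0], 16), 0
            continue
        if not fbb:
            return "SIGCKSM", pc
        running = (running + encode(inst)) & MASK
        if op in CFI_OPS:
            if encrypt(running, key) != expected:
                return "SIGCKSM", pc
            fbb = False
    return None, len(loaded)


def inject(loaded, index, new_inst):
    """Fault/attack injection: overwrite one instruction of the loaded image."""
    image = list(loaded)
    image[index] = new_inst
    return image


# Constructed sample program: two blocks of 6 nonBIs + 1 CFI, i.e. bbsize = 8 once the chk is added.
SAMPLE = [
    "lw $3,4356($fp)", "addu $2,$3,4", "lw $3,0($2)", "lb $2,0($3)",
    "li $3,0x45", "addu $16,$3,$2", "beq $2,$3,$L4",
    "li $2,1", "sw $2,4308($fp)", "lw $3,4356($fp)", "addu $2,$3,4",
    "lw $3,0($2)", "lb $2,0($3)", "j $L5",
]

if __name__ == "__main__":
    image = secure_load(instrument(SAMPLE))
    print("clean run:", execute(image))
    print("T01 chk checksum changed:", execute(inject(image, 0, "chk 0x0")))
    print("T09 nonBI -> nonBI at pc 3:", execute(inject(image, 3, "li $3,0x44")))
    print("T06 CFI -> chk at pc 7:", execute(inject(image, 7, "chk 0x0")))
    print("T04 chk -> undefined at pc 0:", execute(inject(image, 0, "syscall")))
```

The (signal, pc) pair returned by execute gives the detection point of each fault, so the difference between the injection index and pc is the detection latency measured in the Fault Injection Analysis slide: a corrupted chk (T01) or a changed nonBI (T09) is only caught at the block's CFI, while a CFI turned into a chk (T06) or an undefined opcode (T04) is caught immediately. Loading with a different key than the hardware uses also fails at the first CFI, which is what ties the checksums to the hardware secret.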
Encryption Hardware

Figure: (a) the DES56 core as a block with a 64-bit KEY input, a 64-bit INPUT, a 64-bit OUTPUT and the control signals CLK, RESET, EorD, DS and RDY; (b) the DES56 algorithm as a Feistel network: the input P is split into L0/R0, round 1 applies f with the KEY to produce L1/R1, rounds 2-16 repeat this up to L15/R15, and the output follows. A timing diagram shows CLK, RESET, DS, KEY, INPUT, OUTPUT and RDY over cycles 0..18, with the OUTPUT signalled by RDY at cycle 18.
The encryption is performed in parallel to the pipeline. A single encryption takes 18 clock cycles, with a clock period 20x smaller than that of the processor, so it completes within one processor cycle.
Design Flow

(a) Software instrumentation: Source → Compiler Front End → Source.s → Identify BBs → Insert Checksum → Assemble and Link → Binary Parser → Calculate Checksum → iBinary (instrumented binary). The chk placeholders are inserted at the assembly level; their checksum values are computed from the machine words after assembly and linking.
(b) IMPRES hardware model: ISA of the target architecture → ASIP Design Tool (select functional units from the resource pool; micro-instructions for the ISA) → Integrate DES56 Core → Generate Hardware → IMPRES Processor.
Evaluation

• Verified IMPRES hardware model → ModelSim® hardware simulator → clock cycle count; Synopsys® Design Compiler → clock period & area.
• iBinary → modified SimpleScalar® instruction-set simulator with a fault injector → SIGCKSM, SIGNCFI, SIGSYSM.

SIGCKSM - Encrypted checksum mismatch
SIGNCFI - No control flow instruction
SIGSYSM - System error
Performance Overhead

Figure: execution time (s), 0.00 to 2.50, per application, Ordinary vs IMPRES.
Average performance overhead is
Blowfish benchmark performs better… Why?
Hardware and Memory Overheads

Figure: code size (lines), 0 to 3500, for adpcm.encode, adpcm.decode, blowfish.encrypt, blowfish.decrypt and crc32.checksum, Ordinary vs IMPRES.

               Clock Period (ns)   Area (gates)   Leakage Power (µW)
Ordinary H/W   16.84               227077         478
IMPRES H/W     16.85               229143         483
Overhead (%)   0.06%               0.91%          1.05%
Fault Injection Analysis

Figure: number of faults (0 to 12000) per application, broken down into Not Activated, System (SIGSYSM), CKSM (SIGCKSM), NCFI (SIGNCFI) and Total.
Error Detection Latency (instruction positions within a BB of bbsize instructions: the chk is at position 1, the CFI at position bbsize; w_x is the number of instructions of that kind in the block)

Type  Activated at   Detected at   Latency     w_x
T01   1              bbsize        bbsize-1    1
T02   1              1             0           1
T03   1              1             0           1
T04   1              1             0           1
T05   bbsize         bbsize        0           1
T06   bbsize         bbsize        0           1
T07   bbsize         bbsize+1      1           1
T08   bbsize         bbsize        0           1
T09   bbsize/2       bbsize        bbsize/2    bbsize-2
T10   bbsize/2       bbsize/2      0           bbsize-2
T11   bbsize/2       bbsize/2      0           bbsize-2
T12   bbsize/2       bbsize/2      0           bbsize-2

$$\text{Average Error Detection Latency} = \frac{1}{12}\sum_{x=T01}^{T12}\frac{(\text{Detected}_x - \text{Activated}_x)\cdot w_x}{bbsize} = \frac{1}{12}\cdot\frac{(bbsize-1)\cdot 1 + 1\cdot 1 + \frac{bbsize}{2}\cdot(bbsize-2)}{bbsize} = \frac{bbsize}{24}$$
Summary and Conclusions
• Code injection attacks are still real.
• IMPRES provides a low cost, rudimentary solution to code injection attacks.
• IMPRES's overheads and detection latency are minimal.
THANK YOU!