TY - GEN
T1 - Countering code injection attacks with TLB and I/O monitoring
AU - Ahn, Dongkyun
AU - Lee, Gyungho
PY - 2010
Y1 - 2010
AB - This paper presents a software-transparent protection against binary code injection attacks. With a TLB (Translation Lookaside Buffer) that is usually split between data (DTLB) and instructions (ITLB), as found in modern processors, a simple protection can be built on the observation that activating injected code causes a DTLB hit under an ITLB miss, with the dirty bit set in the hit DTLB entry. However, such a protection is not applicable in practice unless the system disallows all runtime-generated code, whereas modern systems use runtime-generated code rather extensively. The protection presented here distinguishes the activation of legitimate runtime-generated code from a binary code injection attack at an ITLB miss. It monitors not only the address translation requests arriving at the TLB but also the addresses of the buffers used for I/O operations. This enables information flow tracking that filters out illegitimate code injection: the protection blocks the activation of code injected via an I/O operation by analyzing the TLB flags and the translation request profile. To evaluate the idea, we revised the address translation function in the Bochs x86 simulator and ran code injection attacks available over the Internet to see how many of them the idea detects. The experimental results show that the proposed protection detects all the code injection attacks tested without modifying the operating system.
KW - Code injection attack
KW - Cyber attack detection
KW - Translation look-aside buffer
KW - Virtual address translation
UR - http://www.scopus.com/inward/record.url?scp=78650750541&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650750541&partnerID=8YFLogxK
U2 - 10.1109/ICCD.2010.5647696
DO - 10.1109/ICCD.2010.5647696
M3 - Conference contribution
AN - SCOPUS:78650750541
SN - 9781424489350
T3 - Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
SP - 370
EP - 375
BT - 2010 IEEE International Conference on Computer Design, ICCD 2010
T2 - 28th IEEE International Conference on Computer Design, ICCD 2010
Y2 - 3 October 2010 through 6 October 2010
ER -