Countering code injection attacks with TLB and I/O monitoring

Dongkyun Ahn, Gyungho Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)


This paper presents a software-transparent protection against binary code injection attacks. With a TLB (Translation Lookahead Buffer) that is usually split between data (DTLB) and instructions (ITLB) as found in modern processors, a simple protection can be developed based on an observation that activating an injected code causes a data TLB hit under ITLB miss with dirty bit set in the hit TLB entry. However, such a protection is not applicable in practice unless the system does not allow runtime code injections, while modern systems utilize runtime generated code rather extensively. The protection presented distinguishes an activation of a legitimated runtime generated codes from binary code injection attacks at an ITLB miss. The protection monitors not only address translation requests coming to TLB but also the address of the buffer used for I/O operations. This allows information flow tracking that filters out illegitimate code injection. The protection blocks an activation of the code injected via an I/O operation by analyzing TLB flags and the translation request profile. To evaluate our idea, we have revised the address translation function in Bochs x86 simulator and conducted code injection attacks available over the Internet to see how many code injections our idea can detect. The experimental results show that the proposed protection can detect all the code injection attacks tested without revising the operating system.

Original languageEnglish
Title of host publication2010 IEEE International Conference on Computer Design, ICCD 2010
Number of pages6
Publication statusPublished - 2010
Event28th IEEE International Conference on Computer Design, ICCD 2010 - Amsterdam, Netherlands
Duration: 2010 Oct 32010 Oct 6

Publication series

NameProceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
ISSN (Print)1063-6404


Other28th IEEE International Conference on Computer Design, ICCD 2010


  • Code injection attack
  • Cyber attack detection
  • Translation look-aside buffer
  • Virtual address translation

ASJC Scopus subject areas

  • Hardware and Architecture
  • Electrical and Electronic Engineering


Dive into the research topics of 'Countering code injection attacks with TLB and I/O monitoring'. Together they form a unique fingerprint.

Cite this