Countering code injection attacks with TLB and I/O monitoring

Dongkyun Ahn, Kyung Ho Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Citation (Scopus)

Abstract

This paper presents a software-transparent protection against binary code injection attacks. With a TLB (Translation Lookahead Buffer) that is usually split between data (DTLB) and instructions (ITLB) as found in modern processors, a simple protection can be developed based on an observation that activating an injected code causes a data TLB hit under ITLB miss with dirty bit set in the hit TLB entry. However, such a protection is not applicable in practice unless the system does not allow runtime code injections, while modern systems utilize runtime generated code rather extensively. The protection presented distinguishes an activation of a legitimated runtime generated codes from binary code injection attacks at an ITLB miss. The protection monitors not only address translation requests coming to TLB but also the address of the buffer used for I/O operations. This allows information flow tracking that filters out illegitimate code injection. The protection blocks an activation of the code injected via an I/O operation by analyzing TLB flags and the translation request profile. To evaluate our idea, we have revised the address translation function in Bochs x86 simulator and conducted code injection attacks available over the Internet to see how many code injections our idea can detect. The experimental results show that the proposed protection can detect all the code injection attacks tested without revising the operating system.

Original languageEnglish
Title of host publicationProceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
Pages370-375
Number of pages6
DOIs
Publication statusPublished - 2010 Dec 1
Event28th IEEE International Conference on Computer Design, ICCD 2010 - Amsterdam, Netherlands
Duration: 2010 Oct 32010 Oct 6

Other

Other28th IEEE International Conference on Computer Design, ICCD 2010
CountryNetherlands
CityAmsterdam
Period10/10/310/10/6

    Fingerprint

Keywords

  • Code injection attack
  • Cyber attack detection
  • Translation look-aside buffer
  • Virtual address translation

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Hardware and Architecture

Cite this

Ahn, D., & Lee, K. H. (2010). Countering code injection attacks with TLB and I/O monitoring. In Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors (pp. 370-375). [5647696] https://doi.org/10.1109/ICCD.2010.5647696