Countering code injection attacks with TLB and I/O monitoring

Dongkyun Ahn, Kyung Ho Lee

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

1 Citation (Scopus)

Abstract

This paper presents a software-transparent protection against binary code injection attacks. In modern processors the TLB (Translation Lookaside Buffer) is usually split into a data TLB (DTLB) and an instruction TLB (ITLB), and a simple protection can be built on the observation that activating injected code causes an ITLB miss together with a DTLB hit whose entry has the dirty bit set. Such a protection is not practical, however, unless the system forbids runtime code injection altogether, whereas modern systems make extensive use of runtime-generated code. The protection presented here distinguishes the activation of legitimate runtime-generated code from a binary code injection attack at the time of the ITLB miss. It monitors not only the address translation requests arriving at the TLB but also the addresses of the buffers used for I/O operations, which allows information-flow tracking that filters out illegitimate code injection. The protection blocks the activation of code injected through an I/O operation by analyzing the TLB flags and the translation request profile. To evaluate the idea, we revised the address translation function of the Bochs x86 simulator and ran code injection attacks available on the Internet to see how many of them the approach detects. The experimental results show that the proposed protection detects all of the code injection attacks tested without modifying the operating system.

Original language: English
Title of host publication: Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
Pages: 370-375
Number of pages: 6
DOIs: 10.1109/ICCD.2010.5647696
Publication status: Published - 2010 Dec 1
Event: 28th IEEE International Conference on Computer Design, ICCD 2010 - Amsterdam, Netherlands
Duration: 2010 Oct 3 to 2010 Oct 6

Other

Other: 28th IEEE International Conference on Computer Design, ICCD 2010
Country: Netherlands
City: Amsterdam
Period: 10/10/3 to 10/10/6

Keywords

  • Code injection attack
  • Cyber attack detection
  • Translation look-aside buffer
  • Virtual address translation

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Hardware and Architecture

Cite this

Ahn, D., & Lee, K. H. (2010). Countering code injection attacks with TLB and I/O monitoring. In Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors (pp. 370-375). [5647696] https://doi.org/10.1109/ICCD.2010.5647696

@inproceedings{42aab091e7704218bd48457860bf593c,
title = "Countering code injection attacks with TLB and I/O monitoring",
abstract = "This paper presents a software-transparent protection against binary code injection attacks. In modern processors the TLB (Translation Lookaside Buffer) is usually split into a data TLB (DTLB) and an instruction TLB (ITLB), and a simple protection can be built on the observation that activating injected code causes an ITLB miss together with a DTLB hit whose entry has the dirty bit set. Such a protection is not practical, however, unless the system forbids runtime code injection altogether, whereas modern systems make extensive use of runtime-generated code. The protection presented here distinguishes the activation of legitimate runtime-generated code from a binary code injection attack at the time of the ITLB miss. It monitors not only the address translation requests arriving at the TLB but also the addresses of the buffers used for I/O operations, which allows information-flow tracking that filters out illegitimate code injection. The protection blocks the activation of code injected through an I/O operation by analyzing the TLB flags and the translation request profile. To evaluate the idea, we revised the address translation function of the Bochs x86 simulator and ran code injection attacks available on the Internet to see how many of them the approach detects. The experimental results show that the proposed protection detects all of the code injection attacks tested without modifying the operating system.",
keywords = "Code injection attack, Cyber attack detection, Translation look-aside buffer, Virtual address translation",
author = "Dongkyun Ahn and Lee, {Kyung Ho}",
year = "2010",
month = "12",
day = "1",
doi = "10.1109/ICCD.2010.5647696",
language = "English",
isbn = "9781424489350",
pages = "370--375",
booktitle = "Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors",
}