A metadata-driven approach to efficiently detect code-reuse attacks on ARM multiprocessors

The Journal of Supercomputing

Abstract

In recent years, there has been a growing need to protect the security and privacy of data against attacks on software running on smart mobile devices. As of today, the code-reuse attack (CRA) is known as one of the most sophisticated such techniques. In this paper, we propose a hardware-assisted solution that can be practically deployed in existing ARM-based mobile devices. We exploit the CoreSight debug interface to obtain internal information from the core. Because the information fed from the debug interface is insufficient on its own to detect CRAs, our solution uses metadata to supplement what is missing. However, most metadata-driven approaches suffer from significant storage overhead, since they must store every piece of basic information describing the original data that is vital to their analysis. As this large space overhead can be a major obstacle to the general acceptance of our solution in ARM-based devices with strict performance constraints, we have endeavored to develop a technique that minimizes the memory overhead. We have also extended our solution to multiprocessor SoCs, as a growing number of computing systems, including mobile devices, use multiprocessor architectures. Experimental results show that our solution detects CRAs with 1.74% performance overhead in a dual-CPU system and requires only 5.66% more memory for storing metadata.


Notes

  1. That is, an indirect call, indirect jump or return.

  2. There are five types: direct jump/call, indirect jump/call and return.

  3. That is, an indirect call, indirect jump or return.


Acknowledgements

This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) Grant Funded by the Korean Government (MSIT) under Grant 2018-0-00230 (Development on Autonomous Trust Enhancement Technology of IoT Device and Study on Adaptive IoT Security Open Architecture based on Global Standardization [TrusThingz Project]) and Grant 2017-0-00213 (Development of Cyber Self Mutation Technologies for Proactive Cyber Defense), in part by the National Research Foundation of Korea (NRF) Grant Funded by the Korean Government (MSIT) under Grant NRF-2020R1A2B5B03095204 and Grant NRF-2018R1D1A1B07049870, in part by the BK21 Plus program of the Creative Research Engineer Development for IT, Seoul National University in 2020, in part by the EDA tool from the IC Design Education Center (IDEC), South Korea, and in part by the research fund of Hanyang University (HY-2020).


Correspondence to Yeongpil Cho or Yunheung Paek.


Cite this article

Oh, H., Cho, Y. & Paek, Y. A metadata-driven approach to efficiently detect code-reuse attacks on ARM multiprocessors. J Supercomput 77, 7287–7314 (2021). https://doi.org/10.1007/s11227-020-03542-1
