DOI:10.1145/3337167.3337168

Detecting Non-Control-Flow Hijacking Attacks Using Contextual Execution Information

Published: 23 June 2019

Abstract

In recent years, we have seen a rise in non-control-flow hijacking attacks, which manipulate key data elements to corrupt the integrity of a victim application while upholding a valid control flow during its execution. Consequently, they are more difficult to detect, and hence to prevent, with traditional mitigation techniques that target control-oriented attacks. In this work, we propose a methodology for detecting non-control-flow hijacking attacks by employing low-level hardware information formatted as time series. Using architectural and micro-architectural hardware event counts, we model the regular execution behavior of the application(s) of interest, in an effort to detect abnormal execution behavior taking place in the vicinity of the vulnerability. We employed three distinct anomaly detection models: a traditional support vector machine (SVM), an echo state network (ESN), and a heavily modified k-nearest neighbors (KNN) model. We evaluated the proposed methodology using seven real-world non-control-flow hijacking exploits that target two vulnerabilities in modern web servers and three vulnerabilities in the OpenSSL library. Because our proposed detection methodology employs contextual information across the temporal domain, we are able to achieve an average classification accuracy of 99.36%, with a false positive rate (FPR) of 0.79% and a false negative rate (FNR) of 0.53%.



Published In

HASP '19: Proceedings of the 8th International Workshop on Hardware and Architectural Support for Security and Privacy
June 2019
73 pages
ISBN:9781450372268
DOI:10.1145/3337167
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Anomaly Detection
  2. Data-Only Attacks
  3. Encryption-Downgrade Attacks
  4. Hardware Performance Counters
  5. Machine Learning

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

HASP '19

Acceptance Rates

Overall Acceptance Rate 9 of 13 submissions, 69%


Article Metrics

  • Downloads (Last 12 months)5
  • Downloads (Last 6 weeks)2
Reflects downloads up to 16 Feb 2025


Cited By

  • (2023) HARD-Lite: A Lightweight Hardware Anomaly Realtime Detection Framework Targeting Ransomware. IEEE Transactions on Circuits and Systems I: Regular Papers 70:12 (5036-5047). DOI:10.1109/TCSI.2023.3299532. Online publication date: Dec-2023
  • (2022) Where's Waldo? Proceedings of the 19th ACM International Conference on Computing Frontiers (75-84). DOI:10.1145/3528416.3530226. Online publication date: 17-May-2022
  • (2022) Detecting Non-control-flow Hijacking Threats with Deep Autoencoding Gaussian Mixture Model. 2022 4th International Conference on Communications, Information System and Computer Engineering (CISCE) (414-417). DOI:10.1109/CISCE55963.2022.9851019. Online publication date: 27-May-2022
  • (2022) HARD-Lite: A Lightweight Hardware Anomaly Realtime Detection Framework Targeting Ransomware. 2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST) (1-6). DOI:10.1109/AsianHOST56390.2022.10022111. Online publication date: 14-Dec-2022
  • (2021) Feature Creation Towards the Detection of Non-control-Flow Hijacking Attacks. Artificial Neural Networks and Machine Learning – ICANN 2021 (153-164). DOI:10.1007/978-3-030-86362-3_13. Online publication date: 7-Sep-2021
