ABSTRACT
After a software system is compromised, it can be difficult to understand what vulnerabilities attackers exploited. Any information residing on that machine cannot be trusted, as attackers may have tampered with it to cover their tracks. Moreover, even after an exploit is known, it can be difficult to determine whether it has been used to compromise a given machine. Aviation has long used black boxes to better understand the causes of accidents, enabling improvements that reduce the likelihood of future accidents. Many attacks introduce abnormal control flows to compromise systems. In this paper, we present BlackBox, a monitoring system for COTS software. Our techniques enable BlackBox to efficiently monitor unexpected and potentially harmful control flow in COTS binaries. BlackBox constructs dynamic profiles of an application's typical control flows to filter the vast majority of expected control flow behavior, leaving us with a manageable amount of data that can be logged across the network to remote devices. Modern applications make extensive use of dynamically generated code, some of which varies greatly between executions. We introduce support for code generators that can detect security-sensitive behaviors while allowing BlackBox to avoid logging the majority of ordinary behaviors. We have implemented BlackBox in DynamoRIO. We evaluate the runtime overhead of BlackBox, and show that it can effectively monitor recent versions of Microsoft Office and Google Chrome. We show that in ROP, COOP, and state-of-the-art JIT injection attacks, BlackBox logs the pivotal actions by which the attacker takes control, and can also blacklist those actions to prevent repeated exploits.
Supplemental Material
BlackBox monitors and logs application control flow activity, filtering out normal program behaviors based on a trusted profile and sorting the log by highest estimated risk first. To block known exploits, BlackBox supports a control flow blacklist that terminates the program with an error message when prohibited control flow occurs.
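The three behaviours described above (filter indirect branches against a trusted profile, log the remainder ordered by estimated risk, terminate on a blacklisted edge) are easiest to see on a concrete branch trace. The following is an added illustration written for this page, not the paper's DynamoRIO client: it models branch edges as "module+0xoffset" strings, and the risk heuristics, the module and function-entry tables, the sample profile and the sample trace are all constructed assumptions, not data from the paper's evaluation.

```python
"""Toy model of BlackBox-style control-flow monitoring (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    kind: str   # "call", "jmp" or "ret" (indirect branches only)
    src: str    # "module+0xoffset", e.g. "app.exe+0x1000" (assumed syntax)
    dst: str


@dataclass
class Anomaly:
    edge: Edge
    risk: int
    reason: str


class BlacklistViolation(Exception):
    """Raised where BlackBox would terminate the process with an error."""


def module_of(addr: str) -> str:
    return addr.split("+", 1)[0]


class Monitor:
    def __init__(self, profile, blacklist, function_entries, loaded_modules):
        self.profile = frozenset(profile)        # edges seen in trusted runs
        self.blacklist = frozenset(blacklist)    # edges known to be exploit pivots
        self.entries = frozenset(function_entries)
        self.modules = frozenset(loaded_modules)
        # Simplification: a return is "paired" if it lands on the address of a
        # call edge recorded in the profile; instruction lengths are ignored.
        self.return_sites = frozenset(e.src for e in self.profile if e.kind == "call")

    def estimate_risk(self, e: Edge) -> tuple[int, str]:
        """Hypothetical scoring: higher means more likely an attacker pivot."""
        if module_of(e.dst) not in self.modules:
            return 4, "target outside any loaded module (injected code?)"
        if e.kind == "ret" and e.dst not in self.return_sites:
            return 3, "return to a non-call site (ROP-style gadget)"
        if e.kind == "call" and e.dst not in self.entries:
            return 2, "indirect call into the middle of a function (COOP-style)"
        return 1, "unprofiled edge between known code"

    def run(self, trace) -> list:
        log = []
        for e in trace:
            if e in self.blacklist:
                raise BlacklistViolation(
                    f"prohibited control flow: {e.kind} {e.src} -> {e.dst}")
            if e in self.profile:
                continue            # expected behaviour is never logged
            risk, why = self.estimate_risk(e)
            log.append(Anomaly(e, risk, why))
        log.sort(key=lambda a: a.risk, reverse=True)   # highest risk first
        return log


# Constructed sample data for the example (not from the paper).
PROFILE = {
    Edge("call", "app.exe+0x1000", "app.exe+0x2000"),
    Edge("call", "app.exe+0x1020", "lib.dll+0x3000"),
    Edge("ret", "lib.dll+0x3040", "app.exe+0x1020"),
    Edge("jmp", "app.exe+0x1100", "app.exe+0x1200"),
}
ENTRIES = {"app.exe+0x2000", "lib.dll+0x3000", "lib.dll+0x5000"}
MODULES = {"app.exe", "lib.dll"}
BLACKLIST = {Edge("ret", "lib.dll+0x3040", "lib.dll+0x4242")}

TRACE = [
    Edge("call", "app.exe+0x1000", "app.exe+0x2000"),   # profiled, filtered
    Edge("call", "app.exe+0x1020", "lib.dll+0x3000"),   # profiled, filtered
    Edge("ret", "lib.dll+0x3040", "app.exe+0x1020"),    # profiled, filtered
    Edge("call", "app.exe+0x1040", "lib.dll+0x5000"),   # new but plausible
    Edge("call", "app.exe+0x1060", "lib.dll+0x5010"),   # mid-function target
    Edge("ret", "lib.dll+0x3040", "lib.dll+0x4100"),    # return to a gadget
    Edge("jmp", "lib.dll+0x4100", "heap+0x20"),         # jump into the heap
]


def demo_log() -> list:
    """Monitor the constructed trace and return the risk-sorted anomaly log."""
    return Monitor(PROFILE, BLACKLIST, ENTRIES, MODULES).run(TRACE)


def demo_blacklist() -> str:
    """Replay a blacklisted edge and return the termination message."""
    mon = Monitor(PROFILE, BLACKLIST, ENTRIES, MODULES)
    try:
        mon.run(TRACE + [Edge("ret", "lib.dll+0x3040", "lib.dll+0x4242")])
    except BlacklistViolation as exc:
        return str(exc)
    return "not blocked"


if __name__ == "__main__":
    for a in demo_log():
        print(a.risk, a.edge.kind, a.edge.src, "->", a.edge.dst, "|", a.reason)
    print(demo_blacklist())
```

Of the seven branches in the trace, three match the profile and never reach the log; the remaining four are logged with the heap jump first and the merely unprofiled call last, and replaying the blacklisted return stops the run before anything else is processed. A real profile also has to tolerate dynamically generated code, whose addresses change every execution; this toy keys edges on fixed offsets and so would log every JIT edge, which is exactly the noise the paper's code-generator support is meant to remove.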
Index Terms
- BlackBox: lightweight security monitoring for COTS binaries