A Practical Method to Confine Sensitive API Invocations on Commodity Hardware

  • Conference paper
Network and System Security (NSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

Control-flow hijacking attacks are a very dangerous threat to software security because they can hijack a program's execution to run malicious code. Many solutions have been proposed to counter these attacks, but the majority of them suffer from the following limitations: (1) some methods can be bypassed by advanced code-reuse attacks; (2) some methods incur considerable performance cost; (3) some methods need to modify the target program. To address these problems, we present APIdefender, a kernel-based solution to defeat control-flow attacks. Our method is compatible with existing software and hardware. The basic idea of our approach is to confine sensitive API invocations by comparing the invocation context with baseline information obtained by offline analysis. To perform run-time enforcement for the API invocations, we leverage some commodity hardware features. The experiments show that APIdefender can detect malicious API invocations effectively with a small performance overhead.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (NSFC) under Grant No. 61602035, the National Key R&D Program of China under Grant No. 2016YFB0800700, and the Opening Project of Shanghai Key Laboratory of Integrated Administration Technologies for Information Security.

Corresponding author

Correspondence to Donghai Tian.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Tian, D., Qi, D., Zhan, L., Yin, Y., Hu, C., Xue, J. (2017). A Practical Method to Confine Sensitive API Invocations on Commodity Hardware. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_11

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science, Computer Science (R0)
