Enlisting Hardware Architecture to Thwart Malicious Code Injection

  • Ruby B. Lee
  • David K. Karig
  • John P. McGregor
  • Zhijie Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2802)


Software vulnerabilities that enable the injection and execution of malicious code in pervasive Internet-connected computing devices pose serious threats to cyber security. In a common type of attack, a hostile party induces a software buffer overflow in a susceptible computing device in order to corrupt a procedure return address and transfer control to malicious code. These buffer overflow attacks are often employed to recruit oblivious hosts into distributed denial of service (DDoS) attack networks, which ultimately launch devastating DDoS attacks against victim networks or machines. In spite of existing software countermeasures that seek to prevent buffer overflow exploits, many systems remain vulnerable.


Procedure Call, Return Address, Malicious Code, Return Instruction, Branch Prediction
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Ruby B. Lee (1)
  • David K. Karig (1)
  • John P. McGregor (1)
  • Zhijie Shi (1)
  1. Princeton Architecture Laboratory for Multimedia and Security (PALMS), Department of Electrical Engineering, Princeton University
