
Microprocessors and Microsystems

Volume 33, Issues 7–8, October–November 2009, Pages 461-468

Indirect Branch Validation Unit

https://doi.org/10.1016/j.micpro.2009.09.002

Abstract

This paper presents a micro-architectural enhancement, named the Indirect Branch Validation Unit (IBVU), to prevent malicious attacks from compromising a program's control data. The IBVU provides run-time control-flow protection by validating each dynamic instance of an indirect branch as an indirect branch pair (IBP): the address of the branch instruction together with its target address, which together represent the program's behaviour. To validate an IBP at run time with little performance and storage overhead, the IBVU employs a Bloom filter, a hashing-based bit-vector representation for querying set membership. Two organizations that trade access delay against area in the VLSI design are provided, and three commonly used hashing schemes are evaluated for their performance impact and area overhead. Since a Bloom filter can return false positives, the paper discusses how to reduce them through the filter's design parameters, and notes why the hashing-based indexing of the filter makes those false positives difficult for an attacker to exploit.

Introduction

There are various ways to exploit software vulnerabilities (such as buffer overflows, format string vulnerabilities, heap overflows and integer overflows) for malicious attacks. An external adversary typically subverts the victim program's normal execution by overwriting critical data in the program's address space. By overwriting control data, the data used as the target of a control-flow transfer instruction, software attacks redirect the control flow to a path of the attacker's choosing [4]. Other attacks overwrite other critical data, such as decision-making data.

Current micro-architectures allow an indirect branch to use any value loaded into the program counter as its destination, without checking its validity. This is one of the fundamental reasons why a higher-level solution built on such unsecured hardware finds it difficult to guarantee that every control-flow transfer is the intended one. At the machine instruction level, high-level descriptions of program behaviour are ultimately translated into control-flow transfer instructions, direct branches and indirect branches. We therefore propose a hardware defense mechanism that validates an indirect branch's behaviour and restrains it from jumping to arbitrary targets. Shifting the defense down to the instruction level provides a more secure hardware platform; however, at this level the performance and storage overhead must be minimal, which rules out many existing protection schemes.

To represent the dynamic execution of indirect branches, we propose the Indirect Branch Validation Unit (IBVU), which holds an indirect branch behaviour signature made up of the target address and the PC address of the indirect branch instances of interest. For the IBVU to check an indirect branch pair (IBP), i.e. an indirect branch instruction's address and its target address, one needs to represent the set of legitimate IBPs. One could use a hardware table with a cache in front of it, but that incurs excessive performance and storage overhead. We therefore use a time- and space-efficient bit-vector representation: a Bloom filter, which supports indirect branch validation in the processor core, is adopted to implement the IBVU. A Bloom filter is a space-efficient probabilistic data structure used to test whether an element is a member of a set [2]. The IBVU can thus efficiently decide at run time whether a given indirect branch instance is legitimate. However, because the filter is indexed through hashing, false positives are possible: the filter may pass some invalid bit patterns as legitimate instead of filtering them out.

Although false positives are the inherent cost of a Bloom filter's fast and efficient representation of program control flow, one should note that a false positive in the Bloom filter is NOT directly translated into an attack that escapes the protection. The false-positive rate of a Bloom filter is only the probability that some hashed values hit the same positions of the bit vector. Encountering the same hashed values from two different control-flow paths is a different matter, and a highly unlikely event. To exploit the false positives of the Bloom filter in a successful attack, the attacker has to construct two proper values that together conform to a false-positive pattern: one for the address pointed to by the program counter (PC) of a branch instruction that the attacker manages to modify, and the other for the target address at which the attacker manages to inject malicious code or a trampoline to it. Note also that devising a false-positive pattern in the Bloom filter is akin to breaking an encryption code, and that it becomes even harder if more control-path information is added to what is validated.

Along with the size of the bit vector relative to the size of the set being filtered, the hash functions adopted in the Bloom filter determine the access delay, area and power consumption of the IBVU. This paper goes over the design options for the IBVU in VLSI. To meet different micro-architectural requirements, two organizations, the cascading style and the iterating style, which trade off time against space in the VLSI design, are presented. Finally, based on the VLSI design experiment data, the performance degradation inside the processor core is reported.
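To make the validation step and the false-positive argument concrete, here is a software model of an IBVU-style Bloom filter. It is an added example for this page, not the paper's design or its Verilog. It hashes each IBP (branch PC concatenated with target) with k instances of the H3 universal hash family [6], one of the hashing schemes the paper evaluates, sets k bits when a legitimate IBP is trained in, and requires all k bits to be set at validation time; it then measures how many random, unrecorded IBPs a large and a tiny filter let through, and whether a hijacked pair (a legitimate branch PC with an attacker-chosen target) passes, for comparison with the textbook estimate (1 - e^(-kn/m))^k. The sample addresses, k = 4, the 2^17-bit and 2^6-bit filter sizes, and the PRNG-generated H3 matrices are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Software model of an IBVU-style Bloom filter over indirect branch pairs (IBPs). Added
 * example for this page, not the paper's hardware; addresses, sizes and matrices are assumed. */
#define KEY_BITS   64   /* IBP key: 32-bit branch PC concatenated with 32-bit target */
#define IBVU_MAX_K  8   /* hash functions supported by this model */

typedef struct {
    uint32_t m_bits;                    /* bit-vector length, a power of two */
    int k;                              /* hash functions in use */
    uint32_t h3[IBVU_MAX_K][KEY_BITS];  /* H3 matrices: one index row per key bit */
    uint8_t *bits;                      /* the bit vector */
} ibvu_t;

static uint64_t rng_state;  /* xorshift64 with a fixed seed so runs reproduce (assumption) */
static uint64_t xorshift64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
static uint64_t ibp_key(uint32_t pc, uint32_t target) { return ((uint64_t)pc << 32) | target; }

/* H3 (Carter-Wegman universal hashing): XOR the matrix rows selected by the set bits of
 * the key. Hardware computes this as one XOR tree per index bit. */
static uint32_t h3_hash(const ibvu_t *f, int j, uint64_t key)
{
    uint32_t h = 0;
    for (int i = 0; i < KEY_BITS; i++)
        if ((key >> i) & 1) h ^= f->h3[j][i];
    return h & (f->m_bits - 1);
}

int ibvu_init(ibvu_t *f, unsigned index_bits, int k)
{
    if (k < 1 || k > IBVU_MAX_K || index_bits < 3 || index_bits > 30) return -1;
    f->m_bits = 1u << index_bits; f->k = k;
    rng_state = 0x9E3779B97F4A7C15ULL;  /* same matrices for every filter built here */
    for (int j = 0; j < k; j++)
        for (int i = 0; i < KEY_BITS; i++)
            f->h3[j][i] = (uint32_t)xorshift64() & (f->m_bits - 1);
    f->bits = calloc(f->m_bits / 8, 1);
    return f->bits ? 0 : -1;
}

/* Training: record a legitimate IBP by setting its k bits. */
void ibvu_insert(ibvu_t *f, uint32_t pc, uint32_t target)
{
    uint64_t key = ibp_key(pc, target);
    for (int j = 0; j < f->k; j++) {
        uint32_t idx = h3_hash(f, j, key);
        f->bits[idx >> 3] |= (uint8_t)(1u << (idx & 7));
    }
}

/* Validation at the branch: 1 = pass (recorded IBP, or a false positive), 0 = reject. A
 * recorded IBP is never rejected; an unrecorded one passes only if all k positions are set. */
int ibvu_check(const ibvu_t *f, uint32_t pc, uint32_t target)
{
    uint64_t key = ibp_key(pc, target);
    for (int j = 0; j < f->k; j++) {
        uint32_t idx = h3_hash(f, j, key);
        if (!(f->bits[idx >> 3] & (1u << (idx & 7)))) return 0;
    }
    return 1;
}

/* Textbook estimate (1 - e^{-kn/m})^k, using a short series for e^{-x} instead of libm. */
double ibvu_fp_rate(double m, double n, int k)
{
    double x = k * n / m, term = 1.0, e = 1.0, p = 1.0;
    for (int i = 1; i < 40; i++) { term *= -x / i; e += term; }
    for (int j = 0; j < k; j++) p *= 1.0 - e;
    return p;
}

/* Constructed legitimate IBPs (made-up addresses in 0x0804xxxx): one site with two valid
 * targets and one target reached from two sites, as a real profile would contain. */
#define N_SAMPLE 8
static const uint32_t SAMPLE_IBPS[N_SAMPLE][2] = {
    {0x08048a10, 0x08048c00}, {0x08048a10, 0x08048d40}, {0x08049120, 0x08047f00},
    {0x08049120, 0x08047f80}, {0x0804a3c4, 0x0804a400}, {0x0804b008, 0x0804b0a0},
    {0x0804c77c, 0x08048c00}, {0x0804d210, 0x0804d300},
};
typedef struct { int members_accepted, false_positives, hijack_passed; } ibvu_result_t;

/* Train a 2^index_bits-bit, k-hash filter on the sample set, then report: recorded IBPs
 * accepted (always all of them), random unrecorded IBPs passed out of n_probe (measured
 * false positives), and whether the hijacked pair (legitimate PC, attacker target) passes. */
ibvu_result_t ibvu_experiment(unsigned index_bits, int k, int n_probe, uint32_t attacker_target)
{
    ibvu_result_t r = {0, 0, 0};
    ibvu_t f;
    if (ibvu_init(&f, index_bits, k) != 0) return r;
    for (int i = 0; i < N_SAMPLE; i++) ibvu_insert(&f, SAMPLE_IBPS[i][0], SAMPLE_IBPS[i][1]);
    for (int i = 0; i < N_SAMPLE; i++)
        r.members_accepted += ibvu_check(&f, SAMPLE_IBPS[i][0], SAMPLE_IBPS[i][1]);
    for (int i = 0; i < n_probe; i++) {   /* probe PCs sit in 0xFxxxxxxx, disjoint from the sample */
        uint64_t x = xorshift64();
        r.false_positives += ibvu_check(&f, 0xF0000000u | (uint32_t)(x >> 36), (uint32_t)x);
    }
    r.hijack_passed = ibvu_check(&f, SAMPLE_IBPS[0][0], attacker_target);
    free(f.bits);
    return r;
}
```

Trained on the eight constructed pairs, the 2^17-bit filter has at most 32 of its 131,072 bits set, so a random probe, or the hijacked pair, is rejected unless all four of its positions happen to be set already; the 64-bit filter, with roughly 40% of its bits set, passes a couple of percent of random probes, in line with ibvu_fp_rate(64, 8, 4). One caveat for practitioners: the H3 matrices in this model are fixed and public, so it demonstrates the statistical argument of the text (the attacker has to land both halves of the pair on already-set bits), not any secrecy property of the hash.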

The rest of this paper is organized as follows: Section 2 introduces the basic idea of using the signature of indirect branches to detect attacks, and Section 3 presents the design and implementation of the Indirect Branch Validation Unit. Section 4 considers the effect of the Bloom filter's false positives on validation, based on the experimental data of Section 3, and how inserting the IBVU affects the performance of the processor core. Section 5 reviews related work on the protection mechanisms proposed so far, and Section 6 concludes.


Validating indirect branches

A natural way to prevent control-data attacks is to monitor program execution and ensure that it conforms to a pre-defined specification of its intended behaviour [13]. Most research pursues this goal with model-based monitoring of indirect events such as system call sequences [10], [11], [23]. However, extracting the exact static information is very hard and incurs tremendous space or run-time overhead, which makes these methods unsuitable for performance-critical and

Implementing Indirect Branch Validation Unit

Based on the data shown in Table 1, the IBVU should have the following properties: (1) the number of IBPs varies significantly between programs, so an adaptive scheme is desirable to minimize search time and power consumption; (2) because the maximum number of IBPs varies wildly from program to program, a PC-indexed table or a flat IBP table is not preferred; (3) a fixed-size hardware table must handle overflow properly. Discarding legitimate IBPs on

Performance evaluation

This section investigates the performance impact of the IBVU when it is incorporated into the processor's pipeline. In our experiments, based on CACTI 3.2 [25] with 90 nm technology, we simulate both the cascaded and the iterated organization and select the more suitable hash function for each [20]. Using four 128 K Bloom filters and Simplehash in a cascading organization, the IBVU validation is estimated to incur a delay of 2.323 ns. On the other hand, using H3 hashing and

Related works

Over the years, many contributions, in both software and hardware, have been made to securing program execution by restraining control-flow transfers. Early on, the Data Mark Machine by Fenton [8] extended every memory word with a tag; based on the underlying security policy, the tag can be set and checked for potential security violations. As simple variations of the Data Mark Machine, there have been proposals to attach a single-bit tag to each datum to

Conclusion

Current processor architectures are vulnerable to attacks that alter control data, the data used as the target addresses of indirect branches. Current systems lack a mechanism to validate the legitimacy of a branch and its target address. We have presented a micro-architectural enhancement, called the Indirect Branch Validation Unit (IBVU), that validates an indirect branch's PC together with its target (an IBP). All legitimate IBPs allowed under a

Acknowledgements

We acknowledge the help of Arnold Lee who did Verilog description and synthesis of the validation unit. This work was supported in part by a special research fund from the college of information and communications at the Korea University, Seoul, Korea, the IT R&D program of MKE/IITA [2009-F-039-01 Trustworthy Computing], and a funding from the US National Science Foundation (CNS-0627431).


References (26)

[1] M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti, Control-flow integrity, in: ACM CCS 2005, November...
[2] B. Bloom, Space/time tradeoffs in hash coding with allowable errors, Communications of the ACM (1970).
[3] Bochs, The Open Source IA-32 Emulation Project, ...
[4] CERT Security Advisories, ...
[5] J. Crandall, F. Chong, Minos: control data attack prevention orthogonal to memory model, in: Proceedings of the 37th...
[6] L. Carter et al., Universal classes of hash functions, Journal of Computer and System Sciences (1979).
[7] P. Chang, E. Hao, Y. Patt, Target prediction for indirect branches, in: Proceedings of the 24th ISCA, ...
[8] J. Fenton, Memoryless subsystems, Computer Journal (1974).
[9] H. Feng, O. Kolesnikov, P. Fogla, W. Lee, W. Gong, Anomaly detection using call stack information, in: IEEE Symposium on...
[10] S. Forrest, S. Hofmeyr, A. Somayaji, T. Longstaff, A sense of self for Unix processes, in: Proceedings of the 1996 IEEE...
[11] J. Giffin, S. Jha, B. Miller, Efficient context-sensitive intrusion detection, in: 11th Annual Network and Distributed...
[12] D. Gao, M. Reiter, D. Song, Gray-box extraction of execution graphs for anomaly detection, in: The ACM CCS Conference, ...
[13] C. Ko, C. Fink, K. Levitt, Automated detection of vulnerabilities in privileged programs by execution monitoring, in: ...
Authors

Gyungho Lee received the Ph.D. degree in computer science from the University of Illinois at Urbana-Champaign in 1986. He is currently a professor in the College of Information and Telecommunications, Korea University, Seoul, Korea. His research and teaching interests are in computer architecture, microprocessor design, and computer/network system security. He was an IEEE Computer Society Distinguished Visitor from January 2000 to December 2002. He has been an editor for several journals, including the IEEE Transactions on Parallel and Distributed Systems. He was elected a Fellow of the American Association for the Advancement of Science (AAAS) in 2006 and was awarded the "University Scholar" designation, the highest honor bestowed by the University of Illinois upon its faculty, in 2007.

Yixin Shi received his B.S. and M.S. degrees in Electronics Engineering from Shanghai Jiao Tong University in 1997 and 2000, respectively. He received the Ph.D. degree from the Department of Electrical and Computer Engineering, University of Illinois at Chicago, in 2007. He is currently a software engineer in the platform group at Google Inc. He is interested in architectural support for security, cache design in wide-issue processors, and architectural simulators.

Hui Lin is a Ph.D. student in the Department of Electrical and Computer Engineering, University of Illinois at Chicago. His research areas include microprocessor architecture and trusted computing.