BeCFI: detecting hidden control flow with performance monitoring counters. (2016)
- Record Type:
- Journal Article
- Title:
- BeCFI: detecting hidden control flow with performance monitoring counters. (2016)
- Main Title:
- BeCFI: detecting hidden control flow with performance monitoring counters
- Authors:
- Zhou, HongWei
Shi, WenChang
Yuan, JinHui
Li, FuLin - Abstract:
- Most of existing control flow integrity efforts target keeping intended control flow in good integrity. However, they fail to expose hidden control flow that may be introduced by the execution of rootkits, ROP gadgets, etc. To overcome the challenge, we propose an innovative approach BeCFI to detect hidden control flow based on cross-view principle. Since modern processors are capable of observing the execution of all branch instructions, BeCFI obtains the hardware view with the support of performance monitoring counters (PMCs). To obtain software view, we build a software-based counter by compiler-patching and binary-overwriting, and monitor the execution of branch instructions with software-based counters. If a control transfer only appears in hardware view, BeCFI considers that it is hidden control transfer. We have developed a prototype system on Intel x86 Linux kernel. Our evaluations show BeCFI is capable of detecting the hidden control flow introduced by kernel rootkits and ROP attacks. Furthermore our performance tests demonstrate that BeCFI incurs an acceptable overhead.
- Is Part Of:
- International journal of high performance computing and networking. Volume 9:Number 5/6(2016)
- Journal:
- International journal of high performance computing and networking
- Issue:
- Volume 9:Number 5/6(2016)
- Issue Display:
- Volume 9, Issue 5/6 (2016)
- Year:
- 2016
- Volume:
- 9
- Issue:
- 5/6
- Issue Sort Value:
- 2016-0009-NaN-0000
- Page Start:
- 470
- Page End:
- 479
- Publication Date:
- 2016
- Subjects:
- control flow integrity -- CFI -- operating systems -- kernel rootkits -- branch instructions -- performance monitoring counters -- PMCs -- high performance computing -- security
High performance computing -- Periodicals
Computer networks -- Periodicals
High performance computing
Periodicals
004.05 - Journal URLs:
- http://www.inderscience.com/jhome.php?jcode=ijhpcn ↗
http://www.metapress.com/openurl.asp?genre=journal&issn=1740-0562 ↗
http://www.inderscience.com/ ↗ - Languages:
- English
- ISSNs:
- 1740-0562
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 7813.xml