Please use this identifier to cite or link to this item: http://hdl.handle.net/10603/489726
Title: Memory behaviour based models for program integrity verification and anomaly detection against code reuse attacks
Researcher: Dileesh E D
Guide(s): Shanthi A P
Keywords: Engineering and Technology
Computer Science
Computer Science Artificial Intelligence
run-time anomalies
Control Flow Integrity
Reliability
University: Anna University
Completed Date: 2022
Abstract: The reliability and usefulness of any computing system rely on the integrity and correctness of the code running in the system. Any adversarial modification of the code causes execution integrity violations in the system and causes behaviour anomalies. The code may be modified statically using code injection methods or altered dynamically at run-time to create attacks against computing systems. Techniques to detect execution integrity violations rely on static code analysis models like Control Flow Integrity (CFI) solutions, taint tracking and hardware-based trusted computing platforms. CFI schemes keep the list of valid control-flow target addresses as eligible target sets, and these target addresses are verified on each execution of the direct or indirect control transfer instructions. Taint tracking methods intentionally insert some special data structures into the code at compile time, and the behaviour of these data structures is verified during execution. Trusted computing platforms ensure code integrity, but at the cost of additional hardware and storage. Even though basic CFI schemes are widely adopted in many systems, these techniques do not preserve Time Of Check To Time Of Use (TOCTTOU) consistency. Also, there exist more advanced and application-specific code reuse attack strategies like Data Oriented Programming (DOP) that bypass CFI checks. Solutions that deal with these types of attacks require compiler or hardware support and modifications. This thesis proposes strategies to detect run-time anomalies without any hardware or software modification in the underlying machine or the application code. The broad objective of the thesis is to build a behaviour model that detects run-time anomalies in applications. The specific objective is to detect the non-control-data attacks created using Return Oriented Pro
Pagination: xiv, 113p.
URI: http://hdl.handle.net/10603/489726
Appears in Departments: Faculty of Information and Communication Engineering

Files in This Item:
File | Description | Size | Format
01_title.pdf | Attached File | 191.41 kB | Adobe PDF
02_prelim.pdf | | 1.16 MB | Adobe PDF
03_content.pdf | | 75.32 kB | Adobe PDF
04_abstract.pdf | | 48.4 kB | Adobe PDF
05_chapter 1.pdf | | 119.89 kB | Adobe PDF
06_chapter 2.pdf | | 186.26 kB | Adobe PDF
07_chapter 3.pdf | | 677.79 kB | Adobe PDF
08_chapter 4.pdf | | 824.03 kB | Adobe PDF
09_chapter 5.pdf | | 378.22 kB | Adobe PDF
10_annexures.pdf | | 381.79 kB | Adobe PDF
80_recommendation.pdf | | 194.8 kB | Adobe PDF


Items in Shodhganga are licensed under Creative Commons Licence Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0).
