Secure Execution via Program Shepherding
Saman Amarasinghe (MIT-LCS)
Colloquium
Tuesday, January 28, 2003, 3:30 pm
134 Sieg
Abstract
The greatest threat to our modern information infrastructure is the remote exploitation of program vulnerabilities. The goal of most security attacks is to gain unauthorized access to a computer system by taking control of a vulnerable privileged program. This is typically done by exploiting a bug in the program, such as a buffer overflow or a format string vulnerability, that allows overwriting stored program addresses with pointers to malicious code, typically inserted into the system masquerading as data. These are the most serious and prevalent attacks; 31 out of 34 CERT advisories year-to-date are due to such exploitations. All these attacks have one thing in common: they coerce the target program into performing actions that it was never intended to perform. In short, they violate the execution model followed by legitimate programs.
Instead of attempting to stop such attacks by identifying all the bugs in the program, we take a novel approach to this problem by restricting the damage that can be done by an exploitation of a program vulnerability. In this talk, I will introduce program shepherding, a method for enforcing a program's execution model. Instead of attempting to protect data, program shepherding monitors control flow in order to enforce a security policy. We use static and dynamic analyses to automatically build a custom security policy for a target program which specifies the program's execution model. First, program shepherding can restrict execution privileges on the basis of code origins. This distinction can ensure that malicious code masquerading as data is never executed, thwarting a large class of security attacks. Second, shepherding can restrict control transfers based on instruction class, source, and target. Finally, shepherding guarantees that sandboxing checks placed around any type of program operation will never be bypassed. This process requires no user interaction, but is able to build a strict enough policy to prevent all deviations from the program's control flow graph and nearly all violations of the calling convention, greatly reducing the possibility of an unintended program action.
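An added illustration of the three restrictions described above, written for this page and not code from DynamoRIO or from the talk: a toy policy checker in C that applies them to constructed control-transfer traces. The memory map, function entries, return sites, CFG edges and traces are all made up for the demonstration, and the third guarantee is simplified to "a transfer that names a raw code-cache address is a bypass attempt", since application control flow legitimately enters a fragment only through the dispatcher at the fragment head, where inlined sandbox checks sit.

```c
/* Added example, not DynamoRIO code: a toy model of the three program-
 * shepherding restrictions applied to control-transfer traces. The memory
 * map, function layout, CFG edges and traces below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ORIGIN_IMAGE, ORIGIN_DATA, ORIGIN_CACHE } origin_t;
typedef enum { XFER_DIRECT, XFER_INDIRECT_CALL, XFER_RETURN, XFER_INDIRECT_JMP } xfer_t;
typedef enum { V_OK = 0, V_ORIGIN, V_CHECK_BYPASS, V_DIRECT_EDGE,
               V_CALL_TARGET, V_RETURN_SITE, V_JMP_TARGET } verdict_t;

typedef struct { uint32_t lo, hi; origin_t origin; } region_t;
typedef struct { uint32_t src, dst; } edge_t;
typedef struct { xfer_t kind; uint32_t src, dst; } xfer_rec;

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed memory map. Only .text was loaded from the executable image;
 * heap and stack have only ever received data. The code cache is the
 * runtime's own region: application code never legitimately holds a cache
 * address, it reaches a fragment through the dispatcher at the fragment
 * head, where any inlined sandbox checks are placed. */
static const region_t regions[] = {
    {0x08048000, 0x08050000, ORIGIN_IMAGE}, /* .text      */
    {0x08060000, 0x08070000, ORIGIN_DATA},  /* heap       */
    {0xbfff0000, 0xc0000000, ORIGIN_DATA},  /* stack      */
    {0x40000000, 0x40100000, ORIGIN_CACHE}, /* code cache */
};
/* Facts the static/dynamic analysis would gather (constructed). */
static const uint32_t func_entries[] = {0x08048100, 0x08048400, 0x08048800};
static const uint32_t return_sites[] = {0x08048115, 0x08048425}; /* instr after each call */
static const edge_t direct_edges[] = {          /* CFG edges of direct transfers */
    {0x08048110, 0x08048400},                   /* main: call handler */
    {0x08048430, 0x08048440},                   /* handler: jump within handler */
};

static int in_set(const uint32_t *s, size_t n, uint32_t x) {
    for (size_t i = 0; i < n; i++) if (s[i] == x) return 1;
    return 0;
}
static origin_t origin_of(uint32_t a, int *mapped) {
    for (size_t i = 0; i < COUNT(regions); i++)
        if (a >= regions[i].lo && a < regions[i].hi) { *mapped = 1; return regions[i].origin; }
    *mapped = 0;
    return ORIGIN_DATA;
}
/* entry of the function containing a: the largest entry <= a */
static uint32_t func_of(uint32_t a) {
    uint32_t best = 0;
    for (size_t i = 0; i < COUNT(func_entries); i++)
        if (func_entries[i] <= a && func_entries[i] > best) best = func_entries[i];
    return best;
}

verdict_t check_transfer(const xfer_rec *x) {
    int mapped;
    origin_t o = origin_of(x->dst, &mapped);
    /* 1. code origins: only bytes loaded from the image may execute */
    if (!mapped || o == ORIGIN_DATA) return V_ORIGIN;
    /* 3. a raw cache address as target would enter a fragment past its checks */
    if (o == ORIGIN_CACHE) return V_CHECK_BYPASS;
    /* 2. restrict by instruction class, source and target */
    switch (x->kind) {
    case XFER_DIRECT:          /* must be an edge of the program's CFG */
        for (size_t i = 0; i < COUNT(direct_edges); i++)
            if (direct_edges[i].src == x->src && direct_edges[i].dst == x->dst) return V_OK;
        return V_DIRECT_EDGE;
    case XFER_INDIRECT_CALL:   /* must land on a function entry */
        return in_set(func_entries, COUNT(func_entries), x->dst) ? V_OK : V_CALL_TARGET;
    case XFER_RETURN:          /* must land just after a call (calling convention) */
        return in_set(return_sites, COUNT(return_sites), x->dst) ? V_OK : V_RETURN_SITE;
    case XFER_INDIRECT_JMP:    /* stay inside the same function or enter a function */
        return (func_of(x->dst) == func_of(x->src) ||
                in_set(func_entries, COUNT(func_entries), x->dst)) ? V_OK : V_JMP_TARGET;
    }
    return V_DIRECT_EDGE;
}

/* verdict of the first violating transfer in a trace, V_OK if none */
verdict_t trace_verdict(const xfer_rec *t, size_t n) {
    for (size_t i = 0; i < n; i++) {
        verdict_t v = check_transfer(&t[i]);
        if (v != V_OK) return v;
    }
    return V_OK;
}

/* Constructed traces: a normal run, and the same run ending in a smashed
 * return address that points at shellcode placed on the stack as data. */
static const xfer_rec benign_trace[] = {
    {XFER_DIRECT,        0x08048110, 0x08048400}, /* main calls handler */
    {XFER_INDIRECT_CALL, 0x08048420, 0x08048800}, /* handler calls log_msg via pointer */
    {XFER_RETURN,        0x0804880f, 0x08048425}, /* log_msg returns */
    {XFER_DIRECT,        0x08048430, 0x08048440}, /* jump inside handler */
    {XFER_RETURN,        0x0804844f, 0x08048115}, /* handler returns to main */
};
static const xfer_rec smash_trace[] = {
    {XFER_DIRECT,        0x08048110, 0x08048400},
    {XFER_INDIRECT_CALL, 0x08048420, 0x08048800},
    {XFER_RETURN,        0x0804880f, 0x08048425},
    {XFER_RETURN,        0x0804844f, 0xbfff1234}, /* overwritten return address */
};

int main(void) {
    printf("benign trace verdict: %d\n", trace_verdict(benign_trace, COUNT(benign_trace)));
    printf("smash trace verdict:  %d (V_ORIGIN = %d)\n",
           trace_verdict(smash_trace, COUNT(smash_trace)), V_ORIGIN);
    return 0;
}
```

Note the ordering of the checks: a smashed return address pointing into the stack is rejected by the code-origin rule before the calling-convention rule is even consulted, while a return-into-libc style transfer that targets legitimate image code (a function entry rather than a return site) is caught by the per-class restriction on return targets. In the real system the direct-transfer check runs once, when the code is copied into the cache; only the indirect transfers need a lookup at run time.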
We have implemented program shepherding in the DynamoRIO runtime code modification system. DynamoRIO executes a program through copies of its code stored in a cache. The code cache is the key to efficient, secure execution, because it allows many security checks to be performed only once, when the code is copied to the cache. We show that secure execution of a program using this system adds an average overhead of only 25% over native execution. More information can be found at http://cag.lcs.mit.edu/dynamorio.