Signature-Based Protection from Code Reuse Attacks

Transcription

1 1 Signaue-Based Poecion fom Code Reuse Aacks Mehme Kayaalp, Suden Membe, IEEE, Timohy Schmi, Junaid Nomani, Dmiy Ponomaev, Membe, IEEE, Nael Abu Ghaaleh, Membe, IEEE Absac Code Reuse Aacks (CRAs) ecenly emeged as a new class of secuiy explois. CRAs consuc malicious pogams ou of small fagmens (gadges) of exising code, hus eliminaing he need fo code injecion. Exising defenses agains CRAs ofen incu lage pefomance oveheads o equie exensive binay ewiing and ohe changes o he sysem sofwae. In his pape, we examine a signaue-based deecion of CRAs, whee he aack is deeced by obseving he behavio of pogams and deecing he gadge execuion paens. We fis demonsae ha naive signaue-based defenses can be defeaed by inoducing special delay gadges as pa of he aack. We hen show how a sofwae-configuable signaue-based appoach can be designed o defend agains such sealh CRAs, including he aacks ha manage o use longe-lengh gadges. The poposed defense (called SCRAP) can be implemened eniely in hadwae using simple logic a he commi sage of he pipeline. SCRAP is ealied wih minimal pefomance cos, no changes o he sofwae layes and no implicaions on binay compaibiliy. Finally, we show ha SCRAP geneaes no false alams on a wide ange of applicaions. Index Tems Pocesso Achiecues, Suppo fo Secuiy, Code Reuse Aacks. 1 INTRODUCTION Explois ageing sofwae vulneabiliies emain one of he pimay secuiy heas o compue sysems, wih coss esimaed in he 1s of billions of dollas [1]. The NIST naional vulneabiliy daabase includes ens of housands of vulneabiliies, wih an aveage epoing ae of 1 new vulneabiliies pe day [2]. Thus, i is ciical o build sysems ha make explois difficul o launch and ha deec and limi hei effec quickly. Mos cuen aacks sa by exploiing a buffe oveflow vulneabiliy. Despie significan effos in devising soluions ha peven buffe oveflows [3] [6], hey emain pevalen. Ealy code injecion aacks ovewoe he buffe wih he malicious code on he sack and simulaneously ovewoe he eun addess o poin a he sa of he exploi code [7], [8]. A numbe of sofwae and hadwae appoaches o poec agains such aacks wee devised [9] [12]. These effos have culminaed in he ecen deploymen of hadwae memoy poecion mechanisms ha do no allow a memoy page o be boh wiable and execuable a he same ime (he so called W X poecion). These hadwae exensions ae suppoed by boh AMD and Inel pocessos and deployed in boh Linux and Windows opeaing sysems [13], [14]. poined o by he nex eun addess on he sack. All he aacke has o do is o injec a pope sequence of eun addesses ono he sack o poin o he needed gadges. ROP was shown o be Tuing-complee on a vaiey of plafoms [16] [2]. Auomaed ools have been developed ha allow unsophisicaed aackes o consuc abiay malicious pogams using ROP [21] [24]. Seveal defense mechanisms agains ROP have been ecenly poposed [25] [3]. Pehaps he simples of hese soluions ae he ones ha uilie a shadow call/eun sack, whee he eun insucions ae mached agains he coesponding calls using poeced memoy space [28] [3]. We assume ha such an enfocemen of call-eun pais is aleady in place and heefoe simple ROP-based aacks ae defeaed. 1.1 Code Reuse Aacks: Bypassing W X In esponse o hese defenses new Code Reuse Aacks (CRAs) emeged ha consuc a malicious pogam by siching ogehe caefully seleced fagmens of he exising libay code; hese snippes ae called gadges [15]. One example of a CRA is he eun-oiened pogamming (ROP) aack, whee each gadge ends wih a eun insucion o igge he execuion of he nex gadge Compue Science Depamen, Binghamon Univesiy, Binghamon, NY {mkayaalp,schmi1,jnomani1,dima,nael}@cs.binghamon.edu Fig. 1. Example of a simple JOP aack. Unfounaely, a new fom of CRA was developed ha does no ely on eun insucions [31] [33]. In his jump-oiened pogamming (JOP) model, he aacke chains he gadges using a sequence of indiec jump insucions, ahe han eun insucions. A special dispache gadge is used o ochesae he conol flow among he gadges. A high level example of he

2 2 JOP aack model is shown in Figue 1. This diagam shows how he aack will jump fom he dispache gadge o funcional gadges which will hen eun he conol back o he dispache gadge. The jump locaions change based on he addesses popped off he sack by he dispache gadge, and will ulimaely esul in he execuion of a sysem call. 1.2 Poposed Soluion: Signaue-based CRA Deecion Alhough i may appea ha CRAs ae a naow fom of aack, hey epesen a wide-open vulneabiliy ha is inceasingly used o exploi common buffe oveflows. Fo example, Apple s opeaing sysem fo mobile devices (ios) employs a secue boo chain and code signing o peven any unused code fom execuing [34]. Howeve ecen appoaches o jailbeak and sofwae unlock such devices ae CRA-based [35] and ae able o bypass all hese secuiy measues. Thus, i is ciical o develop soluions ha poec agains his majo vulneabiliy, pefeably in a way ha poecs legacy binaies. In his pape, we popose Signaue-based CRA Poecion (SCRAP): a simple and low-ovehead hadwae scheme o poec agains JOP aacks ha ae based on he dynamic deecion of aack signaues, o he paens of execued insucions ha ae indicaive of he JOP aack. SCRAP woks because he aack paens ae significanly diffeen fom hose of he egula pogams as hey execue fequen indiec jump (o call) insucions o jump fom gadge o gadge. Pevious wok [26] invesigaed his ype of defense fo ROP aacks and showed ha i has pomise. They implemened a defense mechanism called DROP in sofwae using Valgind ool o deec he ROP paen. Because i is implemened in sofwae, DROP incus ove 5X pefomance loss on he aveage acoss simulaed wokloads, mainly due o he ovehead of Valgind. Saing fom DROP, we made seveal obsevaions abou exising signaue-based deecion ha moivaed his wok. Fis, he ideas of signaue-based deecion can be exended o poec agains he JOP aacks if one uses he indiec jumps as he gadge boundaies. Second, he high pefomance ovehead of DROP (appopiaely adaped o poec agains JOP aacks) can be avoided by implemening he checking logic in hadwae, placing his hadwae off-he-ciical pah in he commi sage of he pipeline, and pefoming simple checks duing insucion commimen. If successful, his appoach can povide poecion wih much lowe ovehead and complexiy compaed o he pevious soluions and can naually poec he exising binaies. Thid, and mos impoan, he naive implemenaions of he signaue-based deecion along he lines of DROP can be bypassed because of he song assumpions i makes abou usable gadge lenghs. Fo example, we demonsae an aack ha uses a delaying gadge hough a funcion call in he middle of he aack wih he only pupose o diso he aack signaues expeced by a DROP-like signaue-based defense. Finally, he hesholds on he lengh of gadges assumed by DROP ae no absolue: alhough difficul, i is possible o find longe gadges and inegae hem ino an aack, avoiding deecion. In his pape, we pesen a complee woking example of such a sealh JOP aacks inegaing delay gadges, and using gadges longe han he DROP hesholds. Moivaed by hese obsevaions, we popose an aack signaue deecion logic ha poecs agains such sealh JOP aacks by fileing ou he spuious funcion calls in he middle of he aack fom he aack signaue. We develop a language fo he possible aack sequences and deive fom i a sae machine implemenaion of he deecion logic. We show ha he poposed mechanism geneaes no false alams in any of he egula wokloads ha we consideed and successfully deecs CRAs, even when delay gadges ae used, fo a lage numbe of shellcodes. Finally, we exend he deecos o oleae infequen use of longe gadges. We popose implemening he deeco in hadwae boh fo pefomance and legacy binay suppo easons, bu he main eason is ha hadwae soluions ae able o deec even when uninended insucions (see Secion 2.2) ae used by he aacke. Sofwae soluions such as CFI [36], CFL [37], Google NaCl [38] y o peven he aacke fom eve using an uninended insucion. Bu if only one conol flow change could be execued, hen he aacke could bypass all he checking insucions by only using uninended insucions. Such a saing poin migh be due o a bug in he veifie/binay ewie o due o a poion of he code ha is no checked. In hadwae based soluions, even uninended insucions ae subjec o checks. SCRAP has he following key chaaceisics: I successfully deecs all JOP aacks ha we wee able o geneae, while esuling in eo false alams acoss egula code base. I incus minimal pefomance cos (less han 2%) and only equies simple hadwae a he commi sage of he pipeline. Thee is also no impac on he pocesso cycle ime. I does no equie complex binay ewiing, binay annoaion, o consucion of a full conol flow gaph of a pogam. I also does no equie compile o ISA suppo and can be used o poec legacy binaies. Wih a simple hadwae suppo, i pefoms checks fo uninended jumps (in vaiable insucion-lengh achiecues, such as x86) hus closing he poenial secuiy vulneabiliy of puely sofwae-based soluions. This submission is an exended vesion of he pape ha appeaed in HPCA-213 confeence [39]. The confeence pape has been significanly exended in he following ways: In he confeence vesion, we only evaluaed he impac of SCRAP on SPEC 26 benchmaks. In his submission, we exend he sudy of false alams due o SCRAP o a numbe of ohe applicaions, including Adobe Flash Playe, Apache web Seve and Moilla Fiefox web bowse and Xpdf PDF

3 3 viewe. We pesen including Xpdf, Adobe Flash Playe, Apache2 Web Seve and Moilla Fiefox web bowse. We pesen deailed esuls fo hese applicaions and demonsae ha no false posiive alams occu duing hei execuion. Figue 12 and Figue 14, showing he false posiive aes, have been significanly impoved o claify he specific benchmaks ha have a leas one false posiive fo vaying SCRAP paamees. These figues also include he saisics fom he newly evaluaed applicaions lised above. To analye he impac on he ciical pah delay and dynamic powe consumpion, we implemened he poposed SCRAP deeco in Veilog HDL on an FPGA wih a 9nm pocess. We evaluaed boh designs: a vanilla SCRAP pesened in Secion 7 and he wo-heshold SCRAP vaiaion discussed in Secion 1. Fo compaison, we also evaluaed 8-, 16-, 32- and 64-bi counes in he same echnology. Ou esuls ae pesened in Secion 11, showing ha he ovehead of SCRAP fom boh iming and powe sandpoins is negligible. Specifically, a simple G 7,4 SCRAP logic, has a shoe delay han an 8-bi coune and consumes as much powe as a 16-bi coune. To esimae he memoy ovehead of SCRAP, we added Figue 11, which shows he memoy foopin of he Secue Call Sack using diffeen alignmens fo SCRAP counes. Specifically, we evaluaed he ovehead of adding bye- and wod-long SCRAP counes o each Secue Call Sack eny, and we show ha he addiional memoy ovehead due o SCRAP counes is negligible. 2 CRA MECHANICS AND EXAMPLE In his secion, we oveview a fully funcional example of a JOP aack. We follow by discussing how vaiable lengh ISAs such as x86 and x86-64 significanly incease he numbe of gadges available fo aacks. 2.1 Funcional JOP Aack Example Figue 2 shows an example of he malicious shell code o be execued by he aacke. The pupose of his simple code is o execue a sysem call ha sas a new shell. Fo his example, we use he sandad C libay ( ) as he code base fo he gadge composiion. Table 1 shows he gadges ha we found in o cay ou he funcionaliy of he aack fom Figue 2. Finally, we show he dynamic sequence of he discoveed gadges o execue his aack and explain he funcionaliy and pupose of each dynamic gadge invocaion. In ode o launch a shell using he gadges in Table 1, his ype of aack has o accomplish wo hings: he coec paamees fo a sysem call mus be placed in he agumen egises and a sysem call mus be made. To launch a shell, ou example aack makes a sysem call o execve. When he sysem call is made, egises ecx and edx mus poin o a null wod, x, ; Load he syscall numbe fo execve o eax xo eax, eax ; Se eax o mov al, xb ; Se eax o xb ; Poin ecx and edx o a null wod mov ecx, NULL ; NULL poins o x mov edx, NULL ; Poin ebx o he execuable pah mov ebx, SH ; SH poins o "/bin/sh" in x8 ; Make he sysem call Fig. 2. Example shellcode in assembly. Gadge Gadge Funcion popa g cmc jmp [ebp+x62] Dispache g1 add [esi+edi*4-xd], bl jmp eax Null-Wie g2 in x8 Sysem Call TABLE 1 Gadges used in example aack. and ebx mus poin o he sing "/bin/sh". Boh null wods and he sing "/bin/sh" can be found in memoy; we can place hei addesses ono he sack and le he JOP aack pop hem ino he appopiae egises. The emaining sep in he aack is o iniialie he value of he eax egise. When he sysem call is made, eax mus conain xb, indicaing a call o execve. Howeve, a JOP aack ypically depends on exploiing a buffe oveflow; hese aacks ypically ely on a buffe oveflow which is exploied by he aacke o place daa on he sack. The buffe is ypically a sing buffe, so a x bye causes he sysem o eminae eading he sing; he aacke canno use null values in he iniial oveflow. If he aack needs any null values, such as hose in he wod xb, he aack mus geneae hem iself. We make use of a null-wie gadge o ceae null values on he sack ha will evenually be popped ino eax. Ou null-wie is consuced wih an add insucion, adding he bye held in bl o he bye on he sack poined o by esi+edi*4-xd. If we place byes holding xff on he sack as pa of he iniial oveflow aack and ensue ha bl conains x1, we can add x1 o xff on he sack, oveflowing o a x. Using his mehod, ou aack ceaes he wod xb on he sack whee i can be popped ino eax as he final sep befoe he sysem call gadge is used. In he emainde of his secion we show how he aack execues using he gadges descibed in Table 1. We assume he aacke has exploied a buffe oveflow o place daa on he sack and ediec conol flow o he dispache gadge (g). Fom he dispache gadge, he aack poceeds o execue he null-wie gadge (g1), hen g, g1, g, g1, g, and finally, he sysem call (g2). Below, each sep sas wih he gadge numbe followed

4 4 by an explanaion of how i advances he aack. Sep 1 - g The dispache gadge iniiaes he aack wih a popa insucion. This insucion populaes he egises wih useful values he aacke has placed on he sack. The second insucion, cmc, has no meaningful effec on his aack. Afe iniialiing he egises wih values necessay fo an aack, he dispache jumps o he null-wie gadge. Sep 2 - g1 The null-wie gadge adds he bye held in bl o he bye ha esi+edi*4-xd poins o. In Sep 1, he dispache gadge populaed he egises so ha bl conains x1 and esi+edi*4-xd poins o he value xff in he fuue value of eax on he sack. Sep 3 - g Populae he egises wih he values necessay o pefom he null-wie a second ime. Sep 4 - g1 Wie x o a second bye in he fuue value of eax. Sep 5 - g Populae he egises wih values fo a hid and final execuion of he null-wie. Sep 6 - g1 Wie he final null value ono he sack whee eax is popped fom. Sep 7 - g Populae he egises wih he appopiae values fo a sysem call. The value ha is popped fom he sack o eax is xb. Sep 8 - g2 Make a sysem call o execve(), launching a new shell. 3 UNDERSTANDING SIGNATURES OF JOP AT- TACKS Signaue based defenses can only wok if he insucion paens exhibied by he aack code can be disinguished fom hose of nomal pogams. The JOP aack paens (he numbe and he lengh of gadges used) ae diffeen fom he paens of ROP aacks examined in [26] because of wo facos: 1) he eliance on indiec jumps insead of euns; and 2) he need o execue he dispache gadge o ochesae he gadge-level conol flow, hus equiing moe gadges fo an aack. In ems of he numbe of gadges, Chen e al. [26] epoed ha a leas hee consecuive gadges ae needed o cay ou even a simple ROP aack. Fo JOP, he numbe of gadges needed is highe because of he need o call he dispache gadge afe evey funcional gadge. In addiion, i is much easie o compose an aack using sho-lengh gadges o limi he undesiable side effecs on he pogam sae. All exising ools fo auomaic gadge discovey [15], [31] heefoe limi he gadge sie o a mos five insucions and only conside usable he gadges ha pefom one opeaion (and one sae updae). The wok of [26] also used gadge sies of a mos five insucions fo implemening he shellcodes in ROP-syle aack. Signaue based deecion elies ciically on hese heshold values, so i is impoan o veify ha hey hold. 2.2 Gadges and Uninended Insucions Fo ISAs such as x86 wih vaiable sie insucions, he aackes can find gadges ha ae uninended by he pogamme. Specifically, hese ae insucions ha sa a a bye in he middle of a muli-bye insucion. These insucions accoun fo a lage numbe of he gadges exploiable by aackes [31]. 3.1 Gadge Analysis fo JOP Aack The sie of a usable gadge is limied by he side-effecs ha he gadge has on he pogam sae (including memoy locaions and egises). Lage gadges ypically ovewie many egises and/o memoy locaions, hus couping he sae and making aack coninuaion vey difficul o impossible. This is especially ue fo he gadges ha ae compised of uninended insucions. Inended piece of code fom mov [esp-x8], esi mov edi, [ebx-x44] mov esi, gs:[edi] 35% Sae Changes 2 Sae Changes b bb bc FF FF FF 65 8b 37 o [ebx-x4345], cl jmp ebp-x75 Uninended gadge code wih indiec jump Fig. 3. Example gadge wih uninended jump. To illusae he concep of uninended banches, we show a sequence of byes fom he libay in he op pa of Figue 3. If he decoding sas afe skipping he fis fou byes, a diffeen insucion sequence can be decoded as shown a he boom of Figue 3, conaining an indiec jump ha he pogamme did no inend o execue. Alhough he uninended gadges fa exceed inended gadges in numbe, hey ae ofen hade o uilie because hey can include aely-used insucions wih complicaed addessing modes and consans. Thus, only sho uninended gadges ae ypically usable. Pecenage of Toal Gadges Found 3% 25% 2% 15% 1% 5% % Gadge Lengh Fig. 4. Gadge lengh and sae changes saisics fo sandad C libay. To undesand he side-effec popeies of he JOP gadges, we pefomed exensive gadge analysis wihin he code base of seveal libaies. Ou gadge discovey

5 5 Fileed Gadges Toal Gadges Sie 5 Uninended Inended yp libphead Sie Sie 6 yp Sie 6 libphead Sie 7 yp Sie 7 libphead Sie 8 yp Sie 8 libphead yp libphead yp libphead yp libphead yp libphead Fig. 5. Gadge lengh and side effec analysis: op figues show he oal numbe of gadges of a given lengh while he boom figue shows he gadges fo he same lengh wih he shown numbe of side effecs. algoihm sas wih building he gadge ie as descibed by Shacham e al. [15]. In a gadge ie, indiec jump insucions ae epesened as nodes immediaely unde a dummy oo node. A child node unde an indiec jump epesens a possible decoding of an insucion peceding he paen insucion. Since muliple possible insucions (all bu one uninended) can pecede an indiec banch, he ie can banch leading o muliple gadges ending a he same indiec banch. Once he ie is consuced, he algoihm aveses he nodes saing wih an indiec banch owad is childen, and evey pah along his avesal epesens a possible gadge. Signaue deecion elies ciically on he obsevaion ha usable gadges ae sho allowing us o disinguish aacks fom nomal pogams whee he disance beween indiec banches ae significanly longe. We base ou appoach o he usabiliy of gadges on he numbe of sae updaes ha a gadge pefoms. Sae updaes ae egise limiing insucions such as egise wies o indiec memoy accesses (which foce egises o be a specific value in ode o peven illegal accesses). We conend ha longe gadges ha make muliple sae updaes ae difficul o use wihou desoying he aack sae. Figue 4 shows he oal numbe of gadges discoveed by he algoihm in he sandad C libay (), as well as he numbe of gadges ha emain afe we emove he gadges ha do moe sae changes han each given heshold. Figue 5 shows he same gadge saisics fo ohe common libaies. The op pa of he figue shows he oal numbe of gadges of a given lengh (each lengh is a sepaae figue). The boom pa shows he numbe of gadges pesen (of he same lengh as he coesponding op figue) wih a mos one sae updae. While a significan numbe of gadges of vaious sies obviously exis in he libaies, hee ae no gadges of sie eigh insucions o moe ha pefom less han wo sae updaes (o memoy o egises). Figue 6 shows he aveage numbe of side effecs as he gadge lengh inceases. I also shows he minimum Numbe of Side Ef f ecs Av eage Minimum Gadge Lengh Fig. 6. Numbe of side effecs as gadge lengh inceases. numbe of side effecs in gadges of ha lengh found acoss all he libaies we sudied. As he gadge lengh gows he numbe of side effecs gows linealy making hem inceasingly moe difficul o use. Even a a heshold of 7, hee exiss only one gadge wih a single sae updae in, and anohe one in -2.. Upon fuhe examinaion, we found boh of hese gadges no o be usable because hey use uninended insucions ha canno be used. Since no suiable gadges of seven insucions o moe wee found in muliple libaies, a heshold of seven insucions can be used by SCRAP o idenify a gadge. Howeve, using his lengh as a had heshold epesens a song assumpion: he aacke may be able o oleae some of he side-effecs in a long gadge, allowing he o use i as a delay gadge and bypass he deecion. We lae elax his assumpion o build signaue deecos ha ae esilien o he pesence of some longe gadges. 4 STEALTH JOP ATTACKS: CONCEALING AT- TACK PATTERNS WITH DELAY GADGETS Fom he discussion in he pevious secion, i appeas ha simple signaue-based deecion can be effecively applied o poec agains JOP aacks. Howeve, when designing secuiy soluions i is impoan o assume ha he aacke is awae of he paicula defense ha is implemened and conside possible aack modificaions ha would bypass his poecion.

6 6 All JOP and ROP vaiaions developed o dae only consideed he funcional equiemens of he aack. Theefoe, all gadges used by he aackes wee pefoming some useful pa of he aack code. In addiion, o avoid he necessiy of dealing wih gadge side-effecs, he exising auomaic ools fo geneaing JOP and ROP aacks only conside small gadge sies. Signaue-based appoaches ae effecive unde hese assumpions, as shown in [26] and also by he analysis in he pevious secion. Howeve, wha if he aacke is awae of he signaue-based poecion and modifies he aack o diso is execuion paens fom hose expeced by he defense? One appoach fo accomplishing his is o inoduce a delay gadge in he middle of he aack. The pupose of a delay gadge is no o execue any pa of he aack code, bu ahe pefom some spuious compuaions in a way ha would no coup he machine sae needed by he aack. A he same ime, he gadge would be long enough o ese he gadge coun used by he signaue deeco, befoe an aack is deeced. In his secion, we inoduce such delay gadges and demonsae how he aack shown in he backgound secion can be modified o incopoae i. The analysis in he pevious secion showed ha long gadges have oo many side effecs o be usable; howeve, i is possible o ceae a small sied delay gadges by using a call o a funcion. Since mos funcions have no side effecs, hey epesen an ideal vehicle fo implemening delay gadges wihou desoying he pogam sae. If a funcion call esuls in execuing a lage numbe of insucions he signaue based aack deeco will ese (assuming ha his is a valid pogam), allowing he aacke o coninue he aack. In he emainde of his secion, we demonsae how o implemen a delay gadge using a funcion call (using aoi()). g3 Gadge call, [ecx-x56a] add bl, bh inc ebx add dh, bh jmp edi Gadge Funcion Delay TABLE 2 Delay gadge used in sealh JOP aack. An example of a delay gadge ha makes a call o he aoi() funcion is shown in Table 2, his gadge was found in he libay. aoi() execues many moe insucions han he ypical JOP gadges, bypassing signaue based deecion. When aoi() euns, some egises such as eax, ecx, and edx may have been aleed and do no conain daa ha is meaningful o he aack. Howeve, by convenion, ohe egises such as ebx, esi, edi, esp, and ebp ae saved. As long as he delay gadge ends wih an indiec jump based on one of hese saved egises, he aack can eun o he dispache gadge which can ecove fom any side effecs caused by he delay. This new aack, which we call Sealh-JOP, is mouned using he same seies of gadges as ou pevious example, bu wih delay gadges called peiodically o avoid deecion. Ou pevious JOP aack jumped fom he dispache gadge o a funcional gadge, and hen back o he dispache. The Sealh-JOP aack example jumps fom he dispache o a funcional gadge, and hen o he delay gadge. Afe he delay gadge has execued, he conol euns o he dispache. Thus, hee is no sequence in he code wih muliple consecuive sho gadges, making DROP-like signaue deecion fail. A he same ime, he aacke is able o execue abiay code using he sho funcional gadges. In addiion o consideing delay gadges hough funcion calls, i is impoan o noe ha if even one gadge of lengh highe han he deecion heshold in DROP can be used (o a leas oleaed) in an aack, hen an aacke can exploi his gadge o bypass signaue deecion. We build he basic SCRAP deecos fis assuming ha he gadge lenghs deived in Secion 3 epesen had limis; ha is, evey gadge ha makes 2 side effecs o moe is no usable. Howeve, i is highly likely ha a moivaed aacke will be able o find a leas some longe gadges whose side effecs can be oleaed; we wee able o idenify muliple such gadges in consucing ou aacks. We hen elax his assumpion and develop moe sophisicaed signaue deecos in Secion 1, ha ae able o oleae he pesence of some longe gadges and sill deec an aack. 5 THREAT MODEL, ASSUMPTIONS AND LIMI- TATIONS We use sandad CRA assumpions on he aacke s access o memoy; his could be obained using a buffe oveflow, a sing fomaing aack, o a non-local jump buffe (using sejmp and longjmp [4]). We assume ha he sysem has NX suppo fo wiable memoy such ha code injecion aacks ae no possible. We assume ha he aacke can find abiay gadges limied only by he aack lenghs as pe he analysis we showed in Secion 3. Lae we elax his assumpion by allowing he use of longe gadges. Thoughou he pape, we pesen eal aacks consuced fom exising libay code. Howeve, ahe han assume secuiy due o ou inabiliy o find gadges in he cuen vesion of he libaies, we make he assumpion of he exisence of abiay gadges such ha he defense woks wih any fuue code base, and no jus he ones we used fo he analysis. We assume ha he vulneabiliy exploied o iniiae he aack does no lead o a pivilege escalaion. If pivilege escalaion is achieved fom he iniial vulneabiliy, hen a CRA aack is no necessay. The aacke may seek o obain pivilege escalaion hough he CRA. The new sealh JOP aack poposed in his pape uses delay gadges o obfuscae he JOP execuion paen. We exploed he use of funcion calls as delay gadges because of he limied side-effecs ha hey geneae. Ou analysis also showed adiional gadges ae ineffecive beyond a ceain lengh because of he pesence of sae

7 7 updaes. Howeve, hee is a possibiliy ha addiional paens of geneaing delay gadges may exis (e.g., a loop gadge), alhough we have no been able o find and exploi such gadges. We believe ha he deecion logic can be exended o capue such delay paens as well. 6 EXPRESSING ATTACK SIGNATURES IN FOR- MAL LANGUAGE In his secion, we fomalie he aack paen as a conex-fee gamma. This fomal descipion is used as he basis fo he hadwae implemenaion of SCRAP logic. We encode execuions of insucions as sings of symbols denoing ypes of insucions, called signaues. The aacks ae hen fomalied as fomal languages of signaues. The alphabe used in his secion is given in Table 3. Symbol w x y a Insucion Indiec Jump Indiec Call Call Reun All Ohe TABLE 3 Signaue alphabe. 6.1 Expessing Aacks Wihou Delay Gadges We obseve ha basic CRAs, such as ROP and JOP aacks, can be expessed as a fomal language defining an aack as he following egula expession ha uses POSIX Exended Regula Expessions: R N,S = (a {, N} (w x)) {S, } Hee, w denoes an indiec jump and x denoes an indiec call, while a denoes any ohe ype of insucion. N is a paamee ha specifies he numbe of insucions ha a gadge can have, while S specifies he numbe of consecuive gadges consideed as an aack. Fo example, in R 5,3 case, hee consecuive gadges each having no moe han five insucions fom an aack. 6.2 Expessing Aacks wih Delay Gadges Wih he inclusion of funcion calls as delays, he fomal language defining he aack becomes a conex fee language, fomalied as he conex-fee gamma G N,S, whee again N is he numbe of insucions ha a gadge can have and S is he numbe of consecuive gadges consideed as an aack. The definiion of G 5,3 = (V, Σ, Rules, Aack) is given in Figue 7. The gamma sas wih Aack which is expanded o S = 3 phases, each including a gadge and an unbounded numbe of delays. A gadge is he same as he G N,S egula expession defined above in Secion 6.1. A delay sas wih a Call and ends wih a Reun and a Body beween hem which we fuhe define o capue V ={Aack, P, Gadge, Delays, Delay, Call, Body, Reun, Gadge, Indiec, NoGadge, NoAack} Σ ={w, x, y,, a} Rules ={ Aack P P P P Gadge Delays Delays Gadge Gadge Indiec a Indiec a a Indiec Indiec w x a a a Indiec a a a a Indiec a a a a a Indiec Delays Delay Delays ε Delay Call Body Reun Call x y Reun Body Delays Body Body Delays Body a Body Body a ε Body NoGadge NoAack NoGadge a a a a a a Indiec a NoGadge NoAack ε P P P } Fig. 7. Definiion of G 5,3 = (V, Σ, Rules, Aack). complex delay gadges consising of nesed funcion calls. Specifically, he delay gadge can have any numbe of delay funcion calls, and any numbe of unimpoan insucions. I can also include less han S gadges in i as long as hee is a NoGadge sequence befoe i. A N ogadge has moe han N insucions befoe he Indiec insucion. The gamma is given fo specific N and S values, bu i can be efomulaed fo any N and S value by simply changing some of he poducion ules. Aack has S numbe of P expansions and Gadge allows N many a s befoe Indiec. N ogadge and N oaack would also have o be changed accodingly. Signaue R 5,3? G 5,3? aaawaawaaw Yes Yes awaaxaaaaw Yes Yes awaxaaaaaaaxaw No Yes awaxaayaaaaxaw No Yes TABLE 4 Example aack signaues. Table 4 shows example aack signaues and whehe hey ae consideed as an aack unde pio appoaches descibed in Secion 6.1 and unde he gamma ha excludes delays. The pas of he signaue ha ae mached as delays unde G 5,3 ae highlighed. 7 SCRAP: HARDWARE-BASED SIGNATURE DETECTION In his secion, we demonsae an efficien hadwae implemenaion o ecognie he fomal gamma ha

8 8 expesses he aack signaues shown in he pevious secion. The poposed logic equied by SCRAP is locaed a he commi sage of he pipeline off of he ciical iming pah. In he subsecions below, we descibe he componens of SCRAP, building fom a single sae machine owads developing he complee soluion. This is a sandad execise of anslaing he language gamma ino he hadwae implemenaion; howeve, because up o fou insucions commi evey cycle, we inoduce an opimiaion ha significanly simplifies he logic wihou having any advese impac on he pefomance. 7.1 The SCRAP Sae Machine The SCRAP sae machine is shown in Figue 8. We use a coune o keep ack of he cuen gadge lengh, and a compaao o decide whehe he coune is above he gadge lengh heshold. When a gadge end is deeced (w o x even in he language), he gadge lengh is used o ansiion hough he shown finie sae machine. The emaining sep o implemen he push down auomaa is o noe ha when a call insucion is encouneed, we push he cuen sae numbe o he shadow sack. This numbe is esoed when a eun insucion is encouneed. sauaing coune T 1 1 L q a: incease coune w, x: if coune < T 1, oupu S else oupu L x, y: push he sae : pop he sae L L L S S S S sa q 1 q 2 q 3 q a 1 Fig. 8. The sae machine fo SCRAP. 7.2 Inegaing Sae Counes ino Secue Call Sack As we discussed peviously, a shadow call sack is a mechanism ha has been poposed o defend agains simple ROP aacks [28] [3], [41]. SCRAP elies on a hadwae implemenaion of he call sack, which is backed up by a lage sofwae sack. In ou design, each eny of he hadwae sack is augmened wih he coune ha keeps ack of he numbe of poenial aack gadges ha execued consecuively. This makes i possible o ack he infomaion abou he sae of he aack even acoss funcion calls, eliminaing hei use as delay gadges. 7.3 The SCRAP Micoachiecue We now descibe he micoachiecual changes needed fo an ou-of-ode supescala pocesso o implemen SCRAP. Fis, as he insucions ae decoded, he infomaion abou he elevan insucion ypes is exaced and placed in he Reode Buffe (ROB) enies allocaed fo he insucions. Fo his pupose, all insucions ae classified ino five ypes, as defined by he aack gamma in Secion 6, hus equiing a new 3-bi wide field wihin each ROB eny o cay his infomaion. When he insucions each he commi sage of he pipeline, his infomaion is used o updae he SCRAP sae machine counes. The complexiy of he coune updae logic depends on he supescala widh (i.e. how many insucions commi pe cycle) and also on he hesholds on he gadge lengh and he numbe of consecuive gadges used by SCRAP. To simplify he logic, o ensue ha only one coune updae can be pefomed pe cycle, and also o ensue ha in a single cycle we opeae on he counes wihin a single eny of he secue sack, we popose a echnique called Commi Tholing Simplifying SCRAP hough Commi Tholing To simplify he SCRAP sae machine coune updae logic, we popose Commi Tholing (CT), which allows only one of he following insucions o be commied in a single cycle: CALL, indiec CALL, indiec jump, and RET. The numbe of hese insucions in ypical pogams is small (less han 5% combined accoding o ou analysis based on he binay insumenaion of SPEC 26 benchmaks). When encouneing he second insucion fom his lis in he co-commiing goup in he same cycle, he commi logic blocks and delaying he commi he second insucion o he nex cycle. An addiional equiemen ha we impose is ha wheneve a eun insucion is encouneed, he commi pocess also sops o ensue ha we always opeae on he counes wihin he same sack eny in each cycle. The impac of CT opimiaions on he pefomance is negligible (less han.3% on he aveage fo SPEC 26 benchmaks), bu i allows us o significanly limi he numbe of diffeen insucion paens coming ou of he commi sage in a single cycle in ems of hei impac on he SCRAP deecion sae. We pesen deails of ou implemenaion in Secion Allowing sofwae configuaion of SCRAP We allow he SCRAP deeco hesholds o be configuable using a pivileged sysem call ha ses he deecion machine sae. We build lage deeco allowing up o 1 gadges in a ow o be deeced. The configuaion can be changed o G N,S by changing he T 1 heshold egise o N and by making he S h sae in he deeco o be he finish sae deecing he pesence of an aack. The choice of sofwae configuabiliy is made fo wo easons. Fis we obseved significan divegence in applicaion behavio. Wihou sofwae configuabiliy, we ae foced o use he wos case hesholds ha do no geneae false posiives acoss any applicaions. Many applicaions do no use indiec banch and call insucions fequenly, and can benefi fom lowe hesholds which fuhe incease he difficuly of aacks. A he

9 9 same ime, we wan o poec agains he poenial of an applicaion ha does geneae false posiives agains ou hesholds. If he hesholds ae fixed in hadwae, hen such an applicaion canno be suppoed. 8 PERFORMANCE EVALUATION OF SCRAP Fo evaluaing he pefomance impac of SCRAP, we used PTLsim [42] - a cycle-accuae x86 pocesso simulao. We simulaed a 4-wide issue ou-of-ode coe wih 64KB L1 daa and insucion caches, 512KB L2 cache and 2 MB L3 cache. Memoy laency was assumed o be 1 cycles. We used 17 C and C++ SPEC CPU26 [43] benchmaks fo ou expeimens. The benchmaks wee compiled using GCC-4.2 compile on a x86 machine unning Ubunu wih kenel vesion Each benchmak was simulaed fo 2 billion commied insucions afe fas-fowading fo he fis 1 million insucions. Fis, we sudied he impac of he Commi Tholing opimiaion. We discoveed ha hee was negligible slowdown due o CT (less han.1% on aveage). To explain his slowdown, we show in Figue 9 he pecenage of cycles whee CT iniiaed a commi block. The cos of mos of hese salls is hidden by ou-ofode execuion, esuling in he obseved low impac on oveall pefomance. Fo a 4-eny hadwae buffe of he secue call sack, he pefomance ovehead of SCRAP is jus ove 1% on he aveage and i is less han 6% fo all benchmaks as shown in Figue 1. This includes he ovehead of salls due o CT cycles as well as he ovehead of he oveflow of he hadwae call sack buffe. The addiional memoy equiemen fo SCRAP (and also he secue call sack) is shown in Figue 11. SCRAP uses small counes ha easily fis in a bye, bu using wod-long counes is pefeable fo alignmen puposes. The esuls show ha, even wih longe counes, memoy foopin of SCRAP is less han a memoy page of 4 KByes. Pecenage of CT cycles 1% 8% 6% 4% 2% % asa bip2 gcc gobmk h264ef hmme lbm mcf milc namd omnepp pelbench povay sjeng soplex sphinx3 xalancbmk Fig. 9. Pecenage of cycles whee commi is blocked by CT. 9 SECURITY ANALYSIS OF SCRAP In his secion, we analye he SCRAP deecion effeciveness. We fis demonsae ha i esuls in no false posiives fo nomal pogams and hen analye deecion of acual shellcodes. Slowdown 2.5% 2.% 1.5% 1.%.5%.% asa bip2 gcc gobmk h264ef hmme lbm mcf milc namd omnepp pelbench povay sjeng Fig. 1. Pefomance slowdown of SCRAP. Secue Call Sack Sie (KBye) bye-long wod-long 2.77 soplex sphinx3 xalancbmk aveage Fig. 11. Secue call sack sie when using bye- and wod-long SCRAP counes. 9.1 False Posiives in Regula Codes Nex, we examine he impac of SCRAP on he execuion of eal pogams o deemine if SCRAP geneaes any false alams duing legal pogam execuion. We used Pin ool [44] o insumen 18 C/C++ SPEC 26 benchmaks and Apache Web Seve, Fiefox Web Bowse, Adobe Flash Playe 11.2 and Xpdf 3.3 PDF viewe, fo one billion insucions. Fo insumening Apache, we used Apache benchmaking ool ab o emoely send housands of equess o he web seve which seves a saic vesion of he Wikipedia eny 1 wih a sie of abou 65KBs. Fiefox benchmak is insumened by accessing he same Wikipedia eny online and Xpdf is insumened using a PDF vesion of he same page. Fo Flash Playe, we used a sandalone vesion of a Flash caoon called The Badge Song 2. The insumenaion esuls ae pesened in Figue 12, which shows he se of benchmaks ha have a leas one false posiive fo given values of N and S. As seen fom hese figues, fo he hesholds wih fou consecuive gadges and a mos seven insucions in each gadge, none of ou benchmaks geneaed false posiives; i.e., a SCRAP deeco G 7,4 geneaes no false posiives fo he above applicaions. The selecion of a SCRAP configuaion is a adeoff beween secuiy (he abiliy of deecing aacks), and false posiives (flagging legiimae code as an aack). 1. hp://en.wikipedia.og/wiki/scap 2. hp://weebls-suff.com/songs/badges/

10 S (numbe of consecuive gadges) m m apache m fiefox flash xpdf m m asa q bip2 p gcc x gobmk y h264ef u hmme v lbm m m u m libquanum p mcf q milc p m namd w s p w u omnepp s y u m w w m s m s s u m y y y pelbench p u u u v p p p p s povay v sjeng u p m q w soplex w q sphinx3 s u p m q xalancbmk u v s u p m q p u v s u p m q p u v s u p m q p u v s y x p u v p N (gadge lengh) Fig. 12. Lis of benchmaks wih non-eo false posiive aes fo G N,S fo diffeen values of N and S. Since we only evaluaed a subse of possible applicaions, i is impossible o claim ha false negaives will neve occu. Insead, ou esuls demonsae ha fo some SCRAP configuaions ha deec all known and even hypoheical aacks, he ae of false posiives is likely o be vey small (even if hey exis a all), such ha hese false posiives can be addessed individually. This, fo example, can be achieved by making excepions, o ceaing he whieliss. Fo example, one excepion could be made fo jump ages ha ae loaded fom ead-only memoy. Ou peliminay expeimens on a Windows plafom show ha hee is such necessiy fo Impo Addess Tables on Poable Execuable foma (please efe o he supplemenay documen fo deails). 9.2 Deecing JOP Aacks Wih a SCRAP deeco G 7,4, SCRAP is capable of deecing any JOP aack ha does no use a gadge longe han 7 insucions (8 including he ending conol flow insucion). Thusfa, evey published aack, and evey aack auomaion ool uses gadges of sie 5 o less [15], [24], [26]. As seen in Secion 4, gadges ha call funcions can be used in an aack because hey peseve half of he egises due o assembly convenion. Howeve, SCRAP is capable of deecing aacks ha implemen hese gadges, while a JOP vesion of DROP would fail. As discussed in Secion 3, in geneal long gadges ha do no use funcion calls have oo many side effecs o be used in an aack. Theefoe, all cuenly published aacks would be deeced by SCRAP. Howeve, if an aacke is awae of he SCRAP poecion, hey may be able o find longe gadges whose side effecs can be oleaed o epaied by a subsequen gadge. Thus, we exend SCRAP in Secion 1 o defend agains such possible JOP aacks ha manage o use an occasional long gadge in he middle of he aack o avoid deecion. To fuhe assess SCRAP deecion capabiliies, we implemened 14 shell code aacks available fom he Shell-Som Linux shellcode eposioy [45]. These shellcodes anged in complexiy fom simple single sysem calls, o aacks wih muliple sysem calls, condiional banches, and loops. Even he mos basic aack equied a leas 6 gadges, which is geae han he minimum numbe of consecuive gadges necessay o be deeced by SCRAP. Gadges longe han 6 insucions wee exemely difficul o incopoae due o side effecs. Howeve, we wee able o include a small numbe of gadges of inemediae lengh, a few insucions longe. Aacks ha use hese longe gadges ae defeaed by he impoved deeco pesened in Secion 1. 1 TOLERATING LONGER GADGETS Thusfa, we have assumed ha he lengh of he gadges usable by aackes is limied o a had heshold chosen in a way ha makes false posiives impossible. This assumpion is based on he analysis in Secion 3 whee we showed ha longe gadges ceae oo many sae updaes, making hem difficul o use (e.g., Figue 6). Howeve, i may be possible fo aackes o idenify some longe gadges whose side effecs do no compleely desoy he aack sae. Such gadges can be used as a delay gadge o avoid deecion by he basic SCRAP deeco. In ou own implemenaion of shellcodes, alhough i was difficul, we wee able o idenify a few such gadges ha ae longe han he deecion heshold and could be inegaed ino an aack successfully, avoiding deecion by he basic SCRAP. These gadges, fo example, updaed egises ha wee no needed fo he aack, modified a non-ciical memoy locaion while being able o avoid illegal accesses, o had a sideeffec ha could be undone by anohe gadge. Thus, fo pacical signaue based deecion, i is impeaive ha we deec aacks even in he pesence of some of hese longe gadges. In he emainde of his secion we popose a new muli-heshold deeco ha is able o deec CRAs quickly, while oleaing he use of longe gadges. Inuiively, he deeco assumes ha aackes may be able o find some gadges longe han he SCRAP heshold whose side-effecs can be oleaed o undone by subsequen gadges. These inemediae gadges ae no easy o find o use consucively in an aack since he numbe of side effecs made by a gadge gows quickly wih he lengh of he gadge. Side effecs also incease he numbe of gadges necessay fo an aack; a epai gadge mus be called in ode o coec sae changes and a dispache gadge mus be called in ode o each he epai gadge. The new deeco deecs aacks as a sequence of gadges of lengh T 1 o shoe, while allowing he use of inemediae gadges (IGs) of lengh T 2 o shoe such ha T 2 > T 1. Since IGs ypically do no advance he aack bu ae used only o avoid deecion, we do no advance he gadge coun (move close o deecion) like we do wih sho gadges. A he same ime we only ese o he iniial sae wih gadges of lengh geae

11 S (numbe of sho gadges) 11 han T 2. Now, fo evey ohe IG he gadge coune is educed by one o ake advanage of he addiional gadges necessay o epai side effecs. To deec an aack, we sill need S sho gadges ( T 1 ) befoe a vey long gadge (> T 2 ). The sae machine fo he muli-heshold deeco is shown in Figue 13. We call a deeco of his ype G T1,T 2,S whee S is he gadge coun ha is needed o deec an aack. Noe ha all hee hesholds ae sofwae configuable in pivilege mode. The false posiive ae is inceased by his new muliheshold deeco. Peviously, medium lengh gadges ese SCRAP o is iniial sae, seing all counes o, making i moe difficul o deec an aack (bu making i possible fo aackes o avoid deecion). Figue 14 shows he benchmaks wih false posiives fo all benchmaks we evaluaed. The esuls show ha T 1 can be se o 7, and T 2 can be se o a vey high lengh of 25 wihou any false posiives wih gadge coun, S, of 4. Gadges of lengh 25 in he libaies we examined have a minimum of 5 side effecs and an aveage of 14 side effecs (Figue 6) i is exemely impobable ha hey can be used wihou desoying he ciical aack sae apache m m fiefox flash xpdf asa q bip2 m p gcc x gobmk y h264ef u hmme v lbm m m m m m libquanum p mcf q milc namd w w w m s m s m s u omnepp y y y w m s y u u u pelbench p p p w m s y u p u p s povay v sjeng u p m q w soplex w q sphinx3 s u p m q xalancbmk u v s u p m q p u v s u p m q p u v s u p m q p u v s y x p u v p (7, 1) (7,15) (7, 2) (7, 25) (7, 5) (T1, T2) (heshold pais fo gadge lenghs) Fig. 14. Lis of benchmaks wih non-eo false posiive aes fo wo-heshold deeco G T 1,T 2,S fo diffeen values of (T 1, T 2) and S. sa M L q sauaing coune T1 1 T q 1 a: incease coune w, x: if coune < T1, oupu S else if coune < T2, oupu M else oupu L x, y: push he sae : pop he sae L L L S S S S q1 q2 q3 M, L M M M M M S L q 2 S q 3 L S qa wo-heshold SCRAP pesened in he pevious secion. In ode o allow compaison, we also evaluaed 8-, 16-, 32- and 64-bi counes on he same echnology. Figue 15 shows he ciical pah delays of boh designs fo vaying widhs. A baseline SCRAP design shown as (n, s) means i is able o deec G N,S aack language whee N and S ae encoded using n and s bis especively. Similaly a wo-heshold SCRAP shown as ( 1, 2, s), uses 1 and 2 bis fo he wo heshold values and s bis fo gadge coun. Resuls fo ou unopimied implemenaion show ha he delay of SCRAP sae machine is well unde he cycle peiod of a supescala pocesso. Wih a iming oiened design, i can be implemened wih a shoe ciical pah. 1 Fig. 13. Sae machine fo he wo-heshold deeco. As a fuhe enhancemen, a simple G 7,4 SCRAP module, as discussed in Secion 9, could be used concuenly wih his muli-heshold deeco o cach aacks ha use hee sho gadges in a ow. The ovehead of his appoach is linea in he numbe of deecos since a new sae machine has o be implemened fo each deeco, and a space on he sack is needed o save each deeco s sae upon a funcion call. 11 FPGA IMPLEMENTATION We implemened he poposed deecos in Veilog HDL on a Xilinx Spaan-3E XC3S1E FPGA wih a 9nm pocess, using Xilinx ISE WebPACK We evaluaed boh designs; baseline SCRAP pesened in Secion 7 and Ciical Pah Delay (ns) (3,2) (3,3) (3,4) (4,2) (4,3) (4,4) (6,6,2) (6,6,3) (6,6,4) (7,7,2) (7,7,3) (7,7,4) 8-bi 16-bi 32-bi Baseline SCRAP Two-heshold SCRAP Counes Fig. 15. Ciical pah delays fo wo SCRAP designs wih diffeen widhs and vaious counes fo efeence. We fuhe evaluaed he dynamic powe dissipaion of ou FPGA designs, using Xilinx Powe Esimao 11.1 fo Spaan-3E FPGA Family. We se he ambien empeaue o 65 C, oggle ae o.5 and clock ae o 256MH. Resuls ae shown in Figue 16. Again, same x- 64-bi

12 12 axis labels ae used as in Figue 15 and also counes of vaious widhs ae pesened o allow compaison. Using he HDL Synhesis Repo, we esimaed he ansiso coun of he SCRAP logic. The lages baseline SCRAP design (4, 4) has as many ansisos as a 32-bi up coune and he lages wo-heshold design (7, 7, 4) has lile less ansisos han a 64-bi up coune. Dynamic Powe Dissipaion (mw) (3,2) (3,3) (3,4) (4,2) (4,3) (4,4) (6,6,2) (6,6,3) (6,6,4) (7,7,2) (7,7,3) (7,7,4) 8-bi 16-bi 32-bi Baseline SCRAP Two-heshold SCRAP Counes Fig. 16. Dynamic powe dissipaions fo wo SCRAP designs wih diffeen widhs and vaious counes fo efeence. 12 RELATED WORK In his secion, we oveview diffeen appoaches o poecing agains CRA aacks. The elaed wok is oganied ino hee pas: (1) defenses agains buffe oveflow aacks; (2) compehensive defenses; and (3) defenses specific o Code Reuse Aacks (CRAs) Defenses agains Buffe Oveflows Seveal appoaches wee developed o defea buffe oveflows which ae necessay o iniiae a CRA aack [9] [11], [46] [48]. Sackguad [9] and PoPolice [47] ae GCC exensions ha use canaies. SackShield sepaaes eun addesses ino a sepaae sack a compile ime making i impossible fo sack buffe oveflows o ovewie he eun addess [48]; simila woks save a copy of he eun addess and validae i befoe a funcion eun [1], [11]. SackGhos uses he egise window feaue of he Sun Spac achiecue o veify ha eun addesses have no been ovewien [49]. Recenly, he adven of he NoExecue (NX) bi and is suppo by mainseam opeaing sysems have made code injecion aacks ineffecive [13], [14] Compehensive Defenses Memoy bounds checking (MBC) annoae poines wih hei legal addess ange and check evey memoy access agains he base and bound of he associaed daa sucue [3], [4], [5], [51]. Howeve, he ovehead of MBC is subsanial. MBC canno peven all memoy explois: i canno poec legacy binaies and exenally linked o loaded componens. Dynamic Infomaion Flow Tacking (DIFT) ains he infomaion coming fom insecue souces, and dynamically acks and popagaes he ain 64-bi hough pocesso egises and memoy locaions. The dawback is ha DIFT is a heavy-weigh appoach ha enails a significan edesign of he pocesso daapah and memoy sysem if implemened in hadwae [5], [6], [52], o incus a subsanial pefomance ovehead if implemened in sofwae [53], [54]. Daa flow inegiy [55] deives he daa flow gaph duing compile-ime and insumen he pogam o enfoce confomance wih he flow in he gaph; noe ha his is a dual appoach o conol flow inegiy CRA Aacks and Defenses The fis CRA aack poposed was he eun-ino- (RILC) aack [56], whee he aacke subves he conol flow o call a funcion in he sandad C libay. Exensions o basic RILC have been poposed o allow a saic chain of funcions o be called [57] and ecenly o allow a geneal daa-dependen fom of chaining of funcions [58]. Reun-oiened Pogamming (ROP) aacks wee ecenly poposed o execue abiay code [15], and he numbe of soluions o hem wee inoduced [26] [3]. We discussed hose soluions in deail in ealie secions of his pape. The newe defenses agains ROP aacks also aemp o addess JOPs. Fo example, Onalioglu e al. fis use binay ewiing o emove uninended banches and euns [59]. To poec inended banches, hey use funcion-specific makes on each sack fame; hey call hese makes sack cookies. They also inse checks afe evey banch o check he sack cookie. Kayaalp e al [41] popose banch egulaion, a hadwae suppoed echniques o poec agains JOPs. Using binay ewiing, hey inse makes a he beginning of evey funcion, which include a magic numbe o mak a legal funcion eny, as well as he lengh of he funcion. Conol flow inegiy [36] is an appoach o enfoce legal conol flow inside of pogams; CFI would idenify he illegal conol flow necessay fo code euse aacks. Conol Flow Locking [37] laily enfoces he same popey and achieves smalle pefomance ovehead. Addess space layou andomiaion (ASLR) [6] andomly offses he pogam locaion in memoy. ASLR and ohe opimied heap allocaion models [61], [62] hide he coec addess of he malicious code hiding he locaion of he gadges. Unfounaely, explois agains ASLR ae known; fo example, a a foma sing aack can expose he sack locaion o an aacke allowing he andom offse o be deived [63]. Schwa e al show ha even a small pa of he code being unandomied is sufficien o consuc CRA aacks [24]. 13 CONCLUDING REMARKS In his pape, we pesened SCRAP, a new hadwaebased achiecue fo poecing agains he emeging class of code euse aacks (CRAs). We demonsaed ha he laes incanaion of CRAs - jump oiened pogamming (JOP) aacks - have execuion paens ha