An application specific dynamic behaviour model using function-call sequence and memory access-graph for execution integrity verification

Abstract

Computing systems demand stringent security checks to guard themselves against powerful attack vectors. Deployment of the Control Flow Integrity(CFI) checks limit the control flow of a program to a set of valid destinations, derived from the static analysis of the code. CFI checks guarantee the integrity of the executed code, but, they do not guarantee the integrity of execution, as sophisticated attack vectors create attacks that comply with the normal control flow of the program. This paper proposes an application specific, dynamic, execution integrity verification scheme, to detect static and dynamic integrity breaches. The system builds a behaviour model consisting of function call sequences and memory access graphs, to verify the semantic behaviour exhibited by the application. Dynamic variation of the function behaviour is further recorded as Access Graph Variance Vector (AGVV). Temporal sequencing of function calls, together with the memory access graph comparison, yields a two-level integrity verification system. Apart from detecting the deviations from normal behaviour, our proposed method limits the abnormal behaviour from being propagated. Experimental evaluation of the proposed method using applications from MiBench benchmark suite against static integrity breaches shows cent percent verification accuracy with less than 5% false positive rate. The system also identifies the dynamic integrity violation caused by ROP based attacks from the RIPE benchmark suite, indicating an accuracy of 94.44% against dynamic integrity breaches.