Abstract
Most of existing control flow integrity efforts target keeping intended control flow in good integrity. However, they fail to expose hidden control flow that may be introduced by the execution of rootkits, ROP gadgets, etc. To overcome the challenge, we propose an innovative approach BeCFI to detect hidden control flow based on cross-view principle. Since modern processors are capable of observing the execution of all branch instructions, BeCFI obtains the hardware view with the support of performance monitoring counters PMCs. To obtain software view, we build a software-based counter by compiler-patching and binary-overwriting, and monitor the execution of branch instructions with software-based counters. If a control transfer only appears in hardware view, BeCFI considers that it is hidden control transfer. We have developed a prototype system on Intel x86 Linux kernel. Our evaluations show BeCFI is capable of detecting the hidden control flow introduced by kernel rootkits and ROP attacks. Furthermore our performance tests demonstrate that BeCFI incurs an acceptable overhead.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: International Journal of High Performance Computing and Networking
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
