BeCFI:Detecting Hidden Control Flow with Performance Monitoring Counters
Most of existing control ow integrity e
orts target keeping intended control ow in good integrity.However,they fail to expose hidden control ow that may be introduced by the execution of rootkits,ROP gadgets,etc.To overcome the challenge,we propose an innovative approach BeCFI to detect hidden control ow based on crossview principle.Since modern processors are capable of observing the execution of all branch instructions,BeCFI obtains the hardware view with the support of performance monitoring counters(PMC).To obtain software view,we build a software-based counters by compiler-patching and binary-overwriting,and monitors the execution of branch instruction with software-based counters.If a control transfer only appears in hardware view,BeCFI considers that it is hidden control transfer.We have developed a prototype system on Intel x86 Linux kernel.Our evaluations show BeCFI is capable of detecting the hidden control ow introduced by kernel rootkits and ROP attacks.Furthermore our performance tests demonstrates that BeCFI incurs an acceptable overhead.
control flow integrity operating system kernel branch performance monitoring counters
国内会议
湖北恩施
英文
1-16
2014-09-13(万方平台首次上网日期,不代表论文的发表时间)