Architectural approaches for code injection defense at the user and kernel levels
Code injection attacks, despite being well researched, continue to be a problem today. Modern architectural solutions such as the execute-disable bit have been useful in limiting the attacks, however they enforce program layout restrictions and can often still be circumvented by a determined attacker. In this dissertation, we analyze the code injection problem from the perspective of a vulnerable system’s memory architecture. We propose an alternative memory architecture, the split memory architecture (SMA), which is not susceptible to code injection attacks. This memory architecture can be implemented either in software running on a von Neumann memory architecture or through slight modifications to the von Neumann architecture. The SMA is also able to support the execution of unmodified programs and operating systems designed and compiled for a von Neumann system. ^ We demonstrate the efficacy of the SMA approach at the user-level by presenting the design, implementation, and evaluation of an operating system level patch to run a process inside an SMA. The results show that the system is able to prevent a variety of code injection attacks while imposing less than 20% overhead on average. ^ We also demonstrate an SMA at the kernel-level with NICKLE, an instantiation of an SMA in a virtual machine monitor (VMM). We use NICKLE to verify the applicability of the SMA design to the prevention of code injection based kernel rootkits. Our evaluation reveals that NICKLE is able to prevent the execution of these rootkits while imposing less than 10% overhead to QEMU. The VMM-based SMA is also used as the basis for a rootkit profiler named PoKeR, which is able to help human experts determine the behavior of a rootkit. ^ Our results reveal that the SMA can be a solution for preventing code injection attacks in both user-level applications and the operating system kernel.^
Dongyan Xu, Purdue University, Xuxian Jiang, Purdue University.