StackGhost: Hardware Facilitated Stack Protection
نویسندگان
چکیده
Conventional security exploits have relied on overwriting the saved return pointer on the stack to hijack the path of execution. Under Sun Microsystem’s Sparc processor architecture, we were able to implement a kernel modification to transparently and automatically guard applications’ return pointers. Our implementation called StackGhost under OpenBSD 2.8 acts as a ghost in the machine. StackGhost advances exploit prevention in that it protects every application run on the system without their knowledge nor does it require their source or binary modification. We will document several of the methods devised to preserve the sanctity of the system and will explore the performance ramifications of StackGhost.
منابع مشابه
Towards a Storage Stack for the Data Center by Ioan Alexandru
Towards a Storage Stack for the Data Center Ioan Alexandru Stefanovici Doctor of Philosophy Graduate Department of Computer Science University of Toronto 2016 The storage stack in a data center consists of all the hardware and software layers involved in processing and persisting data to durable storage. The shift of the world’s computation to data centers is placing significant strain on the s...
متن کاملHow to protect the protector?
This paper describes ongoing research to harden the lower part of the software stack, normally not covered by existing software-based fault-tolerance mechanisms. I discuss a combination of four techniques to harden the operating system kernel against hardware faults: resilient data structures, asynchronous checks, restartable OS services, and message protection. I present initial performance re...
متن کاملEnlisting Hardware Architecture to Thwart Malicious Code Injection
Software vulnerabilities that enable the injection and execution of malicious code in pervasive Internet-connected computing devices pose serious threats to cyber security. In a common type of attack, a hostile party induces a software buffer overflow in a susceptible computing device in order to corrupt a procedure return address and transfer control to malicious code. These buffer overflow at...
متن کاملECDSA on Things: IoT Integrity Protection in Practise
This paper documents some experiences and lessons learned during the development of an IoT security application for the EU-funded project RERUM. The application provides sensor data with end-to-end integrity protection through elliptic curve digital signatures (ECDSA). Here, our focus is on the cost in terms of hardware, runtime and powerconsumption in a real-world trials scenario. We show that...
متن کاملDefending Embedded Systems Against Buffer Overflow via Hardware/Software
Buffer overflow attacks have been causing serious security problems for decades. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. In this paper, we propose the Hardware/Software Address Protection (HSAP) technique to solve this problem. We first classify buffer overflow attacks into two categories (stack s...
متن کامل