
Detecting And Identifying Security Attacks Using Performance Counters

Posted on: 2012-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: L W Yuan
GTID: 2178330335497788
Subject: Computer software and theory

Abstract/Summary:
Security breaches are a major threat to the dependability of computer systems and can cause not only economic but also social damage. However, many previous mitigation approaches are either heavyweight, requiring non-trivial modifications to processor architectures, or intrusive, requiring source-code or binary modifications to applications. Further, some emerging attack techniques such as return-oriented programming are usually difficult to detect with existing techniques.

In this paper, we propose an approach to detecting security breaches based on the hardware support for performance monitoring in modern processors. The key observation is that security breaches, which typically cause abnormal control and data flow, usually incur precisely identifiable deviations in performance samples. Based on this observation, we design and implement a system called Eunomia, the first non-intrusive system that can detect emerging return-oriented programming attacks without any changes to applications (either source or binary) and without special-purpose hardware. Eunomia can also detect realistic attacks using traditional means, including code-injection attacks and return-to-libc attacks, on unmodified binaries. Further, with novel performance counter mechanisms such as Branch Trace Store, Eunomia can assist post-attack analysis by utilizing the precise control transfers recorded during attack runs.

Security evaluation shows that Eunomia has low false positive and false negative rates when detecting several realistic security attacks. Performance results show that Eunomia incurs only 4.72% performance overhead on average, ranging from 0.09% to 10.49%. These two evaluations indicate that Eunomia could be applied to real-world applications on off-the-shelf systems for daily use.
Keywords/Search Tags:Software Security, Performance Counter, Return-oriented Programming Attack, Branch Trace Store