Monitor integrity protection with space efficiency and separate compilation

Ben Niu, Gang Tan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

33 Scopus citations

Abstract

Low-level inlined reference monitors weave monitor code into a program for security. To ensure that monitor code cannot be bypassed by branching instructions, some form of control-flow integrity must be guaranteed. Past approaches to protecting monitor code either have high space overhead or do not support separate compilation. We present Monitor Integrity Protection (MIP), a form of coarse-grained control-flow integrity. The key idea of MIP is to arrange instructions in variable-sized chunks and dynamically restrict indirect branches to target only chunk beginnings. We show that this simple idea is effective in protecting monitor code integrity, enjoys low space and execution-time overhead, supports separate compilation, and is largely compatible with an existing compiler toolchain. We also show that MIP enables a separate verifier that completely disassembles a binary and verifies its security. MIP is designed to support inlined reference monitors. As a case study, we have implemented MIP-based Software-based Fault Isolation (SFI) on both x86-32 and x86-64. The evaluation shows that MIP-based SFI has competitive performance with other SFI implementations, while enjoying low space overhead.

Original language: English (US)
Title of host publication: CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Pages: 199-209
Number of pages: 11
DOIs: https://doi.org/10.1145/2508859.2516649
State: Published - Dec 9 2013
Event: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: Nov 4 2013 → Nov 8 2013

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
Country: Germany
City: Berlin
Period: 11/4/13 → 11/8/13

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Niu, B., & Tan, G. (2013). Monitor integrity protection with space efficiency and separate compilation. In CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (pp. 199-209). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2508859.2516649