TY - GEN
T1 - Runtime Execution Monitoring (REM) to detect and prevent malicious code execution
AU - Fiskiran, A. Murat
AU - Lee, Ruby B.
PY - 2004
Y1 - 2004
N2 - Many computer security threats involve execution of unauthorized foreign code on the victim computer. Viruses, network and email worms, Trojan horses, backdoor programs used in Denial of Service attacks are a few examples. In this paper, we present an architectural technique, which we call Runtime Execution Monitoring (REM), to detect program flow anomalies associated with such malicious code. The key idea in REM is the verification of program code at the hash block (similar to a basic block) level. This is achieved by pre-computing keyed hashes (HMACs) for each hash block during program installation, and then verifying these values during program execution. By verifying program code integrity at the hash block level, REM can monitor instructions whose behavior is typically exploited by malicious code, such as branch, call, return instructions. Performance degradation with REM averages 6.4% on our benchmark programs, which can be reduced to under 5% by increasing the size of the L1 instruction cache.
AB - Many computer security threats involve execution of unauthorized foreign code on the victim computer. Viruses, network and email worms, Trojan horses, backdoor programs used in Denial of Service attacks are a few examples. In this paper, we present an architectural technique, which we call Runtime Execution Monitoring (REM), to detect program flow anomalies associated with such malicious code. The key idea in REM is the verification of program code at the hash block (similar to a basic block) level. This is achieved by pre-computing keyed hashes (HMACs) for each hash block during program installation, and then verifying these values during program execution. By verifying program code integrity at the hash block level, REM can monitor instructions whose behavior is typically exploited by malicious code, such as branch, call, return instructions. Performance degradation with REM averages 6.4% on our benchmark programs, which can be reduced to under 5% by increasing the size of the L1 instruction cache.
UR - http://www.scopus.com/inward/record.url?scp=17644387252&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=17644387252&partnerID=8YFLogxK
U2 - 10.1109/ICCD.2004.1347961
DO - 10.1109/ICCD.2004.1347961
M3 - Conference contribution
AN - SCOPUS:17644387252
SN - 0769522319
T3 - Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
SP - 452
EP - 457
BT - Proceedings - IEEE International Conference on Computer Design
T2 - Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors, ICCD 2004
Y2 - 11 October 2004 through 13 October 2004
ER -