Runtime Execution Monitoring (REM) to detect and prevent malicious code execution

A. Murat Fiskiran, Ruby B. Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

38 Scopus citations

Abstract

Many computer security threats involve execution of unauthorized foreign code on the victim computer. Viruses, network and email worms, Trojan horses, backdoor programs used in Denial of Service attacks are a few examples. In this paper, we present an architectural technique, which we call Runtime Execution Monitoring (REM), to detect program flow anomalies associated with such malicious code. The key idea in REM is the verification of program code at the hash block (similar to a basic block) level. This is achieved by pre-computing keyed hashes (HMACs) for each hash block during program installation, and then verifying these values during program execution. By verifying program code integrity at the hash block level, REM can monitor instructions whose behavior is typically exploited by malicious code, such as branch, call, return instructions. Performance degradation with REM averages 6.4% on our benchmark programs, which can be reduced to under 5% by increasing the size of the L1 instruction cache.

Original languageEnglish (US)
Title of host publicationProceedings - IEEE International Conference on Computer Design
Subtitle of host publicationVLSI in Computers and Processors, ICCD 2004
Pages452-457
Number of pages6
DOIs
StatePublished - Dec 1 2004
EventProceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors, ICCD 2004 - San Jose, CA, United States
Duration: Oct 11 2004Oct 13 2004

Publication series

NameProceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
ISSN (Print)1063-6404

Other

OtherProceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors, ICCD 2004
CountryUnited States
CitySan Jose, CA
Period10/11/0410/13/04

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'Runtime Execution Monitoring (REM) to detect and prevent malicious code execution'. Together they form a unique fingerprint.

Cite this