SmashGuard: A Hardware Solution to Prevent Attacks on the Function Return Address

January 27, 2004
2:30pm - 4:00pm
Halligan 111
Host:

Abstract

A buffer overflow attack is the most common method for compromising the security of a host. This attack can be used to change the function return address and redirect execution to the attacker's code. The recent Code Red, Code Red II, W32/Blaster and W32/Nachi-A worms all exploited such vulnerabilities (in Microsoft ISS and Microsoft Windows RPC) to propagate themselves across the Internet. In this talk, I will first describe the existing methods for attacking the return address and discuss the strengths and weaknesses of existing software-based solutions. I will then present our proposed microarchitectual support for the detection/prevention of such attacks. Our solution, called SmashGuard, protects against all known forms of attack on the return address pointer stored in the program stack. Because the stack operations and checks are done in hardware, and in parallel with the usual execution of instructions, our best-performing implementation scheme has virtually no performance overhead. This approach is inexpensive and non-intrusive because our hardware modification does not require that we modify the instruction set of the architecture. I will present performance statistics with SPEC-2K benchmarks of our hardware solution and the most commonly applied software solution. Finally, I will discuss our approach to handling the complexities introduced by setjmp/longjmp, context switches and deeply nested function calls.