Title :
Strengthening software self-checksumming via self-modifying code
Author :
Giffin, Jonathon T. ; Christodorescu, Mihai ; Kruger, Louis
Author_Institution :
Comput. Sci. Dept., Wisconsin Univ., WI
Abstract :
Recent research has proposed self-checksumming as a method by which a program can detect any possibly malicious modification to its code. Wurster et al. developed an attack against such programs that renders code modifications undetectable to any self-checksumming routine. The attack replicated pages of program text and altered values in hardware data structures so that data reads and instruction fetches retrieved values from different memory pages. A cornerstone of their attack was its applicability to a variety of commodity hardware: they could alter memory accesses using only a malicious operating system. In this paper, we show that their page-replication attack can be detected by self-checksumming programs with self-modifying code. Our detection is efficient, adding less than 1 microsecond to each checksum computation in our experiments on three processor families, and is robust up to attacks using either costly interpretive emulation or specialized hardware.
Keywords :
invasive software; system recovery; altered data structure; checksum computation; commodity hardware; hardware data structure; malicious code modification; malicious operating system; memory access alteration; memory page replication detection; program text replication; self-checksumming program; self-modifying code; software self-checksumming routine; undetectable code modification; Contracts; Data structures; Detectors; Emulation; Hardware; Information retrieval; Licenses; Operating systems; Protection; Robustness;
Conference_Title :
Computer Security Applications Conference, 21st Annual
Conference_Location :
Tucson, AZ
Print_ISBN :
0-7695-2461-3
DOI :
10.1109/CSAC.2005.53