Mihai Christodorescu
Doctoral Candidate
1210 W Dayton St
Office 7372
Madison, WI 53706-1685
|
This paper is a result of research work on self-checksumming and appeared as Technical Report # 1531 at University of Wisconsin, Madison. A shortened version of this report appeared in the Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), December 5-9, 2005, Tucson, Arizona, USA.
Mihai Christodorescu was supported in part by the Office of Naval Research (ONR) under contract N00014-01-1-07081, while working as a research assistant on the WiSA project. Jonathon T. Giffin was partially supported by a Cisco Systems Distinguished Graduate Fellowship.
Downloads:
- Version suitable for printing: PDF Postscript
- Citation: BibTeX
Abstract
Recent research has proposed self-checksumming as a method by which a program can detect any possibly malicious modification to its code. Wurster et al. developed an attack against such programs that renders code modifications undetectable to any self-checksumming routine. The attack replicated pages of program text and altered values in hardware data structures so that data reads and instruction fetches retrieved values from different memory pages. A cornerstone of their attack was its applicability to a variety of commodity hardware: they could alter memory accesses using only a malicious operating system. In this paper, we show that their page-replication attack can be detected by self-checksumming programs with self-modifying code. Our detection is efficient, adding less than 1 microsecond to each checksum computation in our experiments on three processor families, and is robust up to attacks using either costly interpretive emulation or specialized hardware.
Maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai).
Created: Mon Dec 19 11:21:10 2005
Last modified: Sun Oct 29 00:24:52 CDT 2006