Strengthening Software Self-Checksumming via Self-Modifying Code

Jonathon T. Giffin, Mihai Christodorescu, Louis Kruger

December 6, 2005

This paper is a result of research work on self-checksumming and appeared in the Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC'05), December 5-9, 2005, Tucson, Arizona, USA.

Mihai Christodorescu was supported in part by the Office of Naval Research (ONR) under contract N00014-01-1-07081, while working as a research assistant on the WiSA project. Jonathon T. Giffin was partially supported by a Cisco Systems Distinguished Graduate Fellowship.

An extended version of this paper was published as UW-Madison Department of Computer Sciences Technical Report # 1531.

Abstract

Recent research has proposed self-checksumming as a method by which a program can detect any possibly malicious modification to its code. Wurster et al. developed an attack against such programs that renders code modifications undetectable to any self-checksumming routine. The attack replicated pages of program text and altered values in hardware data structures so that data reads and instruction fetches retrieved values from different memory pages. A cornerstone of their attack was its applicability to a variety of commodity hardware: they could alter memory accesses using only a malicious operating system. In this paper, we show that their page-replication attack can be detected by self-checksumming programs with self-modifying code. Our detection is efficient, adding less than 1 microsecond to each checksum computation in our experiments on three processor families, and is robust up to attacks using either costly interpretive emulation or specialized hardware.
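The following added example is not code from the paper. It is a toy Python model of the idea in the abstract: a plain checksum reads code through the data path and so misses tampering in a replicated page, while a self-modifying probe notices that a store is not visible to the next instruction fetch. The `Memory` class, the sample bytes and the probe function are constructed for illustration, and the probe's store-then-fetch behaviour is an assumption about how such a check can work.

```python
# Toy model (constructed): one virtual code page that may be backed by
# separate frames for data accesses and for instruction fetches.

class Memory:
    def __init__(self, code, split=False):
        self.data_frame = list(code)  # seen by loads and stores
        # Under page replication, fetches resolve to a different copy.
        self.fetch_frame = list(code) if split else self.data_frame

    def read(self, addr):             # data read (used by the checksum)
        return self.data_frame[addr]

    def write(self, addr, value):     # data write (used by self-modification)
        self.data_frame[addr] = value

    def fetch(self, addr):            # instruction fetch (what actually runs)
        return self.fetch_frame[addr]


def checksum(mem, length):
    """Plain self-checksum: touches code bytes through the data path only."""
    total = 0
    for addr in range(length):
        total = (total * 31 + mem.read(addr)) & 0xFFFFFFFF
    return total


def smc_probe(mem, addr):
    """Store a marker over a code slot, then look at what the instruction
    path returns. True means data and instruction views agree."""
    original = mem.read(addr)
    marker = original ^ 0xFF          # guaranteed to differ from the original
    mem.write(addr, marker)
    executed = mem.fetch(addr)
    mem.write(addr, original)         # restore the slot
    return executed == marker


def run_scenario(split):
    code = [0x55, 0x89, 0xE5, 0x90, 0xC3]       # constructed sample bytes
    expected = checksum(Memory(code), len(code))
    mem = Memory(code, split=split)
    if split:
        mem.fetch_frame[1] = 0xCC               # change only the executed copy
    checksum_ok = checksum(mem, len(code)) == expected
    probe_ok = smc_probe(mem, addr=3)
    return checksum_ok, probe_ok


if __name__ == "__main__":
    print("normal mapping:", run_scenario(split=False))
    print("replicated page:", run_scenario(split=True))
```

In the replicated-page scenario the checksum still matches while the probe fails, which is the signal a self-checksumming program can act on.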
