SBIR-STTR Award

Preventing Program Hijacking via Static and Dynamic Analyses
Award last edited on: 6/12/2015

Sponsored Program: SBIR
Awarding Agency: DOD : OSD
Total Award Amount: $994,839
Award Phase: 2
Solicitation Topic Code: OSD11-IA5
Principal Investigator: Clark L Coleman

Company Information

Zephyr Software LLC

4826 Stony Point Road
Barboursville, VA 22923
(434) 242-4280
jwd@zephyr-software.com
www.zephyr-software.com
Location: Single
Congr. District: 07
County: Greene

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year: 2012
Phase I Amount: $131,237

Control flow hijacking occurs when an attacker overwrites a control-flow data item (e.g., a return address or function pointer) to take control of the execution of a program. We propose to detect and prevent hijacking by using a low-overhead per-process dynamic run-time virtualization monitor, called an SDT (software dynamic translator), to make shadow copies of control-flow data items each time they are initialized or updated, and to detect overwriting changes that occur between initialization and use. A static analyzer that operates on program binaries will help identify all control-data items, and reduce run-time overhead by identifying control-data items that are provably safe (not susceptible to overwriting between initialization and use). Remedial actions to be taken when attempted hijacking is detected will not be limited to program termination; program recovery techniques will be studied and designed.

Keywords:
Control Flow Hijacking, Software Dynamic Translation, Static Analysis, Dynamic Analysis, Virtualization.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year: 2014
Phase II Amount: $863,602

To hijack the execution of a program, an attacker must overwrite the value of a return address or a function pointer (broadly defined). To prevent program hijacking, our product will provide a layered defense of these two targets, including deterministic and randomization defenses, with the ability in many cases to continue execution after a hijacking attempt is prevented. Our product toolkit includes static analysis of the program binary to be protected (no source code required) and dynamic monitoring using virtual machine technology after deployment. The randomization defense can be used to provide artificial software diversity.

Keywords:
program hijacking, program binaries, static analysis, process virtualization, software diversity