Execution Model Enforcement Via Program Shepherding

Nearly all security attacks have one thing in common: they coerce the target program into performing actions that it was never intended to perform. In short, they violate the program’s execution model. The execution model encompasses the Application Binary Interface (ABI), higher-level specifications from the program’s source programming language, and components specific to the program — for example, which values a particular function pointer may take. If this execution model were enforced, and only program actions that the programmer intended were allowed, a majority of current security holes would be closed. In this paper, we employ program shepherding [26] to enforce a program’s execution model. Program shepherding monitors control flow in order to enforce a security policy. We use static and dynamic analyses to automatically build a custom security policy for a target program which specifies the program’s execution model. We have implemented our analyses in the DynamoRIO [4, 5] runtime code modification system. The resulting system imposes minimal or no performance overhead, operates on unmodified native binaries, and requires no special hardware or operating system support. Our static analyses require source code access but not recompilation. The analysis process requires no user interaction, but is able to build a strict enough policy to prevent all deviations from the program’s control flow graph and nearly all violations of the calling convention, greatly reducing the possibility of an unintended program action.