Execution Model Enforcement Via Program Shepherding

Nearly all security attacks have one thing in common: they co- erce the target program into performing actions that it was never intended to perform. In short, they violate the program's execu- tion model. The execution model encompasses the Application Binary Interface (ABI), higher-level specifications from the pro- gram's source programming language, and components specific to the program — for example, which values a particular function pointer may take. If this execution model were enforced, and only program actions that the programmer intended were allowed, a ma- jority of current security holes would be closed. In this paper, we employ program shepherding (26) to enforce a program's execution model. Program shepherding monitors con- trol flow in order to enforce a security policy. We use static and dy- namic analyses to automatically build a custom security policy for a target program which specifies the program's execution model. We have implemented our analyses in the DynamoRIO (4, 5) runtime code modification system. The resulting system imposes minimal or no performance overhead, operates on unmodified native bina- ries, and requires no special hardware or operating system support. Our static analyses require source code access but not recompila- tion. The analysis process requires no user interaction, but is able to build a strict enough policy to prevent all deviations from the program's control flow graph and nearly all violations of the call- ing convention, greatly reducing the possibility of an unintended program action.