Preventing Program Hijacking via Static and Dynamic Analyses

Control flow hijacking occurs when an attacker overwrites a control-flow data item (e.g. return address or function pointer) to take control of the execution of a program. We propose to detect and prevent hijacking by using a low-overhead per-process dynamic run-time virtualization monitor, called an SDT (software dynamic translator) to make shadow copies of control-flow data items each time they are initialized or updated, and detect overwriting changes that occur between initialization and use. A static analyzer that operates on program binaries will help identify all control-data items, and reduce run-time overhead by identifying control-data items that are provably safe (not susceptible to overwriting between initialization and use). Remedial actions to be taken when attempted hijacking is detected will not be limited to program termination; program recovery techniques will be studied and designed.