Secure and Efficient In-Process Monitor and Multi-Variant Execution

Yeoh, SengMing

01 February 2021

Control flow hijacking attacks such as Return Oriented Programming (ROP) and data oriented attacks like Data Oriented Programming (DOP) are problems still plaguing modern software today. While there have been many attempts at hardening software and protecting against these attacks, the heavy performance cost of running these defenses and intrusive modifications required has proven to be a barrier to adoption. In this work, we present Monguard, a high-performance hardware assisted in-process monitor protection system utilizing Intel Memory Protection Keys (MPK) to enforce execute-only memory, combined with code randomization and runtime binary patching to effectively protect and hide in-process monitors. Next, we introduce L-MVX, a flexible lightweight Multi-Variant Execution (MVX) system running in the in-process monitor system that aims to solve some of the performance problems of recent MVX defenses through selective program call graph protection and in-process monitoring, maintaining security guarantees either by breaking attacker assumptions or creating a scenario where a particular attack only works on a single variant. / Master of Science / Memory corruption attacks are still prevalent on modern software. While there have been many attempts at hardening software and preventing against these attacks, the heavy performance cost of running these defenses and intrusive modifications required have proven to be a barrier to adoption. In this work, we present L-MVX, a high-performance hardware assisted in-process monitor protection system that provides an unintrusive and efficient way to defend against these attacks on monitor systems. We also introduce L-MVX, a flexible lightweight process monitoring engine running on L-MVX that aims to solve some of the performance problems of recent monitor defenses.

Multi-Variant Execution

In-Process Monitor

Memory Isolation