Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution

I
ICCD
2004
2004 IEEE International Conference on Computer Design (ICCD'04)
Abstract - Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by A. Murat Fiskiran Articles by Ruby B. Lee

2004 IEEE International Conference on Computer Design (ICCD'04)

San Jose, CA

October 11-October 13

ISBN: 0-7695-2231-9

	ASCII Text	x
	A. Murat Fiskiran, Ruby B. Lee, "Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution," Computer Design, International Conference on, pp. 452-457, 2004 IEEE International Conference on Computer Design (ICCD'04), 2004.

	BibTex	x
	@article{ 10.1109/ICCD.2004.1347961, author = {A. Murat Fiskiran and Ruby B. Lee}, title = {Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution}, journal ={Computer Design, International Conference on}, volume = {0}, year = {2004}, issn = {1063-6404}, pages = {452-457}, doi = {http://doi.ieeecomputersociety.org/10.1109/ICCD.2004.1347961}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Design, International Conference on TI - Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution SN - 1063-6404 SP452 EP457 A1 - A. Murat Fiskiran, A1 - Ruby B. Lee, PY - 2004 KW - null VL - 0 JA - Computer Design, International Conference on ER -

A. Murat Fiskiran, Princeton University

Ruby B. Lee, Princeton University

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ICCD.2004.1347961

Many computer security threats involve execution of unauthorized foreign code on the victim computer. Viruses, network and email worms, Trojan horses, backdoor programs used in Denial of Service attacks are a few examples. In this paper, we present an architectural technique, which we call Runtime Execution Monitoring (REM), to detect program flow anomalies associated with such malicious code. The key idea in REM is the verification of program code at the hash block (similar to a basic block) level. This is achieved by pre-computing keyed hashes (HMACs) for each hash block during program installation, and then verifying these values during program execution. By verifying program code integrity at the hash block level, REM can monitor instructions whose behavior is typically exploited by malicious code, such as branch, call, return instructions. Performance degradation with REM averages 6.4% on our benchmark programs, which can be reduced to under 5% by increasing the size of the L1 instruction cache.

Citation:

A. Murat Fiskiran, Ruby B. Lee, "Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution," iccd, pp.452-457, 2004 IEEE International Conference on Computer Design (ICCD'04), 2004

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.