Strengthening software self-checksumming via self-modifying code

Jonathon T. Giffin, Mihai Christodorescu, and Louis Kruger.

In 21st Annual Computer Security Applications Conference (ACSAC).

Tucson, Arizona, December 2005.

All student authors.

Recent research has proposed self-checksumming as a method by which a program can detect any possibly malicious modification to its code. Wurster et al. developed an attack against such programs that enables code modifications undetectable to any self-checksumming routine. The attack replicated pages of program text and altered values in hardware data structures so that data reads and instruction fetches retrieved values from different memory pages. A cornerstone of their attack was its applicability to a variety of commodity hardware: they could alter memory accesses using only a malicious operating system. In this paper, we show that their page-replication attack can be detected by self-checksumming programs with self-modifying code. Our detection is efficient, adding less than 1 microsecond to each checksum computation in our experiments on three processor families, and is robust up to attacks using either costly interpretive emulation or specialized hardware.

Paper: [pdf] [ps]
Slides: [pdf]

An expanded version of this paper is available as a technical report.

An alternate slideset is available. The alternate slides contain more straightforward technical reporting and omit the position statements contained in the conference talk.

This page updated April 05, 2006.