ABSTRACT
Current taint checking architectures monitor the use of tainted data mainly at control transfer instructions: an alarm is raised once the program counter becomes tainted. However, such architectures are not effective against non-control data attacks. In this paper we present a generic instruction-level runtime taint checking architecture for handling non-control data attacks. Under our architecture, instructions are classified as either Taintless-Instructions or Tainted-Instructions prior to program execution. An instruction is called a Tainted-Instruction if it is supposed to deal with tainted data; otherwise it is called a Taintless-Instruction. A security alert is raised whenever a Taintless-Instruction encounters tainted data at runtime. The proposed architecture is implemented on the SimpleScalar simulator. Preliminary results from experiments on the SPEC CPU 2000 benchmarks show that there is a significant number of Taintless-Instructions. We also demonstrate effective use of our architecture to detect buffer overflow and format string attacks.
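The difference between the two policies can be seen in a toy model, added here as an illustration and not taken from the paper or its SimpleScalar implementation. The three-instruction program, the memory layout (`AUTH_FLAG`, `FUNC_PTR`) and the hand-assigned classification are assumptions; the abstract does not say how instructions are classified.

```c
#include <stdbool.h>

/* Toy word-addressed memory: a 4-word buffer, then a non-control flag, then a code pointer. */
enum { MEM_WORDS = 8, BUF = 0, AUTH_FLAG = 4, FUNC_PTR = 5 };

typedef struct { int val; bool taint; } word_t;
typedef enum { OP_COPY_IN, OP_LOAD, OP_JUMP_IND } op_t;
typedef struct { op_t op; int addr; bool tainted_insn; } insn_t;
typedef struct { bool pc_alarm, insn_alarm; int auth; } result_t;

/* Constructed program; the classification is fixed before execution (assumed, assigned by hand). */
static const insn_t prog[] = {
    { OP_COPY_IN,  BUF,       true  },  /* Tainted-Instruction: meant to handle external input */
    { OP_LOAD,     AUTH_FLAG, false },  /* Taintless-Instruction: should only see trusted data */
    { OP_JUMP_IND, FUNC_PTR,  false },  /* Taintless-Instruction: indirect control transfer */
};

result_t run(const int *input, int n)
{
    word_t mem[MEM_WORDS] = {{0}};
    result_t r = { false, false, 0 };
    if (n > MEM_WORDS) n = MEM_WORDS;   /* keep the simulator itself in bounds */

    for (unsigned pc = 0; pc < sizeof prog / sizeof prog[0]; pc++) {
        const insn_t *i = &prog[pc];
        switch (i->op) {
        case OP_COPY_IN:   /* unchecked copy is the modelled bug; taint follows the data */
            for (int k = 0; k < n; k++)
                mem[i->addr + k] = (word_t){ input[k], true };
            break;
        case OP_LOAD:
            if (mem[i->addr].taint && !i->tainted_insn)
                r.insn_alarm = true;    /* Taintless-Instruction met tainted data */
            r.auth = mem[i->addr].val;
            break;
        case OP_JUMP_IND:
            if (mem[i->addr].taint) {
                r.pc_alarm = true;      /* control-transfer-only policy fires here */
                if (!i->tainted_insn) r.insn_alarm = true;
            }
            break;
        }
    }
    return r;
}
```

A five-word input overwrites only `AUTH_FLAG`: the program counter never becomes tainted, so the control-transfer policy stays silent while the instruction-level check raises an alert.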