\(\tau \)CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries

  • Paul MunteanEmail author
  • Matthias Fischer
  • Gang Tan
  • Zhiqiang Lin
  • Jens Grossklags
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose \(\tau {\textsc {CFI}}\), an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, \(\tau {\textsc {CFI}}\) can be used to harden legacy applications for which source code may not be available. We have evaluated \(\tau {\textsc {CFI}}\) on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that \(\tau {\textsc {CFI}}\) is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, \(\tau {\textsc {CFI}}\) achieves higher forward-edge caller-callee matching precision.


Open image in new window object dispatch Indirect control flow transfer Code-reuse attack 



We thank the anonymous reviewers for their feedback, which helped to considerably improve the quality of this paper. Jens Grossklags’ research is supported by the German Institute for Trust and Safety on the Internet (DIVSI). Gang Tan is supported by US NSF grants CCF-1723571 and CNS-1624126, the Defense Advanced Research Projects Agency (DARPA) under agreement number N6600117C4052, and Office of Naval Research (ONR) under agreement number N00014-17-1-2539. Zhiqiang Lin is partially supported by US NSF grant CNS-1812553 and CNS-1834215, AFOSR award FA9550-14-1-0119, and ONR award N00014-17-1-2995.


  1. 1.
    LLVM: Clang CFI (2017).
  2. 2.
  3. 3.
    Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming. In: S&P (2015)Google Scholar
  4. 4.
    Crane, S., et al.: It’s a TRaP: table randomization and protection against function-reuse attacks. In: CCS (2015)Google Scholar
  5. 5.
    Lettner, J., et al.: Subversive-C: abusing and protecting dynamic message dispatch. In: USENIX ATC (2016)Google Scholar
  6. 6.
    BlueLotus Team: BCTF challenge: Bypass VTable read-only checks (2015).
  7. 7.
    Lan, B., Li, Y., Sun, H., Su, C., Liu, Y., Zeng, Q.: Loop-oriented programming: a new code reuse attack to bypass modern defenses. In: IEEE Trustcom/BigDataSE/ISPA (2015)Google Scholar
  8. 8.
    Evans, I., et al.: Control Jujutsu: on the weaknesses of fine-grained control flow integrity. In: CCS (2015)Google Scholar
  9. 9.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity. In: CCS (2005)Google Scholar
  10. 10.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity principles, implementations, and applications. In: TISSEC (2009)Google Scholar
  11. 11.
    Burow, N.: Control-flow integrity: precision, security, and performance. CSUR 50, 16:1–16:33 (2017)CrossRefGoogle Scholar
  12. 12.
    Tan, G., Jaeger, T.: CFG construction soundness in control-flow integrity. In: PLAS (2017)Google Scholar
  13. 13.
    Ramalingam, G.: The undecidability of aliasing. TOPLAS 16, 1467–1471 (1994)CrossRefGoogle Scholar
  14. 14.
    Jang, D., Tatlock, T., Lerner, S.: SAFEDISPATCH: securing C++ virtual calls from memory corruption attacks. In: NDSS (2014)Google Scholar
  15. 15.
    Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI (2014)Google Scholar
  16. 16.
    Niu, B., Tan, G.: RockJIT: securing just-in-time compilation using modular control-flow inegrity. In: CCS (2014)Google Scholar
  17. 17.
    Haller, I., Goktas, E., Athanasopoulos, E., Portokalidis, G., Bos, H.: ShrinkWrap: VTable protection without loose ends. In: ACSAC (2015)Google Scholar
  18. 18.
    Bounov, D., Gökhan K., R., Lerner, S.: Protecting C++ dynamic dispatch through VTable interleaving. In: NDSS (2016)Google Scholar
  19. 19.
    Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC and LLVM. In: USENIX Security (2014)Google Scholar
  20. 20.
    Zhang, C., et al. : Practical control flow integrity and randomization for binary executables. In: S&P (2013)Google Scholar
  21. 21.
    Prakash, A., Hu, X., Yin, H.: Strict protection for virtual function calls in COTS C++ binaries. In: NDSS (2015)Google Scholar
  22. 22.
    Zhang, C., Song, C., Zhijie, K.C., Chen, Z., Song, D.: VTint: protecting virtual function tables’ integrity. In: NDSS (2015)Google Scholar
  23. 23.
    Elsabagh, M., Fleck, D., Stavrou, A.: Strict virtual call integrity checking for C ++ binaries. In: ASIACCS (2017)Google Scholar
  24. 24.
    Pawlowski, A., et al.: MARX: uncovering class hierarchies in C++ programs. In: NDSS (2017)Google Scholar
  25. 25.
    Veen, V.V.D., et al.: A tough call: mitigating advanced code-reuse attacks at the binary level. In: S&P (2016)Google Scholar
  26. 26.
    Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: OSDI (2014)Google Scholar
  27. 27.
    Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX Security (2015)Google Scholar
  28. 28.
    Goktas, E., et al.: Bypassing Clang’s SafeStack for fun and profit. In: Blackhat Europe (2016).
  29. 29.
    Dang, T., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ASIACCS (2015)Google Scholar
  30. 30.
    Bernat, A.R., Miller, B.P.: Anywhere, any-time binary instrumentation. In: PASTE (2011)Google Scholar
  31. 31.
    Andriesse, D., Chen, X., Veen, V.V.D., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: USENIX Security (2016)Google Scholar
  32. 32.
    Mycroft, A.: Lecture Notes (2007).
  33. 33.
    Lin, Z., Zhang, X., Xu, D.: Automatic reverse engineering of data structures from binary execution. In: NDSS (2010)Google Scholar
  34. 34.
    Brumley, D., Jager, I., Avgerinos, T., Schwartz, E.J.: BAP: a binary analysis platform. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 463–469. Springer, Heidelberg (2011). Scholar
  35. 35.
    Fokin, A., Derevenets, Y., Chernov, A., Troshina, K.: SmartDec: approaching C++ decompilation. In: WCRE (2011)Google Scholar
  36. 36.
    Balakrishnan, G., Reps, T.: DIVINE: discovering variables IN executables. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 1–28. Springer, Heidelberg (2007). Scholar
  37. 37.
    Caballero, J., Lin, Z.: Type inference on executables. CSUR 48, 35 (2016)CrossRefGoogle Scholar
  38. 38.
    Lee, B., Song, C., Kim, T., Lee, W.: Type casting verification: stopping an emerging attack vector. In: USENIX Security (2015)Google Scholar
  39. 39.
    Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: Euro S&P (2017)Google Scholar
  40. 40.
    Bruening, D.: DynamoRIO.
  41. 41.
    Davi, L., et al.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS (2012)Google Scholar
  42. 42.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security (2013)Google Scholar
  43. 43.
    Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security (2013)Google Scholar
  44. 44.
    Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS (2015)Google Scholar
  45. 45.
    Veen, V.V.D., et al.: Practical context-sensiticve CFI. In: CCS (2015)Google Scholar
  46. 46.
    Payer, M., Barresi, A., Gross, T.R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Technical University of MunichMunichGermany
  2. 2.The Ohio State UniversityColumbusUSA
  3. 3.The Pennsylvania State UniversityState CollegeUSA

Personalised recommendations