Fine-Grained Control-Flow Integrity Through Binary Hardening

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9148)

Abstract

Applications written in low-level languages without type or memory safety are prone to memory corruption. Attackers gain code execution capabilities through memory corruption despite all currently deployed defenses. Control-Flow Integrity (CFI) is a promising security property that restricts indirect control-flow transfers to a static set of well-known locations.

We present Lockdown, a modular, fine-grained CFI policy that protects binary-only applications and libraries without requiring source code. Lockdown adaptively discovers the control-flow graph of a running process based on the executed code. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions by enforcing fine-grained CFI checks using information from a trusted dynamic loader. A shadow stack enforces precise integrity for function returns. Our prototype implementation shows that Lockdown incurs low performance overhead, and a security analysis discusses the remaining gadgets.
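As an added illustration (not the paper's Lockdown implementation), the following Python simulation models the two checks the abstract describes: a cross-object indirect call is only allowed to reach a symbol the callee exports and the caller imports, while intra-object calls must land on a known function entry, and every return must match the top of a shadow stack. All shared objects, symbols, addresses and the trace are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SharedObject:
    name: str
    base: int
    size: int
    functions: dict                            # symbol -> entry address (constructed)
    exports: set = field(default_factory=set)  # symbols other objects may call
    imports: set = field(default_factory=set)  # symbols resolved from other objects
    def contains(self, addr):
        return self.base <= addr < self.base + self.size

class Monitor:
    """Toy reference monitor for the two Lockdown checks (simulation only)."""
    def __init__(self, objects):
        self.objects = objects
        self.shadow = []       # shadow stack of expected return addresses
        self.violations = []   # (kind, source, target)
    def owner(self, addr):
        return next((o for o in self.objects if o.contains(addr)), None)
    def call(self, src, dst, ret):
        caller, callee = self.owner(src), self.owner(dst)
        if callee is None:
            self.violations.append(("unmapped-target", src, dst))
        elif caller is callee:
            # intra-object edge: target must be a known function entry of this object
            if dst not in callee.functions.values():
                self.violations.append(("intra-object", src, dst))
        else:
            # cross-object edge: callee must export the symbol and caller must import it
            sym = next((s for s, a in callee.functions.items() if a == dst), None)
            if sym is None or sym not in callee.exports or caller is None or sym not in caller.imports:
                self.violations.append(("cross-object", src, dst))
        self.shadow.append(ret)  # the only legal return target for this call
    def ret(self, dst):
        expected = self.shadow.pop() if self.shadow else None
        if dst != expected:
            self.violations.append(("return", expected, dst))

def run_trace():
    libc = SharedObject("libc", 0x7000, 0x1000, {"memcpy": 0x7100, "_int_malloc": 0x7800}, exports={"memcpy"})
    app = SharedObject("app", 0x4000, 0x1000, {"main": 0x4000, "handler": 0x4200}, imports={"memcpy"})
    m = Monitor([app, libc])
    m.call(0x4010, 0x7100, 0x4015); m.ret(0x4015)   # PLT call to an exported, imported symbol: allowed
    m.call(0x4020, 0x7800, 0x4025); m.ret(0x4025)   # call into a non-exported libc internal: flagged
    m.call(0x4030, 0x4200, 0x4035); m.ret(0x7123)   # intra-object call, then a corrupted return: flagged
    return m.violations
```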


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Mathias Payer (Purdue University, West Lafayette, USA)
  • Antonio Barresi (ETH Zurich, Zürich, Switzerland)
  • Thomas R. Gross (ETH Zurich, Zürich, Switzerland)
