Fine-Grained Control-Flow Integrity Through Binary Hardening

  • Mathias Payer
  • Antonio Barresi
  • Thomas R. Gross
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9148)


Applications written in low-level languages without type or memory safety are prone to memory corruption. Attackers gain code execution capabilities through memory corruption despite all currently deployed defenses. Control-Flow Integrity (CFI) is a promising security property that restricts indirect control-flow transfers to a static set of well-known locations.

We present Lockdown, a modular, fine-grained CFI policy that protects binary-only applications and libraries without requiring source code. Lockdown adaptively discovers the control-flow graph of a running process based on the executed code. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions by enforcing fine-grained CFI checks using information from a trusted dynamic loader. A shadow stack enforces precise integrity for function returns. Our prototype implementation shows that Lockdown results in low performance overhead, and a security analysis discusses any remaining gadgets.
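The two checks the abstract describes, the inter-object sandbox built from loader import/export data and the shadow stack for returns, modelled as an added illustration (not Lockdown's own code). The address layout, symbol tables and class names are constructed for the example, and transfers inside one object are simply allowed here, whereas Lockdown also constrains those with its runtime-discovered control-flow graph.

```python
from dataclasses import dataclass, field

class CFIViolation(Exception):
    """A transfer outside the allowed set (the real system would abort the process)."""

@dataclass
class SharedObject:
    name: str
    base: int
    size: int
    exports: dict                      # symbol -> address, as the loader sees it
    imports: set = field(default_factory=set)   # symbols this object may call into

class LockdownModel:
    def __init__(self, objects):
        self.objects = objects
        self.shadow_stack = []         # return addresses pushed by each checked call

    def object_of(self, addr):
        for obj in self.objects:
            if obj.base <= addr < obj.base + obj.size:
                return obj
        raise CFIViolation(f"{addr:#x} is outside every loaded object")

    def check_call(self, src, target, return_addr):
        src_obj, dst_obj = self.object_of(src), self.object_of(target)
        if src_obj is not dst_obj:
            # Sandbox rule: a cross-object transfer must land exactly on a
            # symbol that the callee exports and the caller imports.
            sym = next((n for n, a in dst_obj.exports.items() if a == target), None)
            if sym is None or sym not in src_obj.imports:
                raise CFIViolation(f"{src_obj.name} -> {target:#x} is not an imported export")
        self.shadow_stack.append(return_addr)
        return True

    def check_return(self, target):
        # Shadow-stack rule: a return must go exactly where its call came from.
        if not self.shadow_stack or self.shadow_stack.pop() != target:
            raise CFIViolation(f"return to {target:#x} does not match the shadow stack")
        return True

def allowed(check, *args):
    # True if the transfer passes the check, False if the policy blocks it.
    try:
        return check(*args)
    except CFIViolation:
        return False

# Constructed layout: an executable importing strlen, and a libc exporting two symbols.
APP = SharedObject("app", 0x400000, 0x1000, {"main": 0x400100}, {"strlen"})
LIBC = SharedObject("libc", 0x7F000000, 0x100000, {"strlen": 0x7F001000, "getenv": 0x7F002000})
CFI = LockdownModel([APP, LIBC])
```

A call from the executable to the start of strlen passes, a call into the middle of strlen or to a libc export the executable never imports is blocked, and a return to any address other than the one pushed by the matching call is blocked.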





We thank Andreas Follner, Volodymyr Kuznetsov, Per Larsen, Kaveh Razavi, our shepherd Cristiano Giuffrida, and the anonymous reviewers for feedback and discussions. This research was supported, in part, by a grant from NSF.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Mathias Payer (1)
  • Antonio Barresi (2)
  • Thomas R. Gross (2)
  1. Purdue University, West Lafayette, USA
  2. ETH Zurich, Zürich, Switzerland
