Control Flow Integrity Enforcement with Dynamic Code Optimization

  • Yan Lin
  • Xiaoxiao Tang
  • Debin Gao
  • Jianming Fu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9866)


Control Flow Integrity (CFI) is an attractive security property with which most injected and code reuse attacks can be defeated, including advanced attacking techniques like Return-Oriented Programming (ROP). However, comprehensive enforcement of CFI is expensive due to additional supports needed (e.g., compiler support and presence of relocation or debug information) and performance overhead. Recent research has been trying to strike the balance among reasonable approximation of the CFI properties, minimal additional supports needed, and acceptable performance. We investigate existing dynamic code optimization techniques and find that they provide an architecture on which CFI can be enforced effectively and efficiently. In this paper, we propose and implement DynCFI that enforces security policies on a well established dynamic optimizer and show that it provides comparable CFI properties with existing CFI implementations while lowering the overall performance overhead from 28.6 % to 14.8 %. We further perform comprehensive evaluations and shed light on the exact amount of savings contributed by the various components of the dynamic optimizer including basic block cache, trace cache, branch prediction, and indirect branch lookup.


Control Flow Integrity Return-oriented programming Dynamic code optimization 



This work was supported by No. 61373168 and No. 20120141110002.


  1. 1.
  2. 2.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 340–353. ACM (2005)Google Scholar
  3. 3.
    Bala, V., Duesterwald, E., Banerjia, S.: Dynamo: a transparent dynamic optimization system. In: ACM SIGPLAN Notices, vol. 35, pp. 1–12. ACM (2000)Google Scholar
  4. 4.
    Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 353–362. ACM (2011)Google Scholar
  5. 5.
    Bruening, D.: Efficient, transparent, and comprehensive runtime code manipulation. Ph.D. thesis. Massachusetts Institute of Technology (2004)Google Scholar
  6. 6.
    Carlini, N., Wagner, D.: Rop is still dangerous: breaking modern defenses. In: USENIX Security Symposium (2014)Google Scholar
  7. 7.
    Chen, P., Xing, X., Han, H., Mao, B., Xie, L.: Efficient detection of the return-oriented programming malicious code. In: Jha, S., Mathuria, A. (eds.) ICISS 2010. LNCS, vol. 6503, pp. 140–155. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Chen, W.-K., Lerner, S., Chaiken, R., Gillies, D.M.: Mojo: a dynamic optimization system. In: 3rd ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-3), pp. 81–90 (2000)Google Scholar
  9. 9.
    Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ACM Symposium on Information, Computer and Communications Security, ASIACCS, vol. 15 (2015)Google Scholar
  10. 10.
    Davi, L., Sadeghi, A.-R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 40–51. ACM (2011)Google Scholar
  11. 11.
    Deaver, D., Gorton, R., Rubin, N., Wiggins, R.: An on-line program specializer. In: Proceedings of the IEEE Hot Chips XI Conference (1999)Google Scholar
  12. 12.
    Fratric, I.: Runtime Prevention of Return-Oriented Programming Attacks. University of Zagreb (2012)Google Scholar
  13. 13.
    Goktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 575–589. IEEE (2014)Google Scholar
  14. 14.
    Intel Corporation. Intell\(\textregistered \)64 and IA-32 Architectures Software Developer’s Manual (2015)Google Scholar
  15. 15.
    Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: USENIX Security Symposium, vol. 92 (2002)Google Scholar
  16. 16.
    Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM Sigplan Notices, vol. 40, pp. 190–200. ACM (2005)Google Scholar
  17. 17.
    Mathias, P., Antonio, B., Thomas, R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015)CrossRefGoogle Scholar
  18. 18.
    Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K., Franz, M.: Opaque control-flow integrity. In: Symposium on Network and Distributed System Security (NDSS) (2015)Google Scholar
  19. 19.
    Niu, B., Tan, G.: Modular control-flow integrity. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, p. 58. ACM (2014)Google Scholar
  20. 20.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security, pp. 447–462 (2013)Google Scholar
  21. 21.
    Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., Holz, T.: Evaluating the effectiveness of current anti-ROP defenses. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 88–108. Springer, Heidelberg (2014)Google Scholar
  22. 22.
    Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 552–561. ACM (2007)Google Scholar
  23. 23.
    van der Veen, V., Göktas, E., Contag, M., Pawlowski, A., Chen, X., Rawat, S., Bos, H., Holz, T., Athanasopoulos, E., Giuffrida, C.: A tough call: mitigating advanced code-reuse attacks at the binary level. In: IEEE Symposium on Security and Privacy (S&P) (2016)Google Scholar
  24. 24.
    Wilander, J., Nikiforakis, N., Younan, Y., Kamkar, M., Joosen, W.: RIPE: Runtime Intrusion Prevention Evaluator. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 41–50. ACM (2011)Google Scholar
  25. 25.
    Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–12. IEEE (2012)Google Scholar
  26. 26.
    Yuan, P., Zeng, Q., Ding, X.: Hardware-assisted fine-grained code-reuse attack detection. In: Bos, H., et al. (eds.) Raid 2015. LNCS, vol. 9404, pp. 66–85. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-26362-5_4 CrossRefGoogle Scholar
  27. 27.
    Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 559–573 (2013)Google Scholar
  28. 28.
    Zhang, M., Sekar, L.: Control flow integrity for COTS binaries. In: Proceedings of the 22th USENIX Security Symposium, pp. 337–352 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Yan Lin
    • 1
  • Xiaoxiao Tang
    • 1
  • Debin Gao
    • 1
  • Jianming Fu
    • 2
  1. 1.School of Information SystemsSingapore Management UniversitySingaporeSingapore
  2. 2.Computer SchoolWuhan UniversityWuhanChina

Personalised recommendations