Abstract
Memory corruption is an important class of vulnerability that can be leveraged to craft control-flow hijacking attacks. Control Flow Integrity (CFI) provides protection against such attacks. Applying a type-based CFI policy requires information about the number and types of each function's arguments. Binary-level type recovery is inherently speculative, which motivates an evaluation framework for assessing the effectiveness of binary-level CFI techniques. In this work, we develop a novel and extensible framework to assess how the program analysis information obtained from advanced binary analysis tools affects the efficacy of type-based CFI techniques. We introduce new metrics to quantitatively compare source-independent CFI policies with their ground-truth, source-aware counterparts. We use the framework to evaluate binary-level CFI policies implemented with program analysis information extracted by the IDA Pro binary analyzer, and compare them against the ground truth obtained from the LLVM compiler.
Notes
- 1.
Our framework is available online - https://github.com/Ruturaj4/B-CFI.
- 2.
Even when the binary-level CFI technique produces a more desirable outcome (for example, a reachable set that still admits every programmer-intended target but contains fewer spurious targets), this work still counts it as erroneous whenever it differs from the output of the corresponding source-level technique: the policy did not compute what it was algorithmically designed to compute, because its analysis input was imprecise, and any apparent improvement is coincidental.
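The comparison that note 2 describes can be made concrete with a small script. This is an added example written for this page, not code from the B-CFI framework: the function signatures, the two "recovered" call-site types, the intended-target sets and the metric names (`missing`, `spurious`, `blocked_intended`, `sites_smaller_but_wrong`) are all constructed here for illustration and are not the paper's metrics. It builds the same type-based policy twice, once from compiler ground truth and once from imprecise binary-level signatures, and scores each indirect call site by exact set equality, the criterion note 2 uses.

```python
"""Score a type-based CFI policy built from binary-level type recovery against the
same policy built from compiler ground truth, per indirect call site.

Added example for this page; not the B-CFI framework's code. The signatures,
call sites, intended-target sets and the metric names are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Hashable, Tuple

Sig = Tuple[str, Tuple[str, ...]]  # (return type, parameter types)

# Ground truth as the compiler sees it (constructed sample).
SOURCE_SIGS: Dict[str, Sig] = {
    "add":     ("int", ("int", "int")),
    "sub":     ("int", ("int", "int")),
    "neg":     ("int", ("int",)),
    "abs_val": ("int", ("int",)),
    "log_msg": ("void", ("char*",)),
    "cmp":     ("int", ("void*", "void*")),
}

# The same functions as a disassembler's type inference might report them.
# Constructed to show two common imprecisions: a phantom argument and
# pointer types collapsed to a generic 64-bit integer.
BINARY_SIGS: Dict[str, Sig] = {
    "add":     ("int", ("int", "int")),
    "sub":     ("int", ("int", "int")),
    "neg":     ("int", ("int",)),
    "abs_val": ("int", ("int", "int")),       # phantom second argument
    "log_msg": ("void", ("int64",)),          # char* lost
    "cmp":     ("int", ("int64", "int64")),   # void* collapsed to int64
}

@dataclass(frozen=True)
class CallSite:
    source_sig: Sig            # type the compiler knows at the call
    binary_sig: Sig            # type recovered at the call in the binary
    intended: FrozenSet[str]   # targets the programmer actually meant (assumed known)

SITES: Dict[str, CallSite] = {
    "site_arith": CallSite(("int", ("int", "int")), ("int", ("int", "int")), frozenset({"add", "sub"})),
    "site_unary": CallSite(("int", ("int",)), ("int", ("int",)), frozenset({"neg"})),
    "site_cmp":   CallSite(("int", ("void*", "void*")), ("int", ("int64", "int64")), frozenset({"cmp"})),
    "site_log":   CallSite(("void", ("char*",)), ("void", ("int",)), frozenset({"log_msg"})),
}

# Two policies: full-signature matching (what Clang's -fsanitize=cfi-icall
# enforces) and a coarser argument-count-only policy.
def type_key(sig: Sig) -> Hashable:
    return sig

def arity_key(sig: Sig) -> Hashable:
    return len(sig[1])

def cfi_targets(site_sig: Sig, sigs: Dict[str, Sig], key: Callable[[Sig], Hashable]) -> FrozenSet[str]:
    """Reachable set at a call site: every function whose policy key equals the site's."""
    want = key(site_sig)
    return frozenset(name for name, sig in sigs.items() if key(sig) == want)

def evaluate(sites: Dict[str, CallSite], key: Callable[[Sig], Hashable]) -> Dict[str, dict]:
    """Per-site comparison of the binary-level reachable set with ground truth.
    Only exact equality counts as correct (note 2 above); everything else is
    broken down into what the binary policy adds, drops, or wrongly blocks."""
    results = {}
    for name, site in sites.items():
        gt = cfi_targets(site.source_sig, SOURCE_SIGS, key)
        rec = cfi_targets(site.binary_sig, BINARY_SIGS, key)
        results[name] = {
            "ground_truth": gt,
            "recovered": rec,
            "match": gt == rec,
            "missing": gt - rec,                        # allowed by the source-level policy, not by the binary one
            "spurious": rec - gt,                       # extra targets an attacker gains
            "blocked_intended": site.intended - rec,    # benign calls the binary policy would fault on
        }
    return results

def summarize(results: Dict[str, dict]) -> Dict[str, int]:
    rs = results.values()
    return {
        "sites": len(results),
        "matching": sum(r["match"] for r in rs),
        "spurious_total": sum(len(r["spurious"]) for r in rs),
        "sites_blocking_intended": sum(1 for r in rs if r["blocked_intended"]),
        # A smaller set that still admits every intended target looks better,
        # but is still counted as wrong: it is not what the policy computes.
        "sites_smaller_but_wrong": sum(1 for r in rs
                                       if not r["match"] and not r["blocked_intended"]
                                       and r["recovered"] < r["ground_truth"]),
    }

if __name__ == "__main__":
    for label, key in (("type", type_key), ("arity", arity_key)):
        res = evaluate(SITES, key)
        print(f"== {label} policy: {summarize(res)}")
        for name, r in res.items():
            print(f"{name}: match={r['match']} missing={sorted(r['missing'])} "
                  f"spurious={sorted(r['spurious'])} blocked={sorted(r['blocked_intended'])}")
```

Running it shows the three failure modes a practitioner cares about side by side: a phantom argument on `abs_val` adds a spurious target at `site_arith`, drops a legitimate one at `site_unary` (the "better but still wrong" case of note 2), and the mismatched recovery at `site_log` would fault a benign call, which is the outcome that actually breaks programs in deployment. The arity-only policy avoids the blocked call at the cost of coarser target sets, which is the trade-off between the argument-count and argument-type information the abstract refers to.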
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Vaidya, R.K., Kulkarni, P.A. (2024). Effectiveness of Binary-Level CFI Techniques. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_6
DOI: https://doi.org/10.1007/978-3-031-57537-2_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer Science (R0)