Building Control-Flow Integrity Defenses

  • Lucas Davi
  • Ahmad-Reza Sadeghi
Chapter
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)

Abstract

In particular, Abadi et al. [2, 4] suggest a label-based CFI approach, where each CFG node is marked with a unique label ID that is placed at the beginning of a BBL. In order to preserve the program's original semantics, the label is either encoded as an offset into an x86 cache prefetch instruction or as a simple data word. Inserting labels into a program binary requires moving instructions from their original position. As a consequence, CFI requires adjusting all memory offsets embedded into jump/call and data load/store instructions that are affected by the insertion of the additional prefetch instructions.
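The label scheme sketched in the abstract, as an added example that is not code from the book or from Abadi et al.: a toy Python model of a code image in which each indirect-branch destination receives a 7-byte `prefetchnta [ID]` label, direct-jump displacements are recomputed after the insertion shifts later code, and an instrumented indirect transfer checks the label at its destination. The byte encoding `0F 18 05 <id32>` for the prefetch, the label IDs, the instruction sizes and the 21-byte program are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from itertools import accumulate
from typing import Dict, List, Optional, Tuple

LABEL_SIZE = 7
PREFETCH = bytes([0x0F, 0x18, 0x05])  # prefetchnta [disp32]; assumed encoding
L_FUNC_B = 0x12345678                  # constructed ID: entry of function B
L_RET_SITE = 0xAAAA0001                # constructed ID: return site after icall


@dataclass
class Insn:
    kind: str                        # 'nop' | 'jmp' | 'icall' | 'ret' | 'label'
    size: int
    target: Optional[int] = None     # absolute target of a 'jmp'
    expect: Optional[int] = None     # label ID an 'icall' site requires
    label_id: Optional[int] = None   # ID carried by a 'label'
    disp: Optional[int] = None       # encoded rel32 of a 'jmp'


def layout(insns: List[Insn]) -> List[int]:
    """Start address of each instruction in a contiguous code image."""
    return list(accumulate((i.size for i in insns), initial=0))[:-1]


def read_label(img: bytes, addr: int) -> Optional[int]:
    """Decode the label at `addr`, or None if the bytes there are not one."""
    chunk = img[addr:addr + LABEL_SIZE]
    if len(chunk) == LABEL_SIZE and chunk[:3] == PREFETCH:
        return int.from_bytes(chunk[3:], "little")
    return None


def instrument(insns: List[Insn], labels: Dict[int, int]) -> Tuple[List[Insn], Dict[int, int]]:
    """Insert a label before each old address in `labels` (old addr -> ID),
    then re-encode every direct jump against the shifted addresses."""
    out, addr_map, cur = [], {}, 0
    for old, i in zip(layout(insns), insns):
        addr_map[old] = cur                    # where the old code now lands
        if old in labels:                      # the label is the new BBL start
            out.append(Insn("label", LABEL_SIZE, label_id=labels[old]))
            cur += LABEL_SIZE
        out.append(Insn(i.kind, i.size, target=i.target, expect=i.expect))
        cur += i.size
    # rel32 is measured from the end of the jump: a label inserted between
    # a jump and its target changes the displacement that must be encoded.
    for addr, j in zip(layout(out), out):
        if j.kind == "jmp":
            j.target = addr_map[j.target]
            j.disp = j.target - (addr + j.size)
    return out, addr_map


def emit(insns: List[Insn]) -> bytes:
    """Bytes for the model: nop=90, jmp=E9 rel32, icall=FF D0 (call eax), ret=C3."""
    img = bytearray()
    for i in insns:
        if i.kind == "nop":
            img += b"\x90" * i.size
        elif i.kind == "jmp":
            img += b"\xE9" + i.disp.to_bytes(4, "little", signed=True)
        elif i.kind == "icall":
            img += b"\xFF\xD0"
        elif i.kind == "ret":
            img += b"\xC3"
        else:  # label: prefetchnta [id32], a semantic no-op carrying the ID
            img += PREFETCH + (i.label_id & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(img)


def cfi_check(img: bytes, dest: int, expected: int) -> bool:
    """Check inlined before an indirect transfer: the destination must begin
    with the label ID this site expects, otherwise the transfer is refused."""
    return read_label(img, dest) == expected


def build_program() -> List[Insn]:
    """Constructed 21-byte program: function B at 0, function A at 5."""
    return [
        Insn("nop", 4),                     # 0: B entry (indirect target)
        Insn("ret", 1),                     # 4
        Insn("nop", 3),                     # 5: A entry
        Insn("jmp", 5, target=19),          # 8: direct jump to A's exit block
        Insn("icall", 2, expect=L_FUNC_B),  # 13: call eax, must land in B
        Insn("nop", 4),                     # 15: return site of the icall
        Insn("nop", 1),                     # 19: A's exit block
        Insn("ret", 1),                     # 20
    ]


def demo() -> dict:
    prog = build_program()
    old_disp = prog[3].target - (8 + prog[3].size)           # 19 - 13 = 6
    new, addr_map = instrument(prog, {0: L_FUNC_B, 15: L_RET_SITE})
    img = emit(new)
    new_disp = next(i.disp for i in new if i.kind == "jmp")
    return {
        "old_disp": old_disp,
        "new_disp": new_disp,          # 13: the return-site label sits in between
        "size": len(img),              # 21 + 2 * 7 = 35
        "call_to_b": cfi_check(img, addr_map[0], L_FUNC_B),          # True
        "call_mid_b": cfi_check(img, addr_map[4], L_FUNC_B),         # False
        "ret_to_site": cfi_check(img, addr_map[15], L_RET_SITE),     # True
        "call_to_ret_site": cfi_check(img, addr_map[15], L_FUNC_B),  # False
    }
```

Running `demo()` shows the two effects the abstract names: the direct jump at old address 8 keeps its displacement of 6 only until the return-site label is inserted between it and its target, after which the rewriter must encode 13; and the inlined check accepts a transfer to the labelled entry of B while refusing a transfer into the middle of B or a call that lands on a return-site label, because the ID there is not the one the call site expects.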

Keywords

Program Execution, Return Address, Return Instruction, Performance Overhead, Target Address
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: A theory of secure control-flow. In: Proceedings of the 7th International Conference on Formal Methods and Software Engineering, ICFEM'05 (2005). URL http://dx.doi.org/10.1007/11576280_9
  2. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity: principles, implementations, and applications. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS'05 (2005). URL http://doi.acm.org/10.1145/1102120.1102165
  3. Abadi, M., Budiu, M., Erlingsson, Ú., Necula, G.C., Vrable, M.: XFI: Software guards for system address spaces. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI'06 (2006). URL http://dl.acm.org/citation.cfm?id=1298455.1298463
  4. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity: principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 4:1–4:40 (2009). URL http://doi.acm.org/10.1145/1609956.1609960
  5. Afek, J., Sharabani, A.: Dangling pointer: smashing the pointer for fun and profit (2007). URL https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf
  6. Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: Proceedings of the 29th IEEE Symposium on Security and Privacy, SP'08 (2008). URL http://dx.doi.org/10.1109/SP.2008.30
  7. Arias, O., Davi, L., Hanreich, M., Jin, Y., Koeberl, P., Paul, D., Sadeghi, A.R., Sullivan, D.: HAFIX: hardware-assisted flow integrity extension. In: Proceedings of the 52nd Design Automation Conference, DAC'15 (2015). URL http://doi.acm.org/10.1145/2744769.2744847
  8. Bachaalany, E.: Inside EMET 4.0. REcon Montreal (2013). URL http://recon.cx/2013/slides/Recon2013-Elias%20Bachaalany-Inside%20EMET%204.pdf
  9. Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC'11 (2011). URL http://doi.acm.org/10.1145/2076732.2076783
  10. Bruening, D.L.: Efficient, transparent, and comprehensive runtime code manipulation. Ph.D. thesis, Massachusetts Institute of Technology (2004). URL http://groups.csail.mit.edu/cag/rio/derek-phd-thesis.pdf
  11. Budiu, M., Erlingsson, Ú., Abadi, M.: Architectural support for software-based protection. In: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, ASID'06, pp. 42–51 (2006). URL http://doi.acm.org/10.1145/1181309.1181316
  12. C4SS!0, h1ch4m: MPlayer Lite r33064 m3u buffer overflow exploit (DEP Bypass) (2011). URL http://www.exploit-db.com/exploits/17565/
  13. Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671250
  14. Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI'06 (2006). URL http://dl.acm.org/citation.cfm?id=1298455.1298470
  15. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th USENIX Security Symposium (2005). URL http://dl.acm.org/citation.cfm?id=1251398.1251410
  16. Cheng, Y., Zhou, Z., Miao, Y., Ding, X., Deng, R.H.: ROPecker: a generic and practical approach for defending against ROP attacks. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS'14 (2014). URL http://www.internetsociety.org/doc/ropecker-generic-and-practical-approach-defending-against-rop-attacks
  17. Chiueh, T., Hsu, F.H.: RAD: A compile-time solution to buffer overflow attacks. In: Proceedings of the 21st International Conference on Distributed Computing Systems, ICDCS'01 (2001). URL http://dl.acm.org/citation.cfm?id=876878.879316
  18. Chiueh, T., Prasad, M.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the 2003 USENIX Annual Technical Conference, ATC'03 (2003). URL https://www.usenix.org/legacy/event/usenix03/tech/full_papers/prasad/prasad_html/camera.html
  19. cplusplus.com: Polymorphism. URL http://www.cplusplus.com/doc/tutorial/polymorphism/
  20. Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP'14 (2014). URL http://dx.doi.org/10.1109/SP.2014.26
  21. Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS'15 (2015). URL http://doi.acm.org/10.1145/2714576.2714635
  22. Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS'11 (2011). URL http://doi.acm.org/10.1145/1966913.1966920
  23. Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: Proceedings of the 19th Annual Network and Distributed System Security Symposium, NDSS'12 (2012). URL http://www.internetsociety.org/mocfi-framework-mitigate-control-flow-attacks-smartphones
  24. Davi, L., Lehmann, D., Sadeghi, A.R., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671251
  25. Davi, L., Lehmann, D., Sadeghi, A.R., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. Technical Report TUD-CS-2014-0097, Technische Universität Darmstadt (2014). URL https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/techreport-stitching-gadgets.pdf
  26. Erlingsson, Ú.: The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University (2004). URL http://www.ru.is/faculty/ulfar/thesis.pdf
  27. Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode'09 (2009). URL http://doi.acm.org/10.1145/1655077.1655083
  28. Frantzen, M., Shuey, M.: StackGhost: hardware facilitated stack protection. In: Proceedings of the 10th USENIX Security Symposium (2001). URL http://dl.acm.org/citation.cfm?id=1251327.1251332
  29. Fratric, I.: ROPGuard: runtime prevention of return-oriented programming attacks (2012). URL http://www.ieee.hr/_download/repository/Ivan_Fratric.pdf
  30. Gawlik, R., Holz, T.: Towards automated integrity protection of C++ virtual function tables in binary programs. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC'14 (2014). URL http://doi.acm.org/10.1145/2664243.2664249
  31. Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: Proceedings of the 35th IEEE Symposium on Security and Privacy, SP'14 (2014). URL http://dx.doi.org/10.1109/SP.2014.43
  32. Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., Portokalidis, G.: Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671252
  33. Gupta, S., Pratap, P., Saran, H., Arun-Kumar, S.: Dynamic code instrumentation to detect and recover from return address corruption. In: Proceedings of the 2006 International Workshop on Dynamic Systems Analysis, WODA'06, pp. 65–72 (2006). URL http://doi.acm.org/10.1145/1138912.1138926
  34. Jalayeri, S.: Bypassing EMET 3.5's ROP mitigations (2012). URL https://repret.wordpress.com/2012/08/08/bypassing-emet-3-5s-rop-mitigations/
  35. Jang, D., Tatlock, Z., Lerner, S.: SAFEDISPATCH: securing C++ virtual calls from memory corruption attacks. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS'14 (2014). URL http://www.internetsociety.org/doc/safedispatch-securing-c-virtual-calls-memory-corruption-attacks
  36. jduck: The latest Adobe exploit and session upgrading (2010). URL http://bugix-security.blogspot.de/2010/03/adobe-pdf-libtiff-working-exploitcve.html
  37. Kayaalp, M., Ozsoy, M., Abu-Ghazaleh, N., Ponomarev, D.: Branch regulation: low-overhead protection from code reuse attacks. In: Proceedings of the 39th Annual International Symposium on Computer Architecture, ISCA'12 (2012). URL http://dl.acm.org/citation.cfm?id=2337159.2337171
  38. Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: Proceedings of the 11th USENIX Security Symposium (2002). URL http://dl.acm.org/citation.cfm?id=647253.720293
  39. McCamant, S., Morrisett, G.: Evaluating SFI for a CISC architecture. In: Proceedings of the 15th USENIX Security Symposium (2006). URL http://dl.acm.org/citation.cfm?id=1267336.1267351
  40. Microsoft: Enhanced Mitigation Experience Toolkit. URL https://www.microsoft.com/emet
  41. Niu, B., Tan, G.: Monitor integrity protection with space efficiency and separate compilation. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, CCS'13 (2013). URL http://doi.acm.org/10.1145/2508859.2516649
  42. Niu, B., Tan, G.: Modular control-flow integrity. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI'14 (2014). URL http://doi.acm.org/10.1145/2594291.2594295
  43. Niu, B., Tan, G.: RockJIT: securing just-in-time compilation using modular control-flow integrity. In: Proceedings of the 21st ACM Conference on Computer and Communications Security, CCS'14 (2014). URL http://doi.acm.org/10.1145/2660267.2660281
  44. Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., Kirda, E.: G-Free: defeating return-oriented programming through gadget-less binaries. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC'10 (2010). URL http://doi.acm.org/10.1145/1920261.1920269
  45. Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534805
  46. Pewny, J., Holz, T.: Compiler-based CFI for iOS. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC'13 (2013). URL http://doi.acm.org/10.1145/2523649.2523674
  47. Prakash, A., Yin, H., Liang, Z.: Enforcing system-wide control flow integrity for exploit detection and diagnosis. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security, ASIACCS'13 (2013). URL http://doi.acm.org/10.1145/2484313.2484352
  48. Prakash, A., Hu, X., Yin, H.: vfGuard: strict protection for virtual function calls in COTS C++ binaries. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS'15 (2015). URL http://www.internetsociety.org/doc/vfguard-strict-protection-virtual-function-calls-cots-c-binaries
  49. rix: Smashing C++ VPTRS. Phrack Magazine 56(8) (2000). URL http://phrack.org/issues/56/8.html
  50. Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., Holz, T.: Evaluating the effectiveness of current anti-ROP defenses. In: Research in Attacks, Intrusions and Defenses. Lecture Notes in Computer Science, vol. 8688 (Springer International Publishing, 2014). URL http://dx.doi.org/10.1007/978-3-319-11379-1_5
  51. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: Proceedings of the 36th IEEE Symposium on Security and Privacy, SP'15 (2015). doi:10.1109/SP.2015.51
  52. Sehr, D., Muth, R., Biffle, C., Khimenko, V., Pasko, E., Schimpf, K., Yee, B., Chen, B.: Adapting software fault isolation to contemporary CPU architectures. In: Proceedings of the 19th USENIX Security Symposium (2010). URL http://dl.acm.org/citation.cfm?id=1929820.1929822
  53. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS'07 (2007). URL http://doi.acm.org/10.1145/1315245.1315313
  54. Sinnadurai, S., Zhao, Q., Fai Wong, W.: Transparent runtime shadow stack: protection against malicious return address modifications (2008). URL http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.120.5702s
  55. Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, SP'13 (2013). URL http://dx.doi.org/10.1109/SP.2013.45. Received the Best Student Paper Award
  56. Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671285
  57. Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. SIGOPS Oper. Syst. Rev. 27(5), 203–216 (1993). URL http://doi.acm.org/10.1145/173668.168635
  58. Wang, Z., Jiang, X.: HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of the 31st IEEE Symposium on Security and Privacy, SP'10 (2010). URL http://dx.doi.org/10.1109/SP.2010.30
  59. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN'12 (2012). URL http://dl.acm.org/citation.cfm?id=2354410.2355130
  60. Yee, B., Sehr, D., Dardyk, G., Chen, J.B., Muth, R., Ormandy, T., Okasaka, S., Narula, N., Fullagar, N.: Native Client: a sandbox for portable, untrusted x86 native code. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP'09 (2009). URL http://dx.doi.org/10.1109/SP.2009.25
  61. Zeng, B., Tan, G., Erlingsson, Ú.: Strato: a retargetable framework for low-level inlined-reference monitors. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534798
  62. Zeng, B., Tan, G., Morrisett, G.: Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS'11 (2011). URL http://doi.acm.org/10.1145/2046707.2046713
  63. Zhang, T., Zhuang, X., Pande, S., Lee, W.: Anomalous path detection with hardware support. In: Proceedings of the 2005 International Conference on Compilers, Architectures and Synthesis for Embedded Systems, CASES'05 (2005). URL http://doi.acm.org/10.1145/1086297.1086305
  64. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534796
  65. Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity & randomization for binary executables. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, SP'13 (2013). URL http://dx.doi.org/10.1109/SP.2013.44
  66. Zhang, C., Song, C., Chen, K.Z., Chen, Z., Song, D.: VTint: defending virtual function tables' integrity. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS'15 (2015). URL http://www.internetsociety.org/doc/vtint-protecting-virtual-function-tables%E2%80%99-integrity
  67. Zovi, D.D.: Practical return-oriented programming. SOURCE Boston (2010). URL http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf

Copyright information

© The Author(s) 2015

Authors and Affiliations

  • Lucas Davi (1)
  • Ahmad-Reza Sadeghi (1)
  1. CASED, Technische Universität Darmstadt, Darmstadt, Germany