Abstract
Despite the large number of proposed countermeasures against control-flow hijacking attacks, these attacks still pose a great threat to today's applications. The problem with existing solutions is that they either provide incomplete, probabilistic protection (e.g., stack canaries) or impose a high runtime overhead (e.g., bounds checking).
In this paper, we show how the concept of program-part duplication can be used to protect against control-flow hijacking attacks, and we present two different instantiations of the duplication concept that protect against popular attack vectors. First, we use the duplication of functions to eliminate the need for return addresses and thus provide complete protection against attacks targeting a function's return address. Then we demonstrate how the integrity of function pointers can be protected through the use of data duplication. We test the combined effectiveness of our two methods and experimentally show that they provide almost complete protection against control-flow hijacking attacks with only a low runtime overhead in real-world applications.
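The function-pointer half of the scheme, as an added illustration that is not code from the paper: the pointer is stored twice, once in the dispatcher struct and once in a separate shadow table, and every indirect call first checks that the two copies still agree before using the pointer. The `struct dispatcher`, the `shadow_copy` table and the slot index are assumptions made here for illustration; the paper's compiler-based instantiation chooses where the duplicate lives itself.

```c
typedef int (*handler_fn)(int);

static int double_it(int x) { return 2 * x; }
static int negate_it(int x) { return -x; }

/* Assumed layout for this example: the primary pointer sits right after a
 * buffer, where a linear overflow could reach it; the duplicate lives in a
 * separate shadow table that the same overflow cannot reach contiguously. */
#define MAX_HANDLERS 4
static handler_fn shadow_copy[MAX_HANDLERS];

struct dispatcher {
    char buf[16];
    handler_fn handler;   /* primary copy */
    int slot;             /* index of the duplicate in shadow_copy */
};

static int set_handler(struct dispatcher *d, int slot, handler_fn fn) {
    if (slot < 0 || slot >= MAX_HANDLERS) return -1;
    d->handler = fn;
    d->slot = slot;
    shadow_copy[slot] = fn;   /* write the duplicate */
    return 0;
}

/* Checked indirect call: 0 on success (result in *out),
 * -1 if the two copies disagree, i.e. the pointer was tampered with. */
static int checked_call(const struct dispatcher *d, int arg, int *out) {
    if (d->slot < 0 || d->slot >= MAX_HANDLERS) return -1;
    if (d->handler != shadow_copy[d->slot]) return -1;
    *out = d->handler(arg);
    return 0;
}

/* Untouched pointer: the check passes and the call goes through (42). */
int run_intact(void) {
    struct dispatcher d;
    int out = 0;
    set_handler(&d, 0, double_it);
    return checked_call(&d, 21, &out) == 0 ? out : -1;
}

/* Constructed corruption: the primary copy is overwritten behind the
 * duplication API's back, so the duplicate disagrees and the call is refused. */
int run_corrupted(void) {
    struct dispatcher d;
    int out = 0;
    set_handler(&d, 1, double_it);
    d.handler = negate_it;   /* stands in for an out-of-bounds write */
    return checked_call(&d, 21, &out);
}
```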
Keywords
- control-data attacks
- duplication
- return addresses
- function pointers
© 2012 Springer-Verlag Berlin Heidelberg
Noorman, J., Nikiforakis, N., Piessens, F. (2012). There Is Safety in Numbers: Preventing Control-Flow Hijacking by Duplication. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_8
DOI: https://doi.org/10.1007/978-3-642-34210-3_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3