
There Is Safety in Numbers: Preventing Control-Flow Hijacking by Duplication

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7617)

Abstract

Despite the large number of proposed countermeasures against control-flow hijacking attacks, these attacks still pose a great threat to today’s applications. The problem with existing solutions is that they either provide incomplete, probabilistic protection (e.g., stack canaries) or impose a high runtime overhead (e.g., bounds checking).

In this paper, we show how the concept of program-part duplication can be used to protect against control-flow hijacking attacks, and we present two different instantiations of the duplication concept that protect against popular attack vectors. First, we use the duplication of functions to eliminate the need for return addresses and thus provide complete protection against attacks targeting a function’s return address. Then we demonstrate how the integrity of function pointers can be protected through the use of data duplication. We test the combined effectiveness of our two methods and experimentally show that they provide almost complete protection against control-flow hijacking attacks with only a low runtime overhead in real-world applications.
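As an added illustration of the data-duplication idea for function pointers described above (example code written here, not the paper's implementation; `shadow`, `checked_call` and the `request` struct are hypothetical), each function pointer is stored twice and the two copies are compared before every indirect call:

```c
#include <stdio.h>

/* Illustration of the abstract's data-duplication idea (hypothetical names,
   not the paper's implementation): every function pointer is stored twice,
   in its normal location and in a separate shadow region, and the two copies
   must agree before an indirect call is made. */

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Shadow copies live in their own global region, far from any stack buffer. */
#define MAX_HANDLERS 4
static handler_t shadow[MAX_HANDLERS];

struct request {
    char buf[16];    /* untrusted data sits right next to the pointer */
    handler_t cb;    /* primary copy of the control data */
    int slot;        /* which shadow entry holds the duplicate */
};

static void set_handler(struct request *r, int slot, handler_t fn) {
    r->slot = slot;
    r->cb = fn;
    shadow[slot] = fn;   /* duplicate the pointer at assignment time */
}

/* Returns 1 if the copies agree and the call was made, 0 on a mismatch. */
static int checked_call(struct request *r, int arg, int *out) {
    if (r->slot < 0 || r->slot >= MAX_HANDLERS) return 0; /* slot itself corrupted */
    if (r->cb != shadow[r->slot]) return 0;               /* copies disagree */
    *out = r->cb(arg);
    return 1;
}

/* Constructed scenario: only the primary copy is clobbered (written directly
   here, as an overflow of buf could do); the shadow copy is untouched. */
static int demo_detects_clobber(void) {
    struct request r;
    int out = 0;
    set_handler(&r, 0, double_it);
    if (!checked_call(&r, 21, &out) || out != 42) return 0;
    r.cb = negate;                            /* simulated corruption */
    return checked_call(&r, 21, &out) == 0;   /* 1: mismatch caught */
}

int main(void) {
    printf("clobber detected: %s\n", demo_detects_clobber() ? "yes" : "no");
    return 0;
}
```

The check only helps if the duplicate cannot be reached by the same write that corrupts the primary copy, which is why the shadow copy is kept in a separate region here.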

Keywords

  • control-data attacks
  • duplication
  • return addresses
  • function pointers



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Noorman, J., Nikiforakis, N., Piessens, F. (2012). There Is Safety in Numbers: Preventing Control-Flow Hijacking by Duplication. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_8

  • DOI: https://doi.org/10.1007/978-3-642-34210-3_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer Science (R0)