Abstract
This paper presents a stateful forward-edge CFI mechanism based on a novel use of Intel Memory Protection Extensions (MPX). To enforce stateful CFI policies, we protect against malicious modification of the pointers on the dereference paths of indirect jumps and function calls by saving these pointers into shadow memory. Intel MPX, which stores a pointer's bounds in shadow memory, offers the capability of managing a copy of these indirectly dereferenced pointers. There are two challenges in applying MPX to forward-edge CFI enforcement. First, because MPX is designed to check every pointer that may cause a memory error, it incurs unacceptable runtime overhead. Second, the MPX defense has holes when maintaining interoperability with legacy code. We address these challenges by protecting only the pointers on the dereference paths of indirect function calls and jumps, and by performing an additional check on the loaded pointer value. We have implemented our mechanism in the LLVM compiler and evaluated it on a commodity Intel Skylake machine with MPX support. Evaluation results show that our mechanism is effective in enforcing forward-edge CFI while incurring acceptable performance overhead.
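The scheme the abstract describes, reduced to its core idea, as an added example that is not the paper's code and does not use MPX instructions: each code-pointer slot on an indirect-call path gets a shadow copy keyed by the slot's address at store time, and the value reloaded before the indirect call is compared against that copy. The shadow table, the `cfi_store`/`cfi_check` names, the `struct request` victim layout and the overflow payload are all constructed for illustration. The separate "untracked" verdict models the legacy-code hole the abstract mentions: when the MPX bounds table has no matching entry for a pointer, BNDLDX yields permissive INIT bounds rather than a fault, which is why an explicit check on the loaded pointer value is needed instead of relying on the bounds alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*handler_t)(void);

/* Hypothetical shadow table standing in for the MPX bounds table: each
 * entry is keyed by the address of a code-pointer slot and remembers the
 * value last stored there through an instrumented store (BNDSTX likewise
 * keys on the pointer's address and records the pointer value). */
#define SHADOW_SLOTS 64
struct shadow_entry {
    const handler_t *slot;   /* address of the protected pointer slot */
    handler_t value;         /* copy of the pointer last stored there */
    int used;
};
static struct shadow_entry shadow[SHADOW_SLOTS];

enum cfi_result { CFI_OK = 0, CFI_MISMATCH = 1, CFI_UNTRACKED = 2 };

static struct shadow_entry *shadow_lookup(const handler_t *slot)
{
    for (int i = 0; i < SHADOW_SLOTS; i++)
        if (shadow[i].used && shadow[i].slot == slot)
            return &shadow[i];
    return NULL;
}

/* Instrumented store: write the code pointer and mirror it in shadow.
 * Returns -1 if the table is full and the slot cannot be protected. */
int cfi_store(handler_t *slot, handler_t value)
{
    struct shadow_entry *e = shadow_lookup(slot);
    if (!e) {
        for (int i = 0; i < SHADOW_SLOTS && !e; i++)
            if (!shadow[i].used) e = &shadow[i];
        if (!e) return -1;
        e->used = 1;
        e->slot = slot;
    }
    *slot = value;
    e->value = value;
    return 0;
}

/* Instrumented load before an indirect call: reload the pointer and compare
 * it with the shadow copy. A slot with no entry was last written by
 * uninstrumented (legacy) code; it is reported rather than silently passed. */
enum cfi_result cfi_check(handler_t *slot, handler_t *out)
{
    handler_t loaded = *slot;
    struct shadow_entry *e = shadow_lookup(slot);
    if (!e) { *out = loaded; return CFI_UNTRACKED; }
    if (e->value != loaded) { *out = NULL; return CFI_MISMATCH; }
    *out = loaded;
    return CFI_OK;
}

/* Constructed victim: a buffer followed by a code pointer, the layout an
 * overflow uses to redirect a forward edge. */
struct request {
    char name[16];
    handler_t on_done;
};

static int good_calls;
static void good_handler(void) { good_calls++; }
static void evil_gadget(void)  { abort(); }   /* attacker's intended target */

/* Simulated attack: an unchecked copy overruns name[] and overwrites on_done. */
void corrupt_request(struct request *r)
{
    unsigned char payload[sizeof(struct request)];
    handler_t target = evil_gadget;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct request, on_done), &target, sizeof target);
    memcpy(r, payload, sizeof payload);        /* the overflow */
}

/* Stores a handler through the instrumented path, optionally corrupts it,
 * then dispatches only if the check passes. Returns the CFI verdict. */
enum cfi_result run_scenario(int attack)
{
    struct request r;
    memset(&r, 0, sizeof r);
    cfi_store(&r.on_done, good_handler);
    if (attack) corrupt_request(&r);
    handler_t h;
    enum cfi_result v = cfi_check(&r.on_done, &h);
    if (v == CFI_OK) h();
    return v;
}

/* A slot written by uninstrumented code never reaches the shadow table. */
static handler_t legacy_slot;
enum cfi_result run_untracked(void)
{
    legacy_slot = good_handler;   /* plain store, no cfi_store */
    handler_t h;
    return cfi_check(&legacy_slot, &h);
}

int main(void)
{
    printf("benign request: verdict %d\n", run_scenario(0));
    printf("overflowed request: verdict %d\n", run_scenario(1));
    printf("legacy-written slot: verdict %d\n", run_untracked());
    return 0;
}
```

The benign path dispatches through `good_handler`; the overflowed path is refused before the indirect call because the reloaded pointer no longer matches its shadow copy. The `CFI_UNTRACKED` outcome shows why instrumenting only the dereference paths of indirect calls, as the abstract proposes, still has to treat a missing shadow entry as a distinct case rather than trusting MPX's default bounds.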
Acknowledgments
We thank the anonymous reviewers for their valuable comments. This work was supported by the China National Science Fund for Outstanding Young Scholars under grant No. 61522212; National Key R&D Plan under grant No. 2017YFB1001602; Frontier Science Research Projects, Chinese Academy of Science, under grant No. QYZDB-SSW-JSC010; and National Natural Science Foundation of China (NSFC) under grant No. 61521092 and No. 61502459.
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Zhang, J. et al. (2018). Stateful Forward-Edge CFI Enforcement with Intel MPX. In: Li, C., Wu, J. (eds) Advanced Computer Architecture. ACA 2018. Communications in Computer and Information Science, vol 908. Springer, Singapore. https://doi.org/10.1007/978-981-13-2423-9_7
DOI: https://doi.org/10.1007/978-981-13-2423-9_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-2422-2
Online ISBN: 978-981-13-2423-9
eBook Packages: Computer Science (R0)