ABSTRACT
Current Control-Flow Integrity (CFI) implementations track control edges individually, insensitive to the context of preceding edges. Recent work demonstrates that this leaves sufficient leeway for powerful ROP attacks. Context-sensitive CFI, which can provide enhanced security, is widely considered impractical for real-world adoption. Our work shows that Context-sensitive CFI (CCFI) for both the backward and forward edge can be implemented efficiently on commodity hardware. We present PathArmor, a binary-level CCFI implementation which tracks paths to sensitive program states, and defines the set of valid control edges within the state context to yield higher precision than existing CFI implementations. Even with simple context-sensitive policies, PathArmor yields significantly stronger CFI invariants than context-insensitive CFI, with similar performance.
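As an added illustration (not code from the PathArmor paper), the following Python model shows the distinction the abstract draws, using a constructed toy control-flow graph: context-insensitive CFI accepts any edge that appears in the graph, while the context-sensitive check validates the whole recorded path leading to a sensitive state and requires each return to go back to the call that produced it. The function names (main, parse, helper, sanitize) and the "sensitive" state are hypothetical.

```python
# Added illustration, not the paper's code: context-insensitive vs.
# context-sensitive CFI checks on a constructed toy control-flow graph.
from typing import List, Tuple

Edge = Tuple[str, str, str]  # (kind, source, destination); kind in {"call", "ret", "jmp"}

# Hypothetical program: helper() is called from main() and from parse().
# main's return site may invoke the sensitive state directly, while parse's
# return site must pass through sanitize() first.
ALLOWED_EDGES = {
    ("call", "main", "helper"),
    ("call", "parse", "helper"),
    ("ret", "helper", "main_ret"),    # return site after the call in main
    ("ret", "helper", "parse_ret"),   # return site after the call in parse
    ("call", "main_ret", "sensitive"),
    ("jmp", "parse_ret", "sanitize"),
    ("call", "sanitize", "sensitive"),
}
RETURN_SITE = {"main": "main_ret", "parse": "parse_ret"}  # call site -> its return site
SENSITIVE = "sensitive"

def insensitive_ok(trace: List[Edge]) -> bool:
    """Context-insensitive CFI: each recorded edge is individually in the CFG."""
    return all(edge in ALLOWED_EDGES for edge in trace)

def context_sensitive_ok(trace: List[Edge]) -> bool:
    """Context-sensitive CFI: validate the whole path recorded up to the sensitive
    state; a return is valid only if it targets the site of the most recent
    unmatched call on that path (the backward-edge context)."""
    if not trace or trace[-1][2] != SENSITIVE or not insensitive_ok(trace):
        return False
    pending: List[str] = []  # return sites of calls still active on this path
    for kind, src, dst in trace:
        if kind == "call" and dst != SENSITIVE:
            pending.append(RETURN_SITE[src])
        elif kind == "ret" and (not pending or pending.pop() != dst):
            return False  # edge is in the CFG, but wrong for this path's context
    return True

# Constructed traces: lists of recorded edges ending at the sensitive state.
BENIGN_VIA_MAIN: List[Edge] = [
    ("call", "main", "helper"), ("ret", "helper", "main_ret"), ("call", "main_ret", "sensitive")]
BENIGN_VIA_PARSE: List[Edge] = [
    ("call", "parse", "helper"), ("ret", "helper", "parse_ret"),
    ("jmp", "parse_ret", "sanitize"), ("call", "sanitize", "sensitive")]
# Every edge below is in the CFG, yet helper returns to main's site although
# parse was the caller, skipping sanitize: only the path-level check rejects it.
DIVERTED: List[Edge] = [
    ("call", "parse", "helper"), ("ret", "helper", "main_ret"), ("call", "main_ret", "sensitive")]
```

Running `insensitive_ok` and `context_sensitive_ok` over the three traces shows the diverted path passing the per-edge check and failing the path check.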
Index Terms
- Practical Context-Sensitive CFI