DOI: 10.1145/2593069.2596656
research-article

Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation

Published: 01 June 2014

ABSTRACT

Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, mobile and wearable devices. However, due to resource constraints, they fail to provide sufficient security, and are particularly vulnerable to runtime attacks (code injection and ROP). Previous works have proposed the enforcement of control-flow integrity (CFI) as a general defense against runtime attacks. However, existing solutions either suffer from performance overhead or only enforce coarse-grained CFI policies that a sophisticated adversary can undermine. In this paper, we tackle these limitations and present the design of novel security hardware mechanisms to enable fine-grained CFI checks. Our CFI proposal is based on a state model and a per-function CFI label approach. In particular, our CFI policies ensure that function returns can only transfer control to active call sites (i.e., return landing pads of functions currently executing). Further, we restrict indirect calls to target the beginning of a function, and lastly, deploy behavioral heuristics for indirect jumps.
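
The return and indirect-call policies described in the abstract, as an added software model (not code from the paper or its authors). The class and function names, addresses, labels and traces are assumptions constructed for illustration, and the indirect-jump heuristics are not modelled.

```python
# Added software model of the return and indirect-call policies in the abstract.
# Addresses, labels and traces below are constructed for illustration.

class CFIViolation(Exception):
    """A control transfer that the modelled policy rejects."""

class CFIMonitor:
    def __init__(self, entries, landing_pads, root):
        self.entries = entries            # function entry address -> label
        self.landing_pads = landing_pads  # landing-pad address -> enclosing function
        self.active = {root: 1}           # label -> activation count (recursion-safe)

    def call(self, target):
        # Indirect calls may only target the beginning of a function.
        label = self.entries.get(target)
        if label is None:
            raise CFIViolation(f"call to non-entry address {target:#x}")
        self.active[label] = self.active.get(label, 0) + 1

    def ret(self, callee, target):
        # The returning function stops executing; the target must be a
        # landing pad inside a function that is still executing.
        remaining = dict(self.active)
        remaining[callee] = remaining.get(callee, 0) - 1
        owner = self.landing_pads.get(target)
        if owner is None or remaining.get(owner, 0) < 1:
            raise CFIViolation(f"return to {target:#x} rejected")
        self.active = remaining

ENTRIES = {0x100: "main", 0x200: "parse", 0x300: "log", 0x400: "update"}
PADS = {0x110: "main", 0x210: "parse", 0x410: "update"}

def run(trace):
    """Replay (op, *args) events; return 'ok' or the first violation."""
    mon = CFIMonitor(ENTRIES, PADS, root="main")
    for op, *args in trace:
        try:
            getattr(mon, op)(*args)
        except CFIViolation as exc:
            return str(exc)
    return "ok"

BENIGN = [("call", 0x200), ("call", 0x300), ("ret", "log", 0x210), ("ret", "parse", 0x110)]
BAD_RET = [("call", 0x200), ("call", 0x300), ("ret", "log", 0x410)]   # update is not active
BAD_CALL = [("call", 0x304)]                                          # middle of log

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("bad_ret", BAD_RET), ("bad_call", BAD_CALL)]:
        print(name, "->", run(trace))
```

A return from log to main's landing pad at 0x110 is also accepted by this model, because the policy as stated checks that the enclosing function is active rather than which call site made the call.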

Published in: DAC '14: Proceedings of the 51st Annual Design Automation Conference
June 2014, 1249 pages
ISBN: 9781450327305
DOI: 10.1145/2593069

Copyright © 2014 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article, Research, Refereed limited

Overall Acceptance Rate: 1,770 of 5,499 submissions, 32%