DOI: 10.1145/3658644.3670308
research-article

Boosting Practical Control-Flow Integrity with Complete Field Sensitivity and Origin Awareness

Published: 09 December 2024

Abstract

Control-flow integrity (CFI) is a strong and efficient defense mechanism against memory-corruption attacks. The practical versions of CFI, which have been integrated into compilers, employ static analysis to collect all possibly valid target functions of indirect calls. They are, however, less effective because the static analysis is imprecise. While more precise CFI techniques have been proposed, such as dynamic CFI, they are not yet practical due to issues with performance, compatibility, and deployability. We believe that, to be practical, CFI based on static analysis is still the promising direction. However, recent years have not seen much progress on the effectiveness of such practical CFI.
This paper aims to boost the effectiveness of practical CFI by dramatically optimizing the target-function sets (aka equivalence classes or ECs) of indirect calls. We first identify two fundamental limitations that lead to the imprecision of static indirect-call analysis: incomplete field sensitivity due to variable field indexes, and unawareness of the origins of points-to targets. We then propose two novel analysis techniques, complete field sensitivity and origin awareness, which handle variable field indexes and distinguish target origins. The techniques dramatically reduce the size of the target-function sets. To enforce origin awareness, we further employ Intel Memory Protection Keys to safely store the origin information. We implement our techniques as a system called ECCut. The evaluation results show that, compared to the mainline LLVM CFI, ECCut achieves a substantial reduction of 94.8% and 90.3% in the average and the largest EC sizes, respectively. Compared to the state-of-the-art origin-aware CFI (i.e., OS-CFI), ECCut reduces the average and the largest EC sizes by 90.2% and 89.3%, respectively. Additionally, ECCut introduces an acceptable performance overhead (7.2% on average) observed across a comprehensive range of C/C++ benchmark tests in SPEC CPU2006, SPEC CPU2017, and six real-world applications.

      Published In

      CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
      December 2024
      5188 pages
      ISBN: 9798400706363
      DOI: 10.1145/3658644

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. complete field sensitivity
      2. control-flow integrity
      3. origin awareness
      4. static analysis

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Total Citations: 0
      • Total Downloads: 151
      • Downloads (Last 12 months): 151
      • Downloads (Last 6 weeks): 109
      Reflects downloads up to 26 Jan 2025
