DOI: 10.5555/2671225.2671285

Enforcing forward-edge control-flow integrity in GCC & LLVM

Published: 20 August 2014

Abstract

Constraining dynamic control transfers is a common technique for mitigating software vulnerabilities. This defense has been widely and successfully used to protect return addresses and stack data; hence, current attacks instead typically corrupt vtable and function pointers to subvert a forward edge (an indirect jump or call) in the control-flow graph. Forward edges can be protected using Control-Flow Integrity (CFI) but, to date, CFI implementations have been research prototypes, based on impractical assumptions or ad hoc, heuristic techniques. To be widely adoptable, CFI mechanisms must be integrated into production compilers and be compatible with software-engineering aspects such as incremental compilation and dynamic libraries.
This paper presents implementations of fine-grained, forward-edge CFI enforcement and analysis for GCC and LLVM that meet the above requirements. An analysis and evaluation of the security, performance, and resource consumption of these mechanisms applied to the SPEC CPU2006 benchmarks and common benchmarks for the Chromium web browser show the practicality of our approach: these fine-grained CFI mechanisms have significantly lower overhead than recent academic CFI prototypes. Implementing CFI in industrial compiler frameworks has also led to insights into design tradeoffs and practical challenges, such as dynamic loading.
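The attack the abstract describes (overwrite a function pointer or vtable slot, then let an indirect call hand control to whatever it now holds) and the forward-edge check that stops it, as an added example in C. This is illustrative code written for this page, not the paper's GCC/LLVM implementation: the target table, cfi_check_handler, struct request and corrupt_request are all invented here, and the overflow is simulated with a constructed payload rather than triggered by a real bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative target class: every legitimate indirect-call target of type
 * int (*)(int) in this program. A compiler pass would derive the class from
 * the static type and collect the address-taken functions; here the table
 * is written by hand (assumption for the example). */
typedef int (*handler_fn)(int);

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Attacker's goal: a function whose address legitimate code never takes,
 * so it is absent from the target table even though its type matches. */
static int secret_count = 0;
static int privileged_action(int unused) { (void)unused; return ++secret_count; }

/* Allowed targets for handler_fn call sites. */
static const handler_fn handler_targets[] = { double_it, negate };

/* The forward-edge check: exact address membership, so a pointer into the
 * middle of an allowed function is rejected as well. */
static bool cfi_check_handler(handler_fn target) {
    for (size_t i = 0; i < sizeof handler_targets / sizeof handler_targets[0]; i++)
        if (handler_targets[i] == target) return true;
    return false;
}

enum call_result { CALL_OK = 0, CALL_BLOCKED = 1 };

/* Unprotected forward edge: whatever the pointer holds gets control. */
static int unchecked_call(handler_fn fp, int arg) { return fp(arg); }

/* Protected forward edge: the guard runs before the transfer. A production
 * implementation traps (abort/ud2) instead of returning CALL_BLOCKED. */
static enum call_result checked_call(handler_fn fp, int arg, int *out) {
    if (!cfi_check_handler(fp)) return CALL_BLOCKED;
    *out = fp(arg);
    return CALL_OK;
}

/* A function pointer stored right after a buffer: the layout that turns a
 * buffer overflow into a corrupted forward edge. */
struct request {
    char name[8];
    handler_fn on_done;
};

/* Constructed stand-in for an overflow of `name`: fills the object with
 * 'A's and lands `evil` on top of `on_done`. */
static void corrupt_request(struct request *r, handler_fn evil) {
    unsigned char payload[sizeof *r];
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct request, on_done), &evil, sizeof evil);
    memcpy(r, payload, sizeof payload);
}

int main(void) {
    struct request r = { "req", double_it };
    int out = 0;

    checked_call(r.on_done, 21, &out);
    printf("benign call: out=%d\n", out);

    corrupt_request(&r, privileged_action);
    printf("unchecked call after corruption: gadget ran %d time(s)\n",
           unchecked_call(r.on_done, 0));

    printf("checked call after corruption: %s\n",
           checked_call(r.on_done, 21, &out) == CALL_BLOCKED ? "blocked" : "allowed");
    return 0;
}
```

Compile with any C compiler (for example `cc -O2 cfi_demo.c`). Along the unchecked path the corrupted pointer runs privileged_action; along the checked path the same pointer is rejected because it is not in the target set, even though its type matches, and a pointer into the middle of an allowed function is rejected too. Clang's production descendant of this work is enabled with `-fsanitize=cfi-icall` (which needs `-flto` and `-fvisibility=hidden`); it checks an indirect call against the set of address-taken functions of the call's static type and traps rather than returning an error code.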

References

[1] M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. ACM Trans. Info. & System Security, 13(1):4:1-4:40, Oct. 2009.
[2] T. Bao, J. Burket, and M. Woo. BYTEWEIGHT: Learning to recognize functions in binary code. In Proceedings of USENIX Security 2014, Aug. 2014.
[3] J. Caballero, G. Grieco, M. Marron, and A. Nappa. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of ISSTA 2012, July 2012.
[4] N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In Proceedings of USENIX Security 2014, Aug. 2014.
[5] M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. In Proceedings of SOSP 2009, Oct. 2009.
[6] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of CCS 2010, pages 559-572. ACM Press, Oct. 2010. URL https://cs.jhu.edu/~s/papers/noret_ccs2010.html.
[7] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of USENIX Security 1998, Jan. 1998.
[8] "d0c_s4vage". Insecticides don't kill bugs, Patch Tuesdays do. Online: http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html, June 2013.
[9] L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In Proceedings of NDSS 2012, Feb. 2012.
[10] L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of USENIX Security 2014, Aug. 2014.
[11] A. Edwards, A. Srivastava, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, Apr. 2001.
[12] Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. Necula. XFI: Software guards for system address spaces. In Proceedings of OSDI 2006, pages 75-88, Nov. 2006.
[13] Ú. Erlingsson, Y. Younan, and F. Piessens. Low-level software security by example. In P. Stavroulakis and M. Stamp, editors, Handbook of Information and Communication Security, pages 633-658. Springer Berlin Heidelberg, 2010.
[14] C. Evans. Exploiting 64-bit Linux like a boss. Online: http://scarybeastsecurity.blogspot.com/search?q=Exploiting+64-bit+linux, 2013.
[15] E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In Proceedings of the 35th IEEE Symposium on Security and Privacy (Oakland), May 2014.
[16] E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Proceedings of USENIX Security 2014, Aug. 2014.
[17] Google Developers. Native Client. Online: https://developers.google.com/native-client/, 2013.
[18] ISO. ISO/IEC 14882:2011 Information technology -- Programming languages -- C++. International Organization for Standardization, Geneva, Switzerland, Feb. 2012.
[19] D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Proceedings of NDSS 2014. Internet Society, Feb. 2014.
[20] K. Kortchinsky. 10 years later, which vulnerabilities still matter? Online: http://ensiwiki.ensimag.fr/images/e/e8/GreHack-2012-talk-Kostya_Kortchinsky_Crypt0ad_-10_years_later_which_in_memory_vulnerabilities_still_matter.pdf, 2012.
[21] G. Morrisett, G. Tan, J. Tassarotti, J.-B. Tristan, and E. Gan. RockSalt: Better, faster, stronger SFI for the x86. In Proceedings of PLDI 2012, pages 395-404, June 2012.
[22] Mozilla Foundation. Mozilla Foundation security advisory 2013-29. Online: https://www.mozilla.org/security/announce/2013/mfsa2013-29.html, 2013.
[23] MWR InfoSecurity. Pwn2Own at CanSecWest 2013. Online: https://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013, 2013.
[24] T. Mytkowicz, A. Diwan, M. Hauswirth, and P. Sweeney. Producing wrong data without doing anything obviously wrong! In Proceedings of ASPLOS 2009, Mar. 2009.
[25] NIST. CVE-2010-0249. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249, 2010.
[26] NIST. CVE-2010-3971. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3971, 2010.
[27] NIST. CVE-2011-1255. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1255, 2011.
[28] B. Niu and G. Tan. Monitor integrity protection with space efficiency and separate compilation. In Proceedings of CCS 2013, Nov. 2013.
[29] J. Pewny and T. Holz. Control-flow restrictor: Compiler-based CFI for iOS. In Proceedings of ACSAC 2013, Dec. 2013.
[30] R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. & System Security, 15(1), Mar. 2012.
[31] Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland) 2011, May 2011.
[32] B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In Proceedings of CCS 2011, Oct. 2011.
[33] B. Zeng, G. Tan, and Ú. Erlingsson. Strato: A retargetable framework for low-level inlined-reference monitors. In Proceedings of USENIX Security 2013, Aug. 2013.
[34] C. Zhang, T. Wei, Z. Chen, L. Duan, S. McCamant, L. Szekeres, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In Proceedings of the 34th IEEE Symposium on Security and Privacy (Oakland), May 2013.
[35] M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In Proceedings of USENIX Security 2013, Aug. 2013.

Published In

SEC'14: Proceedings of the 23rd USENIX Conference on Security Symposium
August 2014, 1067 pages
ISBN: 9781931971157
Program Chair: Kevin Fu

Sponsors

• Akamai
• Google Inc.
• IBM Research
• NSF
• Microsoft Research
• USENIX Association

Publisher

USENIX Association, United States

Cited By

• Integrating Static Analyses for High-Precision Control-Flow Integrity. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses (2024), pages 419-434. doi:10.1145/3678890.3678920. Online: 30 Sep 2024.
• Boosting Practical Control-Flow Integrity with Complete Field Sensitivity and Origin Awareness. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 4524-4538. doi:10.1145/3658644.3670308. Online: 2 Dec 2024.
• SoftBound+CETS Revisited. Proceedings of the 17th European Workshop on Systems Security (2024), pages 22-28. doi:10.1145/3642974.3652285. Online: 22 Apr 2024.
• R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage. Proceedings of the Eighteenth European Conference on Computer Systems (2023), pages 488-504. doi:10.1145/3552326.3587439. Online: 8 May 2023.
• AttnCall: Refining Indirect Call Targets in Binaries with Attention. Computer Security – ESORICS 2023, pages 391-409. doi:10.1007/978-3-031-51482-1_20. Online: 25 Sep 2023.
• TyPro: Forward CFI for C-Style Indirect Function Calls Using Type Propagation. Proceedings of the 38th Annual Computer Security Applications Conference (2022), pages 346-360. doi:10.1145/3564625.3564627. Online: 5 Dec 2022.
• Non-Distinguishable Inconsistencies as a Deterministic Oracle for Detecting Security Bugs. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 3253-3267. doi:10.1145/3548606.3560661. Online: 7 Nov 2022.
• RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (2022), pages 30-42. doi:10.1145/3545948.3545997. Online: 26 Oct 2022.
• Program Obfuscation via ABI Debiasing. Proceedings of the 37th Annual Computer Security Applications Conference (2021), pages 146-157. doi:10.1145/3485832.3488017. Online: 6 Dec 2021.
• Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 3337-3351. doi:10.1145/3460120.3484551. Online: 12 Nov 2021.
