More Web Proxy on the site http://driver.im/

research-article

Free access

Control Flow and Code Integrity for COTS binaries: An Effective Defense Against Real-World ROP Attacks

Authors:

R. SekarAuthors Info & Claims

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Pages 91 - 100

https://doi.org/10.1145/2818000.2818016

Published: 07 December 2015 Publication History

Abstract

Despite decades of sustained effort, memory corruption attacks continue to be one of the most serious security threats faced today. They are highly sought after by attackers, as they provide ultimate control --- the ability to execute arbitrary low-level code. Attackers have shown time and again their ability to overcome widely deployed countermeasures such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by crafting Return Oriented Programming (ROP) attacks. Although Turing-complete ROP attacks have been demonstrated in research papers, real-world ROP payloads have had a more limited objective: that of disabling DEP so that injected native code attacks can be carried out. In this paper, we provide a systematic defense, called Control Flow and Code Integrity (CFCI), that makes injected native code attacks impossible. CFCI achieves this without sacrificing compatibility with existing software, the need to replace system programs such as the dynamic loader, and without significant performance penalty. We will release CFCI as open-source software by the time of this conference.

References

[1]

CVE-2000-0854: Earliest side-loading attack.

[2]

CVE-2007-3508: Integer overflow in loader. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3508.

[3]

CVE-2010-0830: Integer signedness error in loader. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830.

[4]

CVE-2010-3847: privilege escalation in loader with $origin for the ld_audit environment variable. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847.

[5]

CVE-2010-3856: privilege escalation in loader with the ld audit environment. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856.

[6]

CVE-2011-0562: Untrusted search path vulnerability in adobe reader.

[7]

CVE-2011-0570: Untrusted search path vulnerability in adobe reader. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0570.

[8]

CVE-2011-0588: Untrusted search path vulnerability in adobe reader. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0588.

[9]

CVE-2011-1658: privilege escalation in loader with $origin in rpath. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658.

[10]

CVE-2011-2398: privilege escalation in loader. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2398.

[11]

CVE-2012-0158: Side loading attack via microsoft office. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158.

[12]

CVE-2013-0977: overlapping segments. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977.

[13]

CVE-2014-1273: text relocation. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273.

[14]

LibJIT. https://code.google.com/p/libjit-linear-scan-register-allocator/.

[15]

WinSxS: Side-by-side assembly. http://en.wikipedia.org/wiki/Side-by-side_assembly.

[16]

M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In CCS, 2005.

Digital Library

[17]

P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In USENIX Security, 2009.

Digital Library

[18]

M. Backes and S. Nürnberger. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In USENIX Security, 2014.

Digital Library

[19]

E. Bendersky. LibJIT Samples. https://github.com/eliben/libjit-samples, 2013.

[20]

S. Bhatkar and R. Sekar. Data space randomization. In DIMVA, 2008.

Digital Library

[21]

S. Bhatkar, R. Sekar, and D. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security, 2005.

Digital Library

[22]

N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX Security, 2014.

Digital Library

[23]

S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In S&P, 2015.

Digital Library

[24]

L. Davi, R. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nãijrnberger, and A. reza Sadeghi. MoCFI: a framework to mitigate control-flow attacks on smartphones. In NDSS, 2012.

[25]

L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security, 2014.

Digital Library

[26]

L. Davi, C. Liebchen, A.-R. Sadeghi, K. Z. Snow, and F. Monrose. Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In NDSS, 2015.

[27]

T. Durden. Bypassing pax aslr protection. Technical report, Phrack Magazine, vol. 0x0b, no. 0x3b, 2002.

[28]

I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In CCS, 2015.

Digital Library

[29]

A. D. Federico, A. Cama, Y. Shoshitaishvili, C. Kruegel, and G. Vigna. How the elf ruined christmas. In USENIX Security, 2015.

[30]

B. Ford and R. Cox. Vx32: lightweight user-level sandboxing on the x86. In USENIX ATC, 2008.

Digital Library

[31]

E. Göktaş, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In USENIX Security, 2014.

[32]

E. Gãűkta, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In S&P, 2014.

[33]

N. Hasabnis, A. Misra, and R. Sekar. Light-weight bounds checking. In ACM CGO, 2012.

Digital Library

[34]

R. W. M. Jones, P. H. J. Kelly, M. C, and U. Errors. Backwards-compatible bounds checking for arrays and pointers in c programs. In AADEBUG, 1997.

[35]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In OSDI, 2014.

Digital Library

[36]

L. Li, J. E. Just, and R. Sekar. Address-space randomization for windows systems. In ACSAC, 2006.

Digital Library

[37]

S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In USENIX Security, 2006.

Digital Library

[38]

V. Mohan, P. Larseny, S. Brunthalery, K. W. Hamlen, and M. Franz. Opaque control-flow integrity. In NDSS, 2015.

[39]

S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. SoftBound: highly compatible and complete spatial memory safety for c. In PLDI, 2009.

Digital Library

[40]

S. Nanda, W. Li, L.-C. Lam, and T.-c. Chiueh. BIRD: binary interpretation using runtime disassembly. In CGO, 2006.

Digital Library

[41]

S. Nanda, W. Li, L.-C. Lam, and T.-c. Chiueh. Foreign code detection on the windows/x86 platform. In ACSAC, 2006.

Digital Library

[42]

Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Magazine, 2001.

[43]

B. Niu and T. Gang. Per-input control-flow integrity. In CCS, 2015.

Digital Library

[44]

B. Niu and G. Tan. RockJIT: Securing just-in-time compilation using modular control-flow integrity.

[45]

B. Niu and G. Tan. Monitor integrity protection with space efficiency and separate compilation. In CCS, 2013.

Digital Library

[46]

B. Niu and G. Tan. Modular control-flow integrity. In PLDI, 2014.

Digital Library

[47]

PaX. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt, 2001.

[48]

M. Payer, T. Hartmann, and T. R. Gross. Safe loading - a foundation for secure execution of untrusted programs. In S&P, 2012.

Digital Library

[49]

J. Pewny and T. Holz. Control-flow Restrictor: Compiler-based CFI for iOS. In ACSAC, 2013.

Digital Library

[50]

A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In SOSP, 2007.

Digital Library

[51]

H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In CCS, 2007.

Digital Library

[52]

H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In CCS, 2004.

Digital Library

[53]

R. Shapiro, S. Bratus, and S. W. Smith. "weird machines" in elf: A spotlight on the underappreciated metadata. In USENIX WOOT, 2013.

Digital Library

[54]

K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In S&P, 2013.

Digital Library

[55]

C. Song, C. Zhang, T. Wang, W. Lee, and D. Melski. Exploiting and protecting dynamic code generation. In NDSS, 2015.

[56]

A. Stewart. DLL side-loading: A thorn in the side of the anti-virus industry, 2014. http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf.

[57]

C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-flow integrity in gcc & llvm. In USENIX Security, 2014.

Digital Library

[58]

V. van der Veen, D. Andriesse, E. Goktas, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida. Practical context-sensitive cfi. In CCS, 2015.

Digital Library

[59]

W. Xu, D. C. DuVarney, and R. Sekar. An efficient and backwards-compatible transformation to ensure memory safety of c programs. 2004.

Digital Library

[60]

B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: a sandbox for portable, untrusted x86 native code. In S&P, 2009.

Digital Library

[61]

Y. Younan, P. Philippaerts, L. Cavallaro, R. Sekar, F. Piessens, and W. Joosen. Paricheck: an efficient pointer arithmetic checker for c programs. In ACM ASIACCS, 2010.

Digital Library

[62]

B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In CCS, 2011.

Digital Library

[63]

C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In S&P, 2013.

Digital Library

[64]

M. Zhang. PSI: Platform for Static binary Instrumentation. http://seclab.cs.sunysb.edu/seclab/download.html.

[65]

M. Zhang, R. Qiao, N. Hasabnis, and R. Sekar. A platform for secure static binary instrumentation. In ACM VEE, 2014.

Digital Library

[66]

M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In USENIX Security, 2013.

Digital Library

[67]

M. Zhang and R. Sekar. Squeezing the dynamic loader for fun and profit. http://seclab.cs.sunysb.edu/seclab/pubs/seclab15-12.pdf, 2015.

Cited By

Liu DMeng XWang PZhou XXie WWang B(2025)Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernelComputers & Security10.1016/j.cose.2024.104189150(104189)Online publication date: Mar-2025
https://doi.org/10.1016/j.cose.2024.104189
Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
Grisafi MAmmar MRoveri MCrispo B(2024)FLAShadow: A Flash-based Shadow Stack for Low-end Embedded SystemsACM Transactions on Internet of Things10.1145/36704135:3(1-29)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3670413
Show More Cited By

Control Flow and Code Integrity for COTS binaries: An Effective Defense Against Real-World ROP Attacks
1. Security and privacy
  1. Systems security

Recommendations

Enforcing Unique Code Target Property for Control-Flow Integrity
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

The goal of control-flow integrity (CFI) is to stop control-hijacking attacks by ensuring that each indirect control-flow transfer (ICT) jumps to its legitimate target. However, existing implementations of CFI have fallen short of this goal because ...
Control flow integrity for COTS binaries
SEC'13: Proceedings of the 22nd USENIX conference on Security

Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI ...
Formally verified software countermeasures for control-flow integrity of smart card C code
Abstract
Fault attacks can target smart card programs to disrupt an execution and take control of the data or the embedded functionalities. Among all possible attacks, control-flow attacks aim at disrupting the normal execution flow. ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

December 2015

489 pages

ISBN:9781450336826

DOI:10.1145/2818000

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

National Science Foundation

Conference

ACSAC 2015

ACSAC 2015: 2015 Annual Computer Security Applications Conference

December 7 - 11, 2015

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

37
Total Citations
View Citations
1,238
Total Downloads

Downloads (Last 12 months)275
Downloads (Last 6 weeks)46

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Liu DMeng XWang PZhou XXie WWang B(2025)Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernelComputers & Security10.1016/j.cose.2024.104189150(104189)Online publication date: Mar-2025
https://doi.org/10.1016/j.cose.2024.104189
Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
Grisafi MAmmar MRoveri MCrispo B(2024)FLAShadow: A Flash-based Shadow Stack for Low-end Embedded SystemsACM Transactions on Internet of Things10.1145/36704135:3(1-29)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3670413
Deshpande CParzefall FHetzelt FFranz M(2024)Polynima: Practical Hybrid Recompilation for Multithreaded BinariesProceedings of the Nineteenth European Conference on Computer Systems10.1145/3627703.3650065(1126-1141)Online publication date: 22-Apr-2024
https://dl.acm.org/doi/10.1145/3627703.3650065
Zhang RWu JPei BSang CZhang Q(2024)Binary Rewritten based Control Flow Integrity Protection for Wireless Industrial Communication SystemICC 2024 - IEEE International Conference on Communications10.1109/ICC51166.2024.10622384(1715-1720)Online publication date: 9-Jun-2024
https://doi.org/10.1109/ICC51166.2024.10622384
Moghadam VSerra GAromolo FButtazzo GPrinetto P(2024)Memory Integrity Techniques for Memory-Unsafe Languages: A SurveyIEEE Access10.1109/ACCESS.2024.338047812(43201-43221)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3380478
Lin WGuo QYin JZuo XWang RGong X(2024)FSmell: Recognizing Inline Function in Binary CodeComputer Security – ESORICS 202310.1007/978-3-031-51476-0_24(487-506)Online publication date: 11-Jan-2024
https://doi.org/10.1007/978-3-031-51476-0_24
Zhao SYu XLuo JXie G(2023)Speculation-Free Function Table Construction in LLVM IR for Fine-Grained Control Flow IntegrityJournal of Circuits, Systems and Computers10.1142/S021812662350281X32:16Online publication date: 29-May-2023
https://doi.org/10.1142/S021812662350281X
Jiang MDai QZhang WChang RZhou YLuo XWang RLiu YRen K(2023)A Comprehensive Study on ARM Disassembly ToolsIEEE Transactions on Software Engineering10.1109/TSE.2022.318781149:4(1683-1703)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3187811
Li SWang WLi WZhang D(2023)Hardware-Based Software Control Flow Integrity: Review on the State-of-the-Art Implementation TechnologyIEEE Access10.1109/ACCESS.2023.333704311(133255-133280)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3337043
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents