ABSTRACT
Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks. Conventional CFI techniques statically extract a control-flow graph (CFG) from a program and instrument the program to enforce that CFG. The statically generated CFG includes all edges for all possible inputs; however, for a concrete input, the CFG may include many unnecessary edges.
We present Per-Input Control-Flow Integrity (PICFI), a new CFI technique that enforces a CFG computed for each concrete input. PICFI starts executing a program with an empty CFG and lets the program itself lazily add edges to the enforced CFG when the concrete input requires them. The edge addition is performed by PICFI-inserted instrumentation code. To prevent attackers from arbitrarily adding edges, PICFI uses a statically computed all-input CFG to constrain which edges can be added at runtime. To minimize performance overhead, the edge-adding operations are designed to be idempotent, so they can be patched to no-ops after their first execution. As our evaluation shows, PICFI provides better security than conventional fine-grained CFI with comparable performance overhead.
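As an added illustration of the mechanism the abstract describes (not code from the paper or its implementation), this C model keeps a static all-input CFG and an initially empty enforced CFG: the activation routine adds a target only if the static CFG permits it and is idempotent, and the branch check consults only the enforced CFG. The integer target ids, the handler dispatch and all function names are constructed assumptions; the real system works on code addresses and patches the activation stub to a no-op after its first run.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_TARGETS 8  /* small ids stand in for code addresses */

typedef struct {
    bool static_cfg[MAX_TARGETS];   /* all-input CFG computed statically */
    bool enforced_cfg[MAX_TARGETS]; /* per-input CFG: empty at start, grows lazily */
    bool patched[MAX_TARGETS];      /* activation stub already ran (modelled as patched to a no-op) */
} picfi_state;

/* Start with the empty enforced CFG; only the static CFG is populated. */
void picfi_init(picfi_state *s, const int *static_targets, size_t n) {
    for (int i = 0; i < MAX_TARGETS; i++)
        s->static_cfg[i] = s->enforced_cfg[i] = s->patched[i] = false;
    for (size_t i = 0; i < n; i++)
        if (static_targets[i] >= 0 && static_targets[i] < MAX_TARGETS)
            s->static_cfg[static_targets[i]] = true;
}

/* Instrumentation run where a target first becomes reachable for this input
   (e.g., where a function's address is taken). Idempotent: repeating it
   changes nothing, which is why the real stub can be patched to a no-op. */
bool picfi_activate(picfi_state *s, int target) {
    if (target < 0 || target >= MAX_TARGETS) return false;
    if (s->patched[target]) return true;       /* already activated: no-op */
    if (!s->static_cfg[target]) return false;  /* not in all-input CFG: refuse */
    s->enforced_cfg[target] = s->patched[target] = true;
    return true;
}

/* Check instrumented before an indirect branch: only activated targets pass. */
bool picfi_check(const picfi_state *s, int target) {
    return target >= 0 && target < MAX_TARGETS && s->enforced_cfg[target];
}

/* Simulated program whose static CFG allows handlers 1..3 but whose input
   selects one. Returns the enforced-CFG size after dispatch (always 1 here,
   versus 3 edges in the all-input CFG). */
int picfi_run_input(int input) {
    static const int static_targets[] = {1, 2, 3};
    picfi_state s;
    picfi_init(&s, static_targets, 3);
    picfi_activate(&s, 1 + input % 3);  /* constructed input-dependent dispatch */
    int n = 0;
    for (int i = 0; i < MAX_TARGETS; i++) n += s.enforced_cfg[i];
    return n;
}
```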