Abstract
Memory corruption errors in C/C++ programs remain the most common source of security vulnerabilities in today’s systems. Control-flow hijacking attacks exploit memory corruption vulnerabilities to divert program execution away from the intended control flow. Researchers have spent more than a decade studying and refining defenses based on Control-Flow Integrity (CFI); this technique is now integrated into several production compilers. However, so far, no study has systematically compared the various proposed CFI mechanisms nor is there any protocol on how to compare such mechanisms. We compare a broad range of CFI mechanisms using a unified nomenclature based on (i) a qualitative discussion of the conceptual security guarantees, (ii) a quantitative security evaluation, and (iii) an empirical evaluation of their performance in the same test environment. For each mechanism, we evaluate (i) protected types of control-flow transfers and (ii) precision of the protection for forward and backward edges. For open-source, compiler-based implementations, we also evaluate (iii) generated equivalence classes and target sets and (iv) runtime performance.
Index Terms
- Control-Flow Integrity: Precision, Security, and Performance