ABSTRACT
The goal of control-flow integrity (CFI) is to stop control-hijacking attacks by ensuring that each indirect control-flow transfer (ICT) jumps to its legitimate target. However, existing implementations of CFI have fallen short of this goal because their analyses are imprecise; as a result, the set of allowable targets for an ICT instruction is too large, making illegal jumps possible. In this paper, we propose the Unique Code Target (UCT) property for CFI: for each invocation of an ICT instruction, there should be one and only one valid target. We develop a prototype called uCFI to enforce this new property. During compilation, uCFI identifies the sensitive instructions that influence ICTs and instruments the program to record the necessary execution context. At runtime, uCFI monitors the program's execution from a separate process and performs points-to analysis by interpreting the sensitive instructions using the recorded execution context in a memory-safe manner. It checks runtime ICT targets against the analysis results to detect CFI violations. We apply uCFI to SPEC benchmarks and 2 servers (nginx and vsftpd) to evaluate its efficacy in enforcing UCT and its overhead. We also test uCFI against control-hijacking attacks, including 5 real-world exploits, 1 proof-of-concept COOP attack, and 2 synthesized attacks that bypass existing defenses. The results show that uCFI strictly enforces the UCT property for protected programs, successfully detects all attacks, and introduces less than 10% performance overhead.
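As an added illustration (not code from the paper or the uCFI prototype), the following C sketch contrasts a set-based CFI check with a UCT check that re-derives the single expected target by interpreting recorded execution context against a monitor-side shadow of the code-pointer slots. The dispatch table, shadow array, `sensitive_store` instrumentation and `ict_ctx_t` record are all invented for this example; the real monitor runs in a separate process.

```c
#include <stddef.h>

typedef int (*handler_t)(int);
static int handler_a(int x) { return x + 1; }
static int handler_b(int x) { return x * 2; }

#define NSLOTS 4

/* Protected program state: a dispatch table of code pointers. */
static handler_t table[NSLOTS];

/* Monitor state (hypothetical; uCFI keeps this in another process): a
   shadow of every code-pointer slot, updated only via instrumented stores. */
static handler_t shadow[NSLOTS];

/* Recorded execution context for one indirect call: the data-dependent
   index the sensitive load used (assumed recording format). */
typedef struct { size_t idx; } ict_ctx_t;

/* Instrumented (sensitive) store: the only legitimate path by which a code
   pointer reaches the table, so the monitor can mirror it. */
static void sensitive_store(size_t slot, handler_t fn) {
    table[slot] = fn;
    shadow[slot] = fn;            /* monitor-side interpretation of the store */
}

/* Coarse-grained CFI: any function with the matching signature passes. */
static int cfi_allows(handler_t target) {
    return target == handler_a || target == handler_b;
}

/* UCT check: interpret the recorded load (table[idx]) against the shadow
   in a memory-safe way, yielding exactly one valid target, then compare. */
static int uct_allows(const ict_ctx_t *ctx, handler_t target) {
    if (ctx->idx >= NSLOTS) return 0;           /* out-of-range context: deny */
    return shadow[ctx->idx] == target;
}

/* Runs one dispatch. corrupt != 0 simulates a non-instrumented write (the
   kind a memory-safety bug would produce) replacing table[idx] with another
   valid-type function. Returns bit0 = CFI allowed, bit1 = UCT allowed. */
static int dispatch(size_t idx, int corrupt) {
    ict_ctx_t ctx = { idx };                     /* context recorded at runtime */
    sensitive_store(0, handler_a);
    sensitive_store(1, handler_b);
    if (corrupt) table[idx] = handler_b;         /* bypasses instrumentation */
    handler_t target = table[idx];               /* operand of the ICT */
    return cfi_allows(target) | (uct_allows(&ctx, target) << 1);
}
```

With slot 0 corrupted to `handler_b`, the signature-based check still passes while the UCT check rejects, which is the gap the UCT property closes.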
Enforcing Unique Code Target Property for Control-Flow Integrity