ACM Digital Library home
ACM home
Advanced Search
10.1145/1102120.1102165acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedings
ARTICLE

Control-flow integrity

Publication: CCS '05: Proceedings of the 12th ACM conference on Computer and communications securityNovember 2005 Pages 340–353https://doi.org/10.1145/1102120.1102165
  • 557citation
  • 5,025
    • Downloads
Metrics
Total Citations557
Total Downloads5,025
Last 12 Months334
Last 6 weeks63

ABSTRACT

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.

References

  1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. A theory of secure control flow. In Proceedings of the 7th International Conference on Formal Engineering Methods, 2005. A preliminary version appears as Microsoft Research Technical Report MSR-TR-05-17, February 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: principles, techniques, tools. Addison-Wesley, 1985. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Apple Computer. Prebinding notes, 2003. http://developer.apple.com/releasenotes/DeveloperTools/Prebinding.html.Google ScholarGoogle Scholar
  4. D. Atkinson. Call graph extraction in the presence of function pointers. In Proceedings of the International Conference on Software Engineering Research and Practice, 2002.Google ScholarGoogle Scholar
  5. K. Avijit, P. Gupta, and D. Gupta. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In Proceedings of the Usenix Security Symposium, pages 45--56, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. S. Basu and P. Uppuluri. Proxy-annotated control flow graphs: Deterministic context-sensitive monitoring for intrusion detection. In ICDCIT: Proceedings of the International Conference on Distributed Computing and Internet Technology, pages 353--362, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the Usenix Security Symposium, pages 105--120, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. M. Bishop and M. Dilger. Checking for race conditions in file access. Computing Systems, 9(2):131--152, 1996.Google ScholarGoogle Scholar
  9. D. Brumley and D. Song. Privtrans: Automatically partitioning programs for privilege separation. In Proceedings of the Usenix Security Symposium, pages 57--72, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer. Non-control-data attacks are realistic threats. In Proceedings of the Usenix Security Symposium, pages 177--192, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the 21st IEEE International Conference on Distributed Computing Systems, pages 409--419, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the Usenix Security Symposium, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the Usenix Security Symposium, pages 91--104, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the Usenix Security Symposium, pages 63--78, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. J. Crandall and F. Chong. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the International Symposium on Microarchitecture, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Ú. Erlingsson and F. Schneider. IRM enforcement of java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 246--255, 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Ú. Erlingsson and F. Schneider. SASI enforcement of security policies: A retrospective. In Proceedings of the New Security Paradigms Workshop, pages 87--95, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee, and B. Miller. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 194--210, 2004.Google ScholarGoogle Scholar
  19. H. Feng, O. Kolesnikov, P. Fogla, W. Lee, and W. Gong. Anomaly detection using call stack information. In Proceedings of the IEEE Symposium on Security and Privacy, pages 62--77, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. E. Florio. Gdiplus vuln - ms04-028 - crash test jpeg. full-disclosure at lists.netsys.com, 2004. Forum message, sent September 15.Google ScholarGoogle Scholar
  21. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120--128, 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In Proceedings of the Usenix Security Symposium, pages 55--66, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. J. Giffin, S. Jha, and B. Miller. Detecting manipulated remote call streams. In Proceedings of the Usenix Security Symposium, pages 61--79, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. J. Giffin, S. Jha, and B. Miller. Efficient context-sensitive intrusion detection. In NDSS '04: Proceedings of the Network and Distributed System Security Symposium, 2004.Google ScholarGoogle Scholar
  25. R. Gopalakrishna, E. Spafford, and J.Vitek. Efficient intrusion detection using automaton inlining. In Proceedings of the IEEE Symposium on Security and Privacy, pages 18--31, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. S. Govindavajhala and A. Appel. Using memory errors to attack a virtual machine. In Proceedings of the IEEE Symposium on Security and Privacy, pages 154--165, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. N. Hamid, Z. Shao, V. Trifonov, S. Monnier, and Z. Ni. A Syntactic Approach to Foundational Proof-Carrying Code. Technical Report YALEU/DCS/TR-1224, Dept. of Computer Science, Yale University, New Haven, CT, 2002.Google ScholarGoogle ScholarCross RefCross Ref
  28. N. Hardy. The confused deputy. ACM Operating Systems Review, 22(4):36--38, 1988. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the Usenix Security Symposium, pages 191--206, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. D. Kirovski and M. Drinic. POPI --- a novel platform for intrusion prevention. In Proceedings of the International Symposium on Microarchitecture, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. L. Lam and T. Chiueh. Automatic extraction of accurate application-specific sandboxing policy. In RAID '04: Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pages 1--20, 2004.Google ScholarGoogle ScholarCross RefCross Ref
  32. D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the Usenix Security Symposium, pages 177--190, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. E. Larson and T. Austin. High coverage detection of input-related security faults. In Proceedings of the Usenix Security Symposium, pages 121--136, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. S. McCamant and G. Morrisett. Efficient, verifiable binary sandboxing for a CISC architecture. Technical Report MIT-LCS-TR-988, MIT Laboratory for Computer Science, 2005.Google ScholarGoogle Scholar
  35. Microsoft Corporation. Changes to functionality in Microsoft Windows XP SP2: Memory protection technologies, 2004. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr%.mspx.Google ScholarGoogle Scholar
  36. G. Morrisett, D. Walker, K. Crary, and N. Glew. From system~F to typed assembly language. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages, pages 85--97, Jan. 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. D. Nebenzahl and A. Wool. Install-time vaccination of Windows executables to defend against stack smashing attacks. In Proceedings of the IFIP International Information Security Conference, 2004.Google ScholarGoogle ScholarCross RefCross Ref
  38. G. Necula. Proof-carrying code. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, pages 106--119, January 1997. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. G. Necula, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy code. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages, pages 128--139, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. N. Oh, P. P. Shirvani, and E. J. McCluskey. Control flow checking by software signatures. IEEE Transactions on Reliability, 51(2), 2002. Special Section on: Fault Tolerant VLSI Systems.Google ScholarGoogle Scholar
  41. PaX Project. The PaX project, 2004. http://pax.grsecurity.net/.Google ScholarGoogle Scholar
  42. J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2(4):20--27, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. M. Prasad and T. Chiueh. A binary rewriting defense against stack based buffer overflow attacks. In Proceedings of the Usenix Technical Conference, pages 211--224, 2003.Google ScholarGoogle Scholar
  44. N. Provos. Improving host security with system call policies. In Proceedings of the Usenix Security Symposium, pages 257--272, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. G. A. Reis, J. Chang, N. Vachharajani, R. Rangan, and D. I. August. SWIFT: Software implemented fault tolerance. In Proceedings of the International Symposium on Code Generation and Optimization, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of Network and Distributed System Security Symposium, 2004.Google ScholarGoogle Scholar
  47. K. Scott and J. Davidson. Safe virtual execution using software dynamic translation. In ACSAC '02: Proceedings of the 18th Annual Computer Security Applications Conference, page 209, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy, pages 144--155, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. C. Small. A tool for constructing safe extensible C++ systems. In Proceedings of the 3rd Conference on Object-Oriented Technologies and Systems, 1997. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. A. Sovarel, D. Evans, and N. Paul. Where's the FEEB?: The effectiveness of instruction set randomization. In Proceedings of the Usenix Security Symposium, pages 145--160, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. A. Srivastava, A. Edwards, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, 2001.Google ScholarGoogle Scholar
  53. A. Srivastava and A. Eustace. ATOM: A system for building customized program analysis tools. Technical Report WRL Research Report 94/2, Digital Equipment Corporation, 1994.Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. Standard Performance Evaluation Corporation. SPEC CPU2000 benchmark suite, 2000. http://www.spec.org/osg/cpu2000/.Google ScholarGoogle Scholar
  55. G. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85--96, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. N. Tuck, B. Calder, and G. Varghese. Hardware and binary modification support for code pointer protection from buffer overflow. In Proceedings of the International Symposium on Microarchitecture, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. R. Venkatasubramanian, J. P. Hayes, and B. T. Murray. Low-cost on-line fault detection using control flow assertions. In Proceedings of 9th IEEE International On-Line Testing Symposium, 2003.Google ScholarGoogle ScholarCross RefCross Ref
  58. D. Wagner and D. Dean. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy, pages 156--169, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. D. Wagner and P. Soto. Mimicry attacks on host based intrusion detection systems. In Proceedings of the ACM Conference on Computer and Communications Security, pages 255--264, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. R. Wahbe, S. Lucco, T. Anderson, and S. Graham. Efficient software-based fault isolation. ACM SIGOPS Operating Systems Review, 27(5):203--216, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  61. J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the Network and Distributed System Security Symposium, 2003.Google ScholarGoogle Scholar
  62. J. Xu, Z. Kalbarczyk, and R. Iyer. Transparent runtime randomization for security. In Proceedings of the Symposium on Reliable and Distributed Systems, 2003.Google ScholarGoogle Scholar
  63. J. Xu, Z. Kalbarczyk, S. Patel, and R. Iyer. Architecture support for defending against buffer overflow attacks, 2002.Google ScholarGoogle Scholar

Index Terms

  1. Control-flow integrity

                Comments

                Login options

                Check if you have access through your login credentials or your institution to get full access on this article.

                Sign in

                Full Access

                Get this Publication

                PDF Format

                View or Download as a PDF file.

                PDF

                eReader

                View online with eReader.

                eReader
                View Table of Contents
                About Cookies On This Site

                We use cookies to ensure that we give you the best experience on our website.

                Learn more

                Got it!