Abstract
Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, control-flow integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple and its guarantees can be established formally, even with respect to powerful adversaries. Moreover, CFI enforcement is practical: It is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.
Supplemental Material
Available for Download
Online appendix to control-flow integrity principles, implementations, and applications. The appendix supports the information on article 4.
- Abadi, M. 1998. Protection in programming language translations. In Proceedings of the 25th International Colloquium on Automata, Languages and Programming. Springer-Verlag, Berlin, 868--883. Google Scholar
Digital Library
- Abadi, M., Budiu, M., Erlingsson, Ú., and Ligatti, J. 2005. A theory of secure control flow. In Proceedings of the 7th International Conference on Formal Engineering Methods. Springer-Verlag, Berlin, 111--124. Google Scholar
Digital Library
- Abadi, M., Budiu, M., Erlingsson, Ú., and Ligatti, J. 2005. Control-flow integrity: Principles, implementations, and applications. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, 340--353. Google Scholar
Digital Library
- Aho, A. V., Sethi, R., and Ullman, J. D. 1985. Compilers: Principles, Techniques, Tools. Addison-Wesley, Reading, MA. Google Scholar
Digital Library
- Apple Computer. 2003. Prebinding Notes. http://developer.apple.com/releasenotes/DeveloperTools/Prebinding.html.Google Scholar
- Atkinson, D. C. 2002. Call graph extraction in the presence of function pointers. In Proceedings of the 2nd International Conference on Software Engineering Research and Practice. ACM, New York.Google Scholar
- Avijit, K., Gupta, P., and Gupta, D. 2004. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 45--56. Google Scholar
Digital Library
- Basu, S. and Uppuluri, P. 2004. Proxy-annotated control flow graphs: Deterministic context-sensitive monitoring for intrusion detection. In Proceedings of the International Conference on Distributed Computing and Internet Technology (ICDCIT'04). Springer, Berlin, 353--362. Google Scholar
Digital Library
- Bauer, L., Ligatti, J., and Walker, D. 2005. Composing security policies with polymer. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI'05). ACM, New York, 305--314. Google Scholar
Digital Library
- Bhatkar, S., Duvarney, D. C., and Sekar, R. 2003. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 105--120. Google Scholar
Digital Library
- Bishop, M. and Dilger, M. 1996. Checking for race conditions in file access. Comput. Syst. 9, 2, 131--152.Google Scholar
- Brumley, D. and Song, D. 2004. Privtrans: Automatically partitioning programs for privilege separation. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 57--72. Google Scholar
Digital Library
- Budiu, M., Erlingsson, Ú., and Abadi, M. 2006. Architectural support for software-based protection. In Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability (ASID'06). ACM, New York, 42--51. Google Scholar
Digital Library
- Chen, S., Xu, J., Sezer, E. C., Gauriar, P., and Iyer, R. 2005. Non-control-data attacks are realistic threats. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 177--192. Google Scholar
Digital Library
- Chiueh, T. and Hsu, F. 2001. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the 21st IEEE International Conference on Distributed Computing Systems. IEEE, Los Alamitos, CA, 409--419. Google Scholar
Digital Library
- Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., and Lokier, J. 2001. FormatGuard: Automatic protection from print format string vulnerabilities. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA. Google Scholar
Digital Library
- Cowan, C., Beattie, S., Johansen, J., and Wagle, P. 2003. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 91--104. Google Scholar
Digital Library
- Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., and Hinton, H. 1998. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 63--78. Google Scholar
Digital Library
- Crandall, J. R. and Chong, F. T. 2004. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the International Symposium on Microarchitecture. ACM, New York. Google Scholar
Digital Library
- Erlingsson, Ú., Abadi, M., Vrable, M., Budiu, M., and Necula, G. C. 2006. XFI: Software guards for system address spaces. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation. USENIX, Berkeley, CA, 75--88. Google Scholar
Digital Library
- Erlingsson, Ú. and Schneider, F. B. 1999. SASI enforcement of security policies: A retrospective. In Proceedings of the New Security Paradigms Workshop. IEEE, Los Alamitos, CA, 87--95. Google Scholar
Digital Library
- Erlingsson, Ú. and Schneider, F. B. 2000. IRM enforcement of java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 246--255. Google Scholar
Digital Library
- Evans, D. and Twyman, A. 1999. Policy-directed code safety. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA.Google Scholar
- Feng, H., Kolesnikov, O., Fogla, P., Lee, W., and Gong, W. 2003. Anomaly detection using call stack information. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 62--77. Google Scholar
Digital Library
- Feng, H. H., Giffin, J. T., Huang, Y., Jha, S., Lee, W., and Miller, B. P. 2004. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 194--210.Google Scholar
- Florio, E. 2004. Gdiplus vuln - ms04-028 - crash test jpeg. full-disclosure at lists.netsys.com. Forum message.Google Scholar
- Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 120--128. Google Scholar
Digital Library
- Frantzen, M. and Shuey, M. 2001. StackGhost: Hardware facilitated stack protection. In Proceedings of the USENIXSecurity Symposium. USENIX, Berkeley, CA, 55--66. Google Scholar
Digital Library
- Giffin, J. T., Jha, S., and Miller, B. P. 2002. Detecting manipulated remote call streams. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 61--79. Google Scholar
Digital Library
- Giffin, J. T., Jha, S., and Miller, B. P. 2004. Efficient context-sensitive intrusion detection. In Proceedings of the Network and Distributed System Security Symposium (NDSS'04). ISOC, Reston, VA.Google Scholar
- Gopalakrishna, R., Spafford, E. H., and Vitek, J. 2005. Efficient intrusion detection using automaton in-lining. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 18--31. Google Scholar
Digital Library
- Govindavajhala, S. and Appel, A. W. 2003. Using memory errors to attack a virtual machine. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 154--165. Google Scholar
Digital Library
- Hamid, N., Shao, Z., Trifonov, V., Monnier, S., and Ni, Z. 2002. A Syntactic Approach to Foundational Proof-Carrying Code. Tech. rep. YALEU/DCS/TR-1224, Dept. of Computer Science, Yale University.Google Scholar
- Hardy, N. 1988. The confused deputy. ACM Oper. Syst. Rev. 22, 4, 36--38. Google Scholar
Digital Library
- Harris, L. C. and Miller, B. P. 2005. Practical analysis of stripped binary code. SIGARCH Comput. Archit. News 33, 5, 63--68. Google Scholar
Digital Library
- Hennessy, J. L. and Patterson, D. A. 2006. Computer Architecture: A Quantitative Approach 4th Ed. Morgan Kaufmann Publishers, San Francisco, CA. Google Scholar
Digital Library
- Kennedy, A. 2005. Securing the .NET programming model. APPSEM II Workshop. http://research.microsoft.com/~akenn/sec/index.html.Google Scholar
- Kiriansky, V., Bruening, D., and Amarasinghe, S. 2002. Secure execution via program shepherding. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 191--206. Google Scholar
Digital Library
- Kirovski, D. and Drinic, M. 2004. POPI: A novel platform for intrusion prevention. In Proceedings of the International Symposium on Microarchitecture. IEEE, Los Alamitos, CA.Google Scholar
- Lam, L. and Chiueh, T. 2004. Automatic extraction of accurate application-specific sandboxing policy. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID'04). Springer, Berlin, 1--20.Google Scholar
- Larochelle, D. and Evans, D. 2001. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 177--190. Google Scholar
Digital Library
- Larson, E. and Austin, T. 2003. High coverage detection of input-related security faults. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 121--136. Google Scholar
Digital Library
- Mccamant, S. and Morrisett, G. 2005. Efficient, verifiable binary sandboxing for a CISC architecture. Tech. rep. MIT-LCS-TR-988, MIT Laboratory for Computer Science. http://publications.csail.mit.edu/lcs/pubs/pdf/MIT-LCS-TR-988.pdf.Google Scholar
- Microsoft Corporation. 2004. Changes to Functionality in Microsoft Windows XP SP2: Memory Protection Technologies. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx.Google Scholar
- Morrisett, G., Walker, D., Crary, K., and Glew, N. 1999. From System F to typed assembly language. ACM Trans. Program. Lang. Syst. 21, 3, 527--568. Google Scholar
Digital Library
- Nebenzahl, D. and Wool, A. 2004. Install-time vaccination of Windows executables to defend against stack smashing attacks. In Proceedings of the IFIP International Information Security Conference. Springer, Berlin.Google Scholar
- Necula, G. 1997. Proof-carrying code. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages. ACM, New York, 106--119. Google Scholar
Digital Library
- Necula, G. C., McPeak, S., and Weimer, W. 2002. Cured: Type-safe retrofitting of legacy code. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages. ACM, New York, 128--139. Google Scholar
Digital Library
- Oh, N., Shirvani, P. P., and McCluskey, E. J. 2002. Control flow checking by software signatures. IEEE Trans. Reliab. 51, 2.Google Scholar
Cross Ref
- Pax Project. 2004. The PaX Project. http://pax.grsecurity.net/.Google Scholar
- Pincus, J. and Baker, B. 2004. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Secur. Privacy 2, 4, 20--27. Google Scholar
Digital Library
- Prasad, M. and Chiueh, T. 2003. A binary rewriting defense against stack-based buffer overflow attacks. In Proceedings of the USENIX Technical Conference. USENIX, Berkeley, CA, 211--224.Google Scholar
- Provos, N. 2003. Improving host security with system call policies. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 257--272. Google Scholar
Digital Library
- Reis, G. A., Chang, J., Vachharajani, N., Rangan, R., and August, D. I. 2005. SWIFT: Software implemented fault tolerance. In Proceedings of the International Symposium on Code Generation and Optimization. IEEE, Los Alamitos, CA. Google Scholar
Digital Library
- Ruwase, O. and Lam, M. S. 2004. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed System Security Symposium. ISOC, Reston, VA.Google Scholar
- Schneider, F. B. 2000. Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 1, 30--50. Google Scholar
Digital Library
- Scott, K. and Davidson, J. 2002. Safe virtual execution using software dynamic translation. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC'02). IEEE, Los Alamitos, CA, 209. Google Scholar
Digital Library
- Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. 2001. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 144--155. Google Scholar
Digital Library
- Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., and Boneh, D. 2004. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Small, C. 1997. A tool for constructing safe extensible C++ systems. In Proceedings of the 3rd Conference on Object-Oriented Technologies and Systems. USENIX, Berkeley, CA. Google Scholar
Digital Library
- Sovarel, A. N., Evans, D., and Paul, N. 2005. Where's the FEEB?: The effectiveness of instruction set randomization. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA, 145--160. Google Scholar
Digital Library
- Srivastava, A., Edwards, A., and Vo, H. 2001. Vulcan: Binary transformation in a distributed environment. Tech. rep. MSR-TR-2001-50, Microsoft Research.Google Scholar
- Srivastava, A. and Eustace, A. 1994. ATOM: A system for building customized program analysis tools. Tech. rep. WRL Research Report 94/2, Digital Equipment Corporation.Google Scholar
Digital Library
- Standard Performance Evaluation Corporation. 2000. SPEC CPU2000 Benchmark Suite. http://www.spec.org/osg/cpu2000/.Google Scholar
- Suh, G. E., Lee, J. W., Zhang, D., and Devadas, S. 2004. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, New York, 85--96. Google Scholar
Digital Library
- Tuck, N., Calder, B., and Varghese, G. 2004. Hardware and binary modification support for code pointer protection from buffer overflow. In Proceedings of the International Symposium on Microarchitecture. ACM, New York. Google Scholar
Digital Library
- Venkatasubramanian, R., Hayes, J. P., and Murray, B. T. 2003. Low-cost on-line fault detection using control flow assertions. In Proceedings of 9th IEEE International On-Line Testing Symposium. IEEE, Los Alamitos, CA.Google Scholar
- Wagner, D. and Dean, D. 2001. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 156--169. Google Scholar
Digital Library
- Wagner, D. and Soto, P. 2002. Mimicry attacks on host based intrusion detection systems. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, 255--264. Google Scholar
Digital Library
- Wahbe, R., Lucco, S., Anderson, T. E., and Graham, S. L. 1993. Efficient software-based fault isolation. ACM SIGOPS Oper. Syst. Rev. 27, 5, 203--216. Google Scholar
Digital Library
- Wilander, J. and Kamkar, M. 2003. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the Network and Distributed System Security Symposium. ISOC, Reston, VA.Google Scholar
- Winwood, S. and Chakravarty, M. M. T. 2005. Secure untrusted binaries—provably! Tech. rep. UNSWCSE-TR-0511, School of Computer Science and Engineering, University of New South Wales, Australia.Google Scholar
- Xu, J., Kalbarczyk, Z., and Iyer, R. K. 2003. Transparent runtime randomization for security. In Proceedings of the Symposium on Reliable and Distributed Systems. IEEE, Los Alamitos, CA.Google Scholar
- Xu, J., Kalbarczyk, Z., Patel, S., and Iyer, R. 2002. Architecture support for defending against buffer overflow attacks. In Proceedings of the 2002 Workshop on Evaluating and Architecting System Dependability (EASY'02). ACM, New York.Google Scholar
Index Terms
Control-flow integrity principles, implementations, and applications
Recommendations
Enforcing Unique Code Target Property for Control-Flow Integrity
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications SecurityThe goal of control-flow integrity (CFI) is to stop control-hijacking attacks by ensuring that each indirect control-flow transfer (ICT) jumps to its legitimate target. However, existing implementations of CFI have fallen short of this goal because ...
Control-flow integrity
CCS '05: Proceedings of the 12th ACM conference on Computer and communications securityCurrent software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is ...
Combining control-flow integrity and static analysis for efficient and validated data sandboxing
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securityIn many software attacks, inducing an illegal control-flow transfer in the target system is one common step. Control-Flow Integrity (CFI) protects a software system by enforcing a pre-determined control-flow graph. In addition to providing strong ...






Comments