
Control-flow integrity principles, implementations, and applications

Published: 06 November 2009

Abstract

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, control-flow integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple and its guarantees can be established formally, even with respect to powerful adversaries. Moreover, CFI enforcement is practical: It is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.
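The abstract names two mechanisms: an ID check at each indirect control transfer and a protected shadow call stack. The C program below is an added illustration of both, not code from the paper; the IDs, the label table that stands in for binary-rewritten code, and the simulated activation record are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* Added illustration (not the paper's code): an ID check guarding an indirect
 * call, plus a shadow call stack that validates returns. The IDs, the label
 * table standing in for rewritten code and the frame layout are constructed. */
typedef int (*handler_fn)(int);
#define ID_HANDLER 0x12345678u  /* shared by all legal targets of the call site */
#define ID_SYSTEM  0x0badf00du  /* a different class: never a legal handler */
static int double_it(int x)  { return 2 * x; }
static int negate(int x)     { return -x; }
static int privileged(int x) { return x + 1000; }
/* Stands in for the ID that rewriting would embed at each function entry. */
static const struct { handler_fn fn; uint32_t id; } labels[] = {
    { double_it, ID_HANDLER }, { negate, ID_HANDLER }, { privileged, ID_SYSTEM },
};
static uint32_t label_of(handler_fn fn) {
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        if (labels[i].fn == fn) return labels[i].id;
    return 0;  /* unknown code address: carries no label at all */
}

/* Shadow call stack, kept apart from ordinary (overflowable) stack data. */
enum { SHADOW_MAX = 64 };
static uintptr_t shadow[SHADOW_MAX];
static size_t shadow_top;
/* Simulated activation record: the return slot follows a small buffer, so a
 * constructed overflow can clobber it while the shadow copy stays intact. */
struct frame { char buf[8]; uintptr_t ret; };
/* Guarded indirect call: refuse a target whose ID is not the one this call
 * site expects; otherwise record the return address, then transfer control. */
static bool cfi_call(handler_fn target, uint32_t expected_id, struct frame *f,
                     int arg, int *result) {
    if (label_of(target) != expected_id || shadow_top == SHADOW_MAX) return false;
    shadow[shadow_top++] = f->ret;
    *result = target(arg);
    return true;
}
/* Return check: the corruptible frame slot must match the shadow copy. */
static bool cfi_return(struct frame *f) {
    return shadow_top > 0 && f->ret == shadow[--shadow_top];
}
/* Normal path: a pointer of the right class is called and returns cleanly. */
static bool legitimate_call_and_return(void) {
    struct frame f = { "", 0x401000 }; int r;
    return cfi_call(double_it, ID_HANDLER, &f, 21, &r) && r == 42 && cfi_return(&f);
}
/* Handler pointer redirected into another class: the call is refused. */
static bool redirected_call_is_blocked(void) {
    struct frame f = { "", 0x401000 }; int r = 0;
    return !cfi_call(privileged, ID_HANDLER, &f, 1, &r) && r == 0;
}
/* Legitimate call, then the saved return address is overwritten: return refused. */
static bool smashed_return_is_detected(void) {
    struct frame f = { "", 0x401000 }; int r;
    if (!cfi_call(negate, ID_HANDLER, &f, 5, &r) || r != -5) return false;
    f.ret = 0xdeadbeef;  /* constructed corruption of the return slot */
    return !cfi_return(&f);
}
```

The ID check stops a redirected pointer before control leaves the call site, and the shadow-stack comparison catches a return slot that ordinary stack corruption has altered.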



• Published in

  ACM Transactions on Information and System Security, Volume 13, Issue 1
  October 2009
  289 pages
  ISSN: 1094-9224
  EISSN: 1557-7406
  DOI: 10.1145/1609956

  Copyright © 2009 ACM

  Publisher

  Association for Computing Machinery
  New York, NY, United States

  Publication History

  • Published: 6 November 2009
  • Accepted: 1 June 2007
  • Revised: 1 February 2007
  • Received: 1 January 2006

                  Qualifiers

                  • research-article
                  • Research
                  • Refereed
