Abstract
Control-Flow Integrity (CFI) is a software-hardening technique. It inlines checks into a program so that its execution always follows a predetermined Control-Flow Graph (CFG). As a result, CFI is effective at preventing control-flow hijacking attacks. However, past fine-grained CFI implementations do not support separate compilation, which hinders CFI's adoption.
We present Modular Control-Flow Integrity (MCFI), a new CFI technique that supports separate compilation. MCFI allows modules to be independently instrumented and linked statically or dynamically. The combined module enforces a CFG that is a combination of the individual modules' CFGs. One challenge in supporting dynamic linking in multithreaded code is how to ensure a safe transition from the old CFG to the new CFG when libraries are dynamically linked. The key technique we use is to have the CFG represented in a runtime data structure and have reads and updates of the data structure wrapped in transactions to ensure thread safety. Our evaluation on SPECCPU2006 benchmarks shows that MCFI supports separate compilation, incurs low overhead of around 5%, and enhances security.
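As an added illustration (not the paper's or MCFI's own code), the following Python model shows the three ideas the abstract describes: a CFG fragment per module, a combined CFG formed by union when a library is linked, and a runtime CFG table whose updates run as write transactions and whose indirect-branch checks run as optimistic read transactions validated by a version counter. The seqlock-style versioning, the symbolic addresses such as `main:call_fp`, and the names `ModuleCFG`, `RuntimeCFG`, `link`, `check` and `demo` are assumptions of this example, not MCFI's actual encoding.

```python
"""Toy model of a transactional runtime CFG table (added example; the
versioning scheme and symbolic addresses are assumptions, not MCFI's)."""
import threading
from dataclasses import dataclass


@dataclass
class ModuleCFG:
    """One separately instrumented module's CFG fragment: for every
    indirect-branch site, the set of targets the module's CFG permits.
    Addresses are constructed symbolic labels rather than real pointers."""
    name: str
    edges: dict  # site label -> set of permitted target labels


class RuntimeCFG:
    """Combined CFG enforced at runtime.

    link()  is a write transaction: it merges a module's edges into a fresh
            table and swaps the reference in, so a reader never observes a
            half-merged CFG.
    check() is a read transaction: it reads the version, validates the
            branch, and retries if a link() committed in between.
    """

    def __init__(self):
        self._edges = {}
        self._version = 0          # even: stable, odd: update in progress
        self._writer = threading.Lock()
        self.retries = 0           # how many reads had to be re-run

    def link(self, module: ModuleCFG) -> None:
        with self._writer:
            self._version += 1                     # odd: readers must wait
            merged = {site: set(t) for site, t in self._edges.items()}
            for site, targets in module.edges.items():
                # Combined CFG = union of the individual modules' CFGs.
                merged.setdefault(site, set()).update(targets)
            self._edges = merged                   # single reference swap
            self._version += 1                     # even: stable again

    def check(self, site: str, target: str) -> bool:
        while True:
            v0 = self._version
            if v0 & 1:
                continue                           # update in progress
            ok = target in self._edges.get(site, ())
            if self._version == v0:
                return ok                          # read was consistent
            self.retries += 1                      # overlapped a link(); retry


def demo():
    """Main program linked first, a library linked later at runtime.
    Returns (check before link, check after link, check of a non-CFG edge)."""
    rt = RuntimeCFG()
    main = ModuleCFG("main", {"main:call_fp": {"main:handler"}})
    lib = ModuleCFG("libfoo", {
        "main:call_fp": {"libfoo:callback"},       # new target for an old site
        "libfoo:ret_site": {"main:after_call"},    # return edge into main
    })
    rt.link(main)
    before = rt.check("main:call_fp", "libfoo:callback")   # not yet linked
    rt.link(lib)
    after = rt.check("main:call_fp", "libfoo:callback")    # now in the CFG
    bogus = rt.check("main:call_fp", "libfoo:ret_site")    # never an edge
    return before, after, bogus


if __name__ == "__main__":
    print(demo())
```

The point of building `merged` as a new table and swapping one reference is that a concurrent check sees either the old CFG or the new one, never an intermediate state; the version counter lets a reader detect that an update committed while it was checking and re-run the check against the new CFG.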
Published in
PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation