
Modular control-flow integrity

Published: 09 June 2014

Abstract

Control-Flow Integrity (CFI) is a software-hardening technique. It inlines checks into a program so that its execution always follows a predetermined Control-Flow Graph (CFG). As a result, CFI is effective at preventing control-flow hijacking attacks. However, past fine-grained CFI implementations do not support separate compilation, which hinders its adoption.

We present Modular Control-Flow Integrity (MCFI), a new CFI technique that supports separate compilation. MCFI allows modules to be independently instrumented and linked statically or dynamically. The combined module enforces a CFG that is a combination of the individual modules' CFGs. One challenge in supporting dynamic linking in multithreaded code is how to ensure a safe transition from the old CFG to the new CFG when libraries are dynamically linked. The key technique we use is to have the CFG represented in a runtime data structure and have reads and updates of the data structure wrapped in transactions to ensure thread safety. Our evaluation on SPECCPU2006 benchmarks shows that MCFI supports separate compilation, incurs low overhead of around 5%, and enhances security.
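The abstract describes the two mechanisms that make dynamic linking safe under MCFI: the CFG lives in a runtime data structure, and reads (the inlined checks) and updates (module linking) are wrapped in transactions so a check never observes a half-merged CFG. The following C model is an added example written for this page, not code from the paper or its implementation. It assumes a simplified CFG in which every indirect-branch site and target gets an equivalence-class ID derived from a per-function type signature (so linking a module merges its CFG by reusing IDs for signatures already present), and it stands in a seqlock-style version counter for the paper's transactions; the addresses, signatures and module layouts are constructed sample data.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a runtime CFG table (constructed for this page; not the
 * paper's code). An indirect branch from site S to target T is allowed only when
 * S and T carry the same equivalence-class ID in the current combined CFG. */

#define MAX_ENTRIES 64

typedef struct {
    uintptr_t addr;   /* code address of a branch site or branch target */
    uint32_t  id;     /* equivalence-class ID in the current combined CFG */
} cfg_entry;

typedef struct {
    _Atomic uint32_t version;        /* seqlock-style: odd while an update runs */
    cfg_entry   entries[MAX_ENTRIES];
    size_t      count;
    const char *sigs[MAX_ENTRIES];   /* type signature for ID i is sigs[i-1] */
    size_t      sig_count;
} cfg_table;

static cfg_table g_cfg;

/* What an instrumented module contributes at link time (assumed layout). */
typedef struct {
    uintptr_t   addr;
    const char *type_sig;   /* assumed: IDs are derived from function types */
} module_entry;

void cfg_reset(void) {
    g_cfg.count = 0;
    g_cfg.sig_count = 0;
    atomic_store_explicit(&g_cfg.version, 0, memory_order_release);
}

static bool lookup(const cfg_table *t, uintptr_t addr, uint32_t *id) {
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].addr == addr) { *id = t->entries[i].id; return true; }
    return false;
}

/* Read transaction: the check an inlined CFI guard performs before an indirect
 * branch. The version is re-read after the lookups; if a module link raced with
 * the check, the snapshot is discarded and the check retries, so old and new
 * CFG entries are never mixed in one decision. */
bool cfi_check(uintptr_t branch_site, uintptr_t target) {
    for (;;) {
        uint32_t v1 = atomic_load_explicit(&g_cfg.version, memory_order_acquire);
        if (v1 & 1u) continue;                 /* update in progress: spin */
        uint32_t sid = 0, tid = 0;
        bool ok = lookup(&g_cfg, branch_site, &sid)
               && lookup(&g_cfg, target, &tid)
               && sid == tid;
        atomic_thread_fence(memory_order_acquire);
        uint32_t v2 = atomic_load_explicit(&g_cfg.version, memory_order_relaxed);
        if (v1 == v2) return ok;               /* consistent snapshot */
    }
}

/* Write transaction: merge a newly linked module's CFG into the global table.
 * Writers are assumed to be serialized by the loader; concurrent readers see the
 * odd version and retry. Returns false if the table would overflow. */
bool cfg_link_module(const module_entry *m, size_t n) {
    if (g_cfg.count + n > MAX_ENTRIES) return false;
    atomic_fetch_add_explicit(&g_cfg.version, 1, memory_order_acquire);  /* -> odd */
    for (size_t i = 0; i < n; i++) {
        uint32_t id = 0;
        for (size_t s = 0; s < g_cfg.sig_count; s++)
            if (strcmp(g_cfg.sigs[s], m[i].type_sig) == 0) { id = (uint32_t)s + 1; break; }
        if (id == 0) {                          /* unseen signature: fresh class */
            g_cfg.sigs[g_cfg.sig_count++] = m[i].type_sig;
            id = (uint32_t)g_cfg.sig_count;
        }
        g_cfg.entries[g_cfg.count++] = (cfg_entry){ m[i].addr, id };
    }
    atomic_fetch_add_explicit(&g_cfg.version, 1, memory_order_release);  /* -> even */
    return true;
}

/* Constructed sample: a main module, then a library linked at run time. */
static const module_entry k_main_mod[] = {
    { 0x1000, "int(int)" },     /* indirect-call site through an int(*)(int) */
    { 0x2000, "int(int)" },     /* a function of that type */
    { 0x3000, "void(void)" },   /* a function of a different type */
};
static const module_entry k_lib_mod[] = {
    { 0x5000, "int(int)" },     /* library function whose type matches the site */
    { 0x6000, "char*(char*)" },
};

/* Walks the scenario; returns how many checks gave the expected verdict (5). */
int demo(void) {
    int ok = 0;
    cfg_reset();
    cfg_link_module(k_main_mod, 3);
    ok += cfi_check(0x1000, 0x2000) == true;    /* same class: allowed */
    ok += cfi_check(0x1000, 0x3000) == false;   /* type mismatch: blocked */
    ok += cfi_check(0x1000, 0x5000) == false;   /* library not linked yet: unknown target */
    cfg_link_module(k_lib_mod, 2);
    ok += cfi_check(0x1000, 0x5000) == true;    /* combined CFG now contains the edge */
    ok += cfi_check(0x1000, 0x6000) == false;
    return ok;
}
```

The point to notice is the third check: before the library is linked, a target outside the current CFG is rejected outright, and only after the write transaction completes (version back to even) does the combined CFG admit the new edge. A real deployment would store IDs next to the code rather than searching a linear table, but the read-validate-retry shape of the check is what gives the old-to-new CFG transition its safety.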



Published in

ACM SIGPLAN Notices, Volume 49, Issue 6 (PLDI '14), June 2014, 598 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2666356
Editor: Andy Gill

PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2014, 619 pages
ISBN: 9781450327848
DOI: 10.1145/2594291

Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History: Published 9 June 2014

Qualifiers: research-article
