ABSTRACT
Control-flow hijacking is the principal method for code-reuse techniques like Return-oriented Programming (ROP) and Jump-oriented Programming (JOP). For defending against such attacks, the community has proposed Control-flow Integrity (CFI), a technique capable of preventing exploitation by verifying that every (indirect) control-flow transfer points to a legitimate address. Enabling CFI in real systems is not straightforward, since in many cases the actual Control-flow Graph (CFG) of a program can be only approximated. Even in the case that there is perfect knowledge of the CFG, ensuring that all return instructions will return to their actual call sites, without employing a shadow stack, is questionable. On the other hand, the community has expressed concerns related to significant overheads stemming from enabling a shadow stack.
In this paper, we acknowledge the importance of a shadow stack for supporting and strengthening any CFI policy. In addition, we project that a full-featured CFI-enabled Instruction Set Architecture (ISA) can be implemented efficiently in actual hardware with an in-chip secure memory, and that such a prototype incurs negligible overhead. To support our case, we implement HCFI by modifying a SPARC SoC and evaluate the prototype on an FPGA board by running all SPECInt benchmarks instrumented with a fine-grained CFI policy. The evaluation shows that HCFI can effectively protect applications from code-reuse attacks, while adding less than 1% runtime overhead.
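As an added illustration (not code from the paper or the HCFI prototype), the following C model contrasts the two return-edge policies the abstract discusses: a label-only check that accepts a return to any call site in the approximated CFG, and a shadow stack that requires the exact return address recorded by the matching call. The addresses, the trace format and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the two return-edge policies contrasted in the
 * abstract: a label-only check that accepts a return to any call site in
 * the (approximated) CFG, versus a shadow stack that demands the exact
 * call site of the matching call. All addresses are made up. */
#define SHADOW_DEPTH 64

typedef enum { EV_CALL, EV_RET } ev_kind;
/* CALL carries the return address the call saves; RET carries the actual target. */
typedef struct { ev_kind kind; uint32_t addr; } trace_ev;

typedef struct {
    uint32_t shadow[SHADOW_DEPTH];  /* models the in-chip secure memory */
    size_t sp;
    const uint32_t *call_sites;     /* every legitimate return target in the CFG */
    size_t n_sites;
} cfi_state;

/* Label-only policy: the target merely has to be some valid call site. */
static bool ret_ok_label_only(const cfi_state *s, uint32_t target) {
    for (size_t i = 0; i < s->n_sites; i++)
        if (s->call_sites[i] == target) return true;
    return false;
}

/* Shadow-stack policy: target must equal the address saved by the matching call. */
static bool ret_ok_shadow(cfi_state *s, uint32_t target) {
    if (s->sp == 0) return false;             /* return with no outstanding call */
    return s->shadow[--s->sp] == target;
}

/* Replay a trace under one policy; return the index of the first rejected
 * return (or shadow overflow), or -1 if the whole trace is accepted. */
static int first_violation(const trace_ev *ev, size_t n, const uint32_t *sites,
                           size_t n_sites, bool use_shadow) {
    cfi_state s = { .sp = 0, .call_sites = sites, .n_sites = n_sites };
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) {
            if (s.sp == SHADOW_DEPTH) return (int)i;  /* shadow overflow: fault */
            s.shadow[s.sp++] = ev[i].addr;            /* record the expected return */
        } else if (use_shadow ? !ret_ok_shadow(&s, ev[i].addr)
                              : !ret_ok_label_only(&s, ev[i].addr)) {
            return (int)i;
        }
    }
    return -1;
}
```

A return that skips a frame and lands on a different, still legitimate call site passes the label-only check but is flagged by the shadow stack, which is exactly the gap the abstract points to.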