DOI: 10.1145/2857705.2857722 (CODASPY conference proceedings)
research-article
Best Paper

HCFI: Hardware-enforced Control-Flow Integrity

ABSTRACT

Control-flow hijacking is the principal mechanism behind code-reuse techniques such as Return-oriented Programming (ROP) and Jump-oriented Programming (JOP). To defend against such attacks, the community has proposed Control-flow Integrity (CFI), a technique that prevents exploitation by verifying that every (indirect) control-flow transfer points to a legitimate address. Enabling CFI in real systems is not straightforward, since in many cases the actual Control-flow Graph (CFG) of a program can only be approximated. Even with perfect knowledge of the CFG, ensuring that all return instructions return to their actual call sites without employing a shadow stack is questionable. On the other hand, the community has expressed concerns about the significant overheads that a shadow stack may introduce.

In this paper, we acknowledge the importance of a shadow stack for supporting and strengthening any CFI policy. In addition, we make the case that a full-featured CFI-enabled Instruction Set Architecture (ISA) can be implemented efficiently in actual hardware with an in-chip secure memory, and that the resulting prototype experiences negligible overheads. To support our case, we implement HCFI by modifying a SPARC SoC and evaluate the prototype on an FPGA board by running all SPECInt benchmarks instrumented with a fine-grained CFI policy. The evaluation shows that HCFI can effectively protect applications from code-reuse attacks while adding less than 1% runtime overhead.
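The abstract makes two points that are easy to see in a small model: a forward-edge check (an indirect jump must land on an address carrying the expected label, which is all an approximated CFG can give you) and a backward-edge check (a return must go exactly where the matching call came from, which needs a shadow stack the program cannot write). The following C program is an added example written for this page; it is not code from the paper or the HCFI prototype, and its opcodes, label values, stack depths and the three seven-instruction programs are all constructed for illustration rather than taken from the SPARC ISA or the HCFI encoding. The `OP_STORE_RA` instruction stands in for a memory-safety bug that overwrites the saved return address; running the same program with the shadow-stack comparison disabled shows why a label-only policy cannot tell a corrupted return from a legitimate one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the paper): a software model of the two CFI checks
 * the abstract describes. Opcodes, labels and programs are constructed. */

#define SHADOW_DEPTH 16
#define STACK_DEPTH  16
#define MAX_STEPS    1000

typedef enum { OP_NOP, OP_CALL, OP_RET, OP_IJMP, OP_STORE_RA, OP_HALT } opcode_t;

typedef struct {
    opcode_t op;
    uint32_t operand;        /* CALL/IJMP: destination; STORE_RA: value written over the saved return address */
    uint32_t expect_label;   /* IJMP only: label the destination must carry */
    uint32_t landing_label;  /* label attached to this address; 0 = not a legal indirect-jump target */
} insn_t;

typedef enum {
    CFI_OK = 0,
    CFI_BAD_RETURN,   /* architectural return address disagrees with the shadow copy */
    CFI_BAD_FORWARD,  /* indirect jump to an address whose label does not match */
    CFI_FAULT,        /* stack over/underflow or pc out of range */
    CFI_NO_HALT       /* step budget exhausted */
} cfi_status_t;

/* Executes prog from address 0. The shadow stack models on-chip memory that no
 * instruction can write; the architectural stack is ordinary memory, so
 * OP_STORE_RA (standing in for a memory-safety bug) can clobber it. */
cfi_status_t run_with_cfi(const insn_t *prog, size_t n, int shadow_enabled, uint32_t *halt_at)
{
    uint32_t shadow[SHADOW_DEPTH]; int ssp = 0;
    uint32_t stack[STACK_DEPTH];   int sp = 0;
    uint32_t pc = 0;

    for (int step = 0; step < MAX_STEPS; step++) {
        if (pc >= n) return CFI_FAULT;
        const insn_t *in = &prog[pc];
        switch (in->op) {
        case OP_NOP:
            pc++;
            break;
        case OP_HALT:
            if (halt_at) *halt_at = pc;
            return CFI_OK;
        case OP_CALL:
            if (sp >= STACK_DEPTH || ssp >= SHADOW_DEPTH) return CFI_FAULT;
            stack[sp++]   = pc + 1;   /* return address visible to the program */
            shadow[ssp++] = pc + 1;   /* private copy kept by the hardware */
            pc = in->operand;
            break;
        case OP_RET:
            if (sp == 0 || ssp == 0) return CFI_FAULT;
            sp--; ssp--;
            /* Backward edge: the return must go exactly where the matching call came from. */
            if (shadow_enabled && stack[sp] != shadow[ssp]) return CFI_BAD_RETURN;
            pc = stack[sp];
            break;
        case OP_IJMP:
            /* Forward edge: the destination must carry the label the jump site expects. */
            if (in->operand >= n || prog[in->operand].landing_label == 0 ||
                prog[in->operand].landing_label != in->expect_label)
                return CFI_BAD_FORWARD;
            pc = in->operand;
            break;
        case OP_STORE_RA:
            if (sp == 0) return CFI_FAULT;
            stack[sp - 1] = in->operand;   /* an out-of-bounds write hitting the saved return address */
            pc++;
            break;
        }
    }
    return CFI_NO_HALT;
}

/* Address where the program halted, or UINT32_MAX if a CFI check fired first. */
uint32_t halt_pc(const insn_t *prog, size_t n, int shadow_enabled)
{
    uint32_t at = UINT32_MAX;
    return run_with_cfi(prog, n, shadow_enabled, &at) == CFI_OK ? at : UINT32_MAX;
}

#define PROG_LEN 7
/* Constructed program: address 0 calls f (at 5); after the return, address 1
 * jumps indirectly to a handler at 3 carrying label 0x11; address 4 halts. */
const insn_t PROG_BENIGN[PROG_LEN] = {
    { OP_CALL, 5, 0, 0 }, { OP_IJMP, 3, 0x11, 0 }, { OP_HALT, 0, 0, 0 },
    { OP_NOP, 0, 0, 0x11 }, { OP_HALT, 0, 0, 0 },
    { OP_NOP, 0, 0, 0 }, { OP_RET, 0, 0, 0 },
};
/* Same layout, but f's saved return address is overwritten with 2 (the other HALT). */
const insn_t PROG_CORRUPTED_RET[PROG_LEN] = {
    { OP_CALL, 5, 0, 0 }, { OP_IJMP, 3, 0x11, 0 }, { OP_HALT, 0, 0, 0 },
    { OP_NOP, 0, 0, 0x11 }, { OP_HALT, 0, 0, 0 },
    { OP_STORE_RA, 2, 0, 0 }, { OP_RET, 0, 0, 0 },
};
/* Same layout, but the indirect jump targets f's body, which carries no label. */
const insn_t PROG_BAD_FORWARD[PROG_LEN] = {
    { OP_CALL, 5, 0, 0 }, { OP_IJMP, 5, 0x11, 0 }, { OP_HALT, 0, 0, 0 },
    { OP_NOP, 0, 0, 0x11 }, { OP_HALT, 0, 0, 0 },
    { OP_NOP, 0, 0, 0 }, { OP_RET, 0, 0, 0 },
};

int main(void)
{
    printf("benign, shadow on:     status %d\n", run_with_cfi(PROG_BENIGN, PROG_LEN, 1, NULL));
    printf("bad return, shadow on: status %d\n", run_with_cfi(PROG_CORRUPTED_RET, PROG_LEN, 1, NULL));
    printf("bad return, shadow off: halted at %u (CFI_OK, violation missed)\n", halt_pc(PROG_CORRUPTED_RET, PROG_LEN, 0));
    printf("bad forward edge:      status %d\n", run_with_cfi(PROG_BAD_FORWARD, PROG_LEN, 1, NULL));
    return 0;
}
```

The benign run halts at address 4 and the forward-edge violation is caught with or without a shadow stack, since it depends only on labels. The corrupted return is the instructive case: with the shadow stack enabled the hardware stops at the `RET` with `CFI_BAD_RETURN`; with it disabled the program halts "cleanly" at address 2, having skipped the indirect jump entirely, which is exactly the kind of divergence a label-only policy cannot observe.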

