
GRIFFIN: Guarding Control Flows Using Intel Processor Trace

Published: 4 April 2017

Abstract

Researchers are actively exploring techniques to enforce control-flow integrity (CFI), which restricts each indirect control transfer in a program to a predefined set of targets in order to prevent code-reuse attacks. While hardware-assisted CFI enforcement potentially offers advantages in performance and flexibility over software instrumentation, current hardware-assisted defenses are either incomplete (i.e., they do not enforce all control transfers) or less efficient than software instrumentation. We find that recently introduced hardware features for logging complete control-flow traces, such as Intel Processor Trace (PT), provide an opportunity to explore how efficient and flexible a hardware-assisted CFI enforcement system can become. Although Intel PT was designed to aid offline debugging and failure diagnosis, we explore its effectiveness for online CFI enforcement over unmodified binaries by designing a parallelized method for enforcing various types of CFI policies. We have implemented a prototype called GRIFFIN in the Linux 4.2 kernel that enables complete CFI enforcement over a variety of software, including the Firefox browser and its JIT-compiled code. Our experiments show that GRIFFIN can enforce fine-grained CFI policies with a shadow stack, as recommended by researchers, at a performance cost comparable to software-only instrumentation techniques. In addition, we find that alternative logging approaches yield significant performance improvements for trace processing, identifying opportunities for further hardware assistance.
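The abstract describes checking a hardware-recorded control-flow trace against a CFI policy after the fact, with a shadow stack for return edges. The following is an added example and is not GRIFFIN's code: a small Python model of that check. It assumes that Intel PT packet decoding has already been done (real PT emits TIP packets for indirect branch targets and TNT packets for conditional branches, which a decoder combines with the binary to recover each transfer), so the input is a list of decoded (kind, src, dst) events. All addresses, the policy, and the three traces are constructed for illustration; the function names, the `Transfer`/`Policy` types and the "coarse" mode are the example's own. The coarse mode goes slightly beyond the abstract: it shows why a shadow stack is needed by accepting any return to a call-preceded address, which a chain of call-preceded gadgets satisfies while the shadow stack still flags it. The trace is processed sequentially; GRIFFIN's parallel processing is not modelled.

```python
"""Trace-driven CFI enforcement with a shadow stack (simplified model).

Added example, not GRIFFIN's code. Assumes a decoder has already turned
Intel PT packets plus the binary into (kind, src, dst) transfer events.
All addresses and traces below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    kind: str          # "call" (direct or indirect), "ijmp" or "ret"
    src: int           # address of the transferring instruction
    dst: int           # target address recovered from the trace
    ret_addr: int = 0  # calls only: address the matching ret must return to


@dataclass
class Policy:
    allowed: dict             # indirect call/jmp site -> frozenset of allowed targets
    direct_sites: frozenset   # direct call sites: target is in the instruction, no check
    call_preceded: frozenset  # what a coarse-grained return policy accepts


def check_trace(trace, policy, coarse=False):
    """Return [(event index, reason)] for every CFI violation in the trace.

    coarse=False: a ret must return to the address on top of the shadow stack.
    coarse=True : a ret may go to any call-preceded address, the weaker policy
                  that a chain of call-preceded gadgets can satisfy.
    """
    shadow = []
    violations = []
    for i, t in enumerate(trace):
        if t.kind == "call":
            if t.src not in policy.direct_sites and \
                    t.dst not in policy.allowed.get(t.src, frozenset()):
                violations.append((i, f"indirect call {t.src:#x} -> {t.dst:#x} not in policy"))
            shadow.append(t.ret_addr)   # record where the matching ret must land
        elif t.kind == "ijmp":
            if t.dst not in policy.allowed.get(t.src, frozenset()):
                violations.append((i, f"indirect jmp {t.src:#x} -> {t.dst:#x} not in policy"))
        elif t.kind == "ret":
            if coarse:
                if t.dst not in policy.call_preceded:
                    violations.append((i, f"ret to non-call-preceded address {t.dst:#x}"))
            elif not shadow:
                violations.append((i, f"ret to {t.dst:#x} with empty shadow stack"))
            else:
                expected = shadow.pop()
                if t.dst != expected:
                    violations.append((i, f"ret to {t.dst:#x}, shadow stack expected {expected:#x}"))
        else:
            raise ValueError(f"unknown transfer kind {t.kind!r}")
    return violations


# Constructed program layout (hypothetical addresses):
#   0x401010  main:     call parse        (direct)   return address 0x401015
#   0x401120  parse:    call [handler]    (indirect) return address 0x401125
#   0x401210  handle_a: ret
#   0x401300  exec_cmd: never a legitimate target of parse's indirect call
def example_policy():
    return Policy(
        allowed={0x401120: frozenset({0x401200, 0x401240})},  # handle_a, handle_b
        direct_sites=frozenset({0x401010}),
        call_preceded=frozenset({0x401015, 0x401125}),
    )


def benign_trace():
    return [
        Transfer("call", 0x401010, 0x401100, 0x401015),
        Transfer("call", 0x401120, 0x401200, 0x401125),
        Transfer("ret", 0x401210, 0x401125),
        Transfer("ret", 0x401130, 0x401015),
    ]


def rop_trace():
    """Stack overflow in handle_a: its ret is redirected to the call-preceded
    gadget at 0x401015, whose own ret then enters exec_cmd."""
    return benign_trace()[:2] + [
        Transfer("ret", 0x401210, 0x401015),
        Transfer("ret", 0x401018, 0x401300),
    ]


def fptr_hijack_trace():
    """Overwritten function pointer: parse's indirect call lands in exec_cmd."""
    return [
        Transfer("call", 0x401010, 0x401100, 0x401015),
        Transfer("call", 0x401120, 0x401300, 0x401125),
    ]


if __name__ == "__main__":
    pol = example_policy()
    for name, trace in [("benign", benign_trace()), ("rop", rop_trace()),
                        ("fptr", fptr_hijack_trace())]:
        print(name, "fine:  ", check_trace(trace, pol))
        print(name, "coarse:", check_trace(trace, pol, coarse=True))
```

The benign trace passes both modes. The ROP trace's first corrupted return lands on a call-preceded address, so the coarse policy accepts it and only flags the second return into `exec_cmd`; the shadow stack flags both. The hijacked function pointer is caught by the fine-grained forward-edge set alone, which is why a policy that merely allows any function entry would not suffice.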


Published in

  ACM SIGPLAN Notices, Volume 52, Issue 4 (ASPLOS '17), April 2017, 811 pages
  ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/3093336

  ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, April 2017, 856 pages
  ISBN: 9781450344654, DOI: 10.1145/3037697

  Copyright © 2017 ACM
  Publisher: Association for Computing Machinery, New York, NY, United States
