Abstract
Researchers are actively exploring techniques to enforce control-flow integrity (CFI), which restricts program execution to a predefined set of targets for each indirect control transfer to prevent code-reuse attacks. While hardware-assisted CFI enforcement may have the potential for advantages in performance and flexibility over software instrumentation, current hardware-assisted defenses are either incomplete (i.e., do not enforce all control transfers) or less efficient in comparison. We find that the recent introduction of hardware features to log complete control-flow traces, such as Intel Processor Trace (PT), provides an opportunity to explore how efficient and flexible a hardware-assisted CFI enforcement system may become. While Intel PT was designed to aid in offline debugging and failure diagnosis, we explore its effectiveness for online CFI enforcement over unmodified binaries by designing a parallelized method for enforcing various types of CFI policies. We have implemented a prototype called GRIFFIN in the Linux 4.2 kernel that enables complete CFI enforcement over a variety of software, including the Firefox browser and its jitted code. Our experiments show that GRIFFIN can enforce fine-grained CFI policies with shadow stack as recommended by researchers at a performance that is comparable to software-only instrumentation techniques. In addition, we find that alternative logging approaches yield significant performance improvements for trace processing, identifying opportunities for further hardware assistance.
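The following is an added illustration, not GRIFFIN's own code, of the check the abstract describes: a decoded control-flow trace of indirect transfers is replayed against a fine-grained forward-edge policy (allowed targets per indirect call or jump site) and a shadow stack built from the observed calls for backward edges. The trace records, addresses and policy are constructed; a real Intel PT stream would first have to be decoded into such transfer records.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Transfer:
    kind: str          # "call" (indirect call), "ret", or "jmp" (indirect jump)
    src: int           # address of the branch instruction
    dst: int           # target address recovered from the trace
    fallthrough: int = 0  # for calls: the return address (next instruction)

ForwardPolicy = Dict[int, Set[int]]  # source address -> allowed target set

def check_trace(trace: List[Transfer], policy: ForwardPolicy) -> List[str]:
    """Replay decoded transfers against fine-grained CFI plus a shadow stack.

    Forward edges must hit a target allowed for that exact source; every
    return must land on the address pushed by the matching observed call.
    Returns a list of human-readable violations (empty if the trace is clean).
    """
    shadow: List[int] = []
    violations: List[str] = []
    for t in trace:
        if t.kind in ("call", "jmp"):
            if t.dst not in policy.get(t.src, set()):
                violations.append(f"forward-edge: {t.src:#x} -> {t.dst:#x} not in policy")
            if t.kind == "call":
                shadow.append(t.fallthrough)  # remember where this call must return
        elif t.kind == "ret":
            if not shadow:
                violations.append(f"backward-edge: ret at {t.src:#x} with empty shadow stack")
                continue
            expected = shadow.pop()
            if t.dst != expected:
                violations.append(f"backward-edge: ret at {t.src:#x} -> {t.dst:#x}, "
                                  f"shadow stack expects {expected:#x}")
    return violations

# Constructed policy: two indirect call/jump sites with their permitted targets.
POLICY: ForwardPolicy = {0x401000: {0x402000, 0x403000}, 0x401020: {0x404000}}

# Constructed benign trace: call, matching return, allowed indirect jump.
BENIGN = [
    Transfer("call", 0x401000, 0x402000, 0x401005),
    Transfer("ret", 0x402010, 0x401005),
    Transfer("jmp", 0x401020, 0x404000),
]

# Constructed trace with a return that disagrees with the shadow stack and
# an indirect call to a target outside the fine-grained policy.
SUSPICIOUS = [
    Transfer("call", 0x401000, 0x402000, 0x401005),
    Transfer("ret", 0x402010, 0x403000),
    Transfer("call", 0x401000, 0x405000, 0x401005),
]
```

Note that the second trace's return target 0x403000 is a legitimate function entry under the forward-edge policy, so a check without a shadow stack would not flag it; that is why the abstract pairs fine-grained CFI with a shadow stack.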
GRIFFIN: Guarding Control Flows Using Intel Processor Trace
ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems