skip to main content

Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets

Published:15 October 2021Publication History
Skip Abstract Section

Abstract

Despite extensive testing and correctness certification of their functional semantics, a number of compiler optimizations have been shown to violate security guarantees implemented in source code. While prior work has shed light on how such optimizations may introduce semantic security weaknesses into programs, there remains a significant knowledge gap concerning the impacts of compiler optimizations on non-semantic properties with security implications. In particular, little is currently known about how code generation and optimization decisions made by the compiler affect the availability and utility of reusable code segments called gadgets required for implementing code reuse attack methods such as return-oriented programming.

In this paper, we bridge this gap through a study of the impacts of compiler optimization on code reuse gadget sets. We analyze and compare 1,187 variants of 20 different benchmark programs built with two production compilers (GCC and Clang) to determine how their optimization behaviors affect the code reuse gadget sets present in program variants with respect to both quantitative and qualitative metrics. Our study exposes an important and unexpected problem; compiler optimizations introduce new gadgets at a high rate and produce code containing gadget sets that are generally more useful to an attacker than those in unoptimized code. Using differential binary analysis, we identify several undesirable behaviors at the root of this phenomenon. In turn, we propose and evaluate several strategies to mitigate these behaviors. In particular, we show that post-production binary recompilation can effectively mitigate these behaviors with negligible performance impacts, resulting in optimized code with significantly smaller and less useful gadget sets.

Skip Supplemental Material Section

Supplemental Material

Auxiliary Presentation Video

Little is currently known about how code generation and optimization decisions made by the compiler affect the availability and utility of reusable code segments called gadgets required for implementing code reuse attack methods such as return-oriented programming. We bridge this gap by analyzing and comparing 1,187 variants of 20 different benchmark programs built with GCC and Clang to determine how their optimization behaviors affect the code reuse gadget sets. Our study exposes an important and unexpected problem; compiler optimizations introduce new gadgets at a high rate and produce code containing gadget sets that are generally more useful to an attacker than those in unoptimized code. Using differential binary analysis, we identify several undesirable behaviors at the root of this phenomenon. In turn, we propose and evaluate several strategies to mitigate these behaviors.

References

  1. Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-flow Integrity: Principles, Implementations, and Applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS ’05). Association for Computing Machinery, New York, NY, USA. 340–353.Google ScholarGoogle Scholar
  2. M. Angelini, G. Blasilli, P. Borrello, E. Coppa, D. C. D’Elia, S. Ferracci, S. Lenti, and G. Santucci. 2018. ROPMate: Visually Assisting the Creation of ROP-based Exploits. In 2018 IEEE Symposium on Visualization for Cyber Security (VizSec). 1–8.Google ScholarGoogle Scholar
  3. Nicolas Belleville, Damien Couroussé, Karine Heydemann, and Henri-Pierre Charles. 2018. Automated Software Protection for the Masses Against Side-Channel Attacks. ACM Trans. Archit. Code Optim., 15, 4 (2018), Article 47, Nov., 27 pages. issn:1544-3566 https://doi.org/10.1145/3281662 Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Frédéric Besson, Alexandre Dang, and Thomas Jensen. 2018. Securing Compilation Against Memory Probing. In Proceedings of the 13th Workshop on Programming Languages and Analysis for Security (PLAS ’18). Association for Computing Machinery, New York, NY, USA. 29–40. isbn:9781450359931 https://doi.org/10.1145/3264820.3264822 Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Tyler Bletsch, Xuxian Jiang, and Vince Freeh. 2011. Mitigating Code-Reuse Attacks with Control-Flow Locking. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC ’11). Association for Computing Machinery, New York, NY, USA. 353–362. isbn:9781450306720 https://doi.org/10.1145/2076732.2076783 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. 2011. Jump-Oriented Programming: A New Class of Code-Reuse Attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’11). Association for Computing Machinery, New York, NY, USA. 30–40. isbn:9781450305648 https://doi.org/10.1145/1966913.1966919 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Michael D. Brown. 2020. GadgetSetAnalyzer. https://github.com/michaelbrownuc/GadgetSetAnalyzerGoogle ScholarGoogle Scholar
  8. Michael D. Brown. 2021. Compiler Optimization Data Set README. https://github.com/michaelbrownuc/compiler-opt-gadget-dataset/blob/main/README.mdGoogle ScholarGoogle Scholar
  9. Michael D. Brown. 2021. GSA Gadget Criteria Reference. https://github.com/michaelbrownuc/GadgetSetAnalyzer/blob/master/Criteria.mdGoogle ScholarGoogle Scholar
  10. Michael D. Brown. 2021. Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets. PACMPL, Oct., https://doi.org/10.5281/zenodo.5424844 Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Michael D. Brown and Santosh Pande. 2019. Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating. In 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/cset19/presentation/brownGoogle ScholarGoogle Scholar
  12. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In 24th $USENIX$ Security Symposium ($USENIX$ Security 15). 161–176.Google ScholarGoogle Scholar
  13. Nicholas Carlini and David Wagner. 2014. $ROP$ is Still Dangerous: Breaking Modern Defenses. In 23rd $USENIX$ Security Symposium ($USENIX$ Security 14). 385–399.Google ScholarGoogle Scholar
  14. Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. 2010. Return-Oriented Programming without Returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS ’10). Association for Computing Machinery, New York, NY, USA. 559–572. isbn:9781450302456 https://doi.org/10.1145/1866307.1866370 Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Ping Chen, Hai Xiao, Xiaobin Shen, Xinchun Yin, Bing Mao, and Li Xie. 2009. DROP: Detecting return-oriented programming malicious code. In International Conference on Information Systems Security. 163–177.Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Mauro Conti, Stephen Crane, Lucas Davi, Michael Franz, Per Larsen, Marco Negro, Christopher Liebchen, Mohaned Qunaibit, and Ahmad-Reza Sadeghi. 2015. Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15). Association for Computing Machinery, New York, NY, USA. 952–963. isbn:9781450338325 https://doi.org/10.1145/2810103.2813671 Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA. 401–416. isbn:978-1-931971-15-7 https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/daviGoogle ScholarGoogle ScholarDigital LibraryDigital Library
  18. Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. 2009. Dynamic Integrity Measurement and Attestation: Towards Defense against Return-Oriented Programming Attacks. In Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing (STC ’09). Association for Computing Machinery, New York, NY, USA. 49–54. isbn:9781605587882 https://doi.org/10.1145/1655108.1655117 Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. 2011. ROPdefender: A Detection Tool to Defend against Return-Oriented Programming Attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’11). Association for Computing Machinery, New York, NY, USA. 40–51. isbn:9781450305648 https://doi.org/10.1145/1966913.1966920 Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Chaoqiang Deng and Kedar S. Namjoshi. 2017. Securing the SSA Transform. In Static Analysis, Francesco Ranzato (Ed.). Springer International Publishing, Cham. 88–105. isbn:978-3-319-66706-5Google ScholarGoogle Scholar
  21. Chaoqiang Deng and Kedar S Namjoshi. 2018. Securing a compiler transformation. Formal Methods in System Design, 53, 2 (2018), 166–188.Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Vijay D’Silva, Mathias Payer, and Dawn Song. 2015. The Correctness-Security Gap in Compiler Optimization. In Proceedings of the 2015 IEEE Security and Privacy Workshops (SPW ’15). IEEE Computer Society, USA. 73–87. isbn:9781479999330Google ScholarGoogle ScholarCross RefCross Ref
  23. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15). Association for Computing Machinery, New York, NY, USA. 901–913. isbn:9781450338325 https://doi.org/10.1145/2810103.2813646 Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Andreas Follner, Alexandre Bartel, and Eric Bodden. 2016. Analyzing the gadgets. In International Symposium on Engineering Secure Software and Systems. 155–172.Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Andreas Follner, Alexandre Bartel, Hui Peng, Yu-Chen Chang, Kyriakos Ispoglou, Mathias Payer, and Eric Bodden. 2016. PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution. In Security and Trust Management, Gilles Barthe, Evangelos Markatos, and Pierangela Samarati (Eds.). Springer International Publishing, Cham. isbn:978-3-319-46598-2Google ScholarGoogle Scholar
  26. Brian Grant, Matthai Philipose, Markus Mock, Craig Chambers, and Susan J. Eggers. 1999. An Evaluation of Staged Run-Time Optimizations in DyC. SIGPLAN Not., 34, 5 (1999), May, 293–304. issn:0362-1340 https://doi.org/10.1145/301631.301683 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. B. Hawkins, B. Demsky, and M. B. Taylor. 2016. BlackBox: Lightweight security monitoring for COTS binaries. In 2016 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). 261–272.Google ScholarGoogle Scholar
  28. Hex-Rays. 2020. IDA Pro. https://www.hex-rays.com/products/ida/Google ScholarGoogle Scholar
  29. Andrei Homescu, Michael Stewart, Per Larsen, Stefan Brunthaler, and Michael Franz. 2012. Microgadgets: size does matter in turing-complete return-oriented programming. In Proceedings of the 6th USENIX conference on Offensive Technologies. 7–7.Google ScholarGoogle Scholar
  30. Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Branch Regulation: Low-Overhead Protection from Code Reuse Attacks. In Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12). IEEE Computer Society, USA. 94–105. isbn:9781450316422Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Branch Regulation: Low-Overhead Protection from Code Reuse Attacks. SIGARCH Comput. Archit. News, 40, 3 (2012), June, 94–105. issn:0163-5964 https://doi.org/10.1145/2366231.2337171 Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-Directed and Runtime Optimization (CGO ’04). IEEE Computer Society, USA. 75. isbn:0769521029Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Han Lee, Daniel von Dincklage, Amer Diwan, and J. Eliot B. Moss. 2006. Understanding the Behavior of Compiler Optimizations. Softw. Pract. Exper., 36, 8 (2006), July, 835–844. issn:0038-0644Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Jinku Li, Zhi Wang, Xuxian Jiang, Michael Grace, and Sina Bahram. 2010. Defeating Return-Oriented Rootkits with “Return-Less” Kernels. In Proceedings of the 5th European Conference on Computer Systems (EuroSys ’10). Association for Computing Machinery, New York, NY, USA. 195–208. isbn:9781605585772 https://doi.org/10.1145/1755913.1755934 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Jay P. Lim, Vinod Ganapathy, and Santosh Nagarakatte. 2017. Compiler Optimizations with Retrofitting Transformations: Is There a Semantic Mismatch? In Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security (PLAS ’17). Association for Computing Machinery, New York, NY, USA. 37–42. isbn:9781450350990 https://doi.org/10.1145/3139337.3139343 Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Scott McFarling and J Hennesey. 1986. Reducing the cost of branches. ACM SIGARCH Computer Architecture News, 14, 2 (1986), 396–403.Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Paul Muntean, Matthias Neumayer, Zhiqiang Lin, Gang Tan, Jens Grossklags, and Claudia Eckert. 2019. Analyzing control flow integrity with LLVM-CFI. In Proceedings of the 35th Annual Computer Security Applications Conference. 584–597.Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. 2010. G-Free: Defeating Return-Oriented Programming through Gadget-Less Binaries. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC ’10). Association for Computing Machinery, New York, NY, USA. 49–58. isbn:9781450301336 https://doi.org/10.1145/1920261.1920269 Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. PaX. 2020. Address Space Layout Randomization. https://pax.grsecurity.net/docs/aslr.txtGoogle ScholarGoogle Scholar
  40. Chris Porter, Girish Mururu, Prithayan Barua, and Santosh Pande. 2020. BlankIt Library Debloating: Getting What You Want Instead of Cutting What You Don’t. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2020). Association for Computing Machinery, New York, NY, USA. 17 pages. isbn:9781450376136 https://doi.org/10.1145/3385412.3386017 Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Julien Proy, Karine Heydemann, Alexandre Berzati, and Albert Cohen. 2017. Compiler-Assisted Loop Hardening Against Fault Attacks. ACM Trans. Archit. Code Optim., 14, 4 (2017), Article 36, Dec., 25 pages. issn:1544-3566 https://doi.org/10.1145/3141234 Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating software through piece-wise compilation and loading. In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 869–886.Google ScholarGoogle Scholar
  43. AliAkbar Sadeghi, Salman Niksefat, and Maryam Rostamipour. 2018. Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions. Journal of Computer Virology and Hacking Techniques, 14, 2 (2018), 139–156.Google ScholarGoogle ScholarCross RefCross Ref
  44. Jonathan Salwan. 2020. ROPgadget - Gadgets finder and auto-roper. http://shell-storm.org/project/ROPgadget/Google ScholarGoogle Scholar
  45. Edward J Schwartz, Thanassis Avgerinos, and David Brumley. 2011. Q: Exploit Hardening Made Easy.. In USENIX Security Symposium. 25–41.Google ScholarGoogle Scholar
  46. Hovav Shacham. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (on the X86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07). Association for Computing Machinery, New York, NY, USA. 552–561. isbn:9781595937032 https://doi.org/10.1145/1315245.1315313 Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. L. Simon, D. Chisnall, and R. Anderson. 2018. What You Get is What You C: Controlling Side Effects in Mainstream C Compilers. In 2018 IEEE European Symposium on Security and Privacy (EuroS P). 1–15.Google ScholarGoogle Scholar
  48. Victor van der Veen, Dennis Andriesse, Manolis Stamatogiannakis, Xi Chen, Herbert Bos, and Cristiano Giuffrdia. 2017. The dynamics of innocent flesh on the bone: Code reuse ten years later. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 1675–1689.Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. David Williams-King, Hidenori Kobayashi, Kent Williams-King, Graham Patterson, Frank Spano, Yu Jian Wu, Junfeng Yang, and Vasileios P Kemerlis. 2020. Egalito: Layout-Agnostic Binary Recompilation. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 133–147.Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Zhaomo Yang, Brian Johannesmeyer, Anders Trier Olesen, Sorin Lerner, and Kirill Levchenko. 2017. Dead store elimination (still) considered harmful. In 26th $USENIX$ Security Symposium ($USENIX$ Security 17). 1025–1040.Google ScholarGoogle Scholar
  51. F. Yao, J. Chen, and G. Venkataramani. 2013. JOP-alarm: Detecting jump-oriented programming-based anomalies in applications. In 2013 IEEE 31st International Conference on Computer Design (ICCD). 467–470.Google ScholarGoogle Scholar
  52. Mingwei Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C.. 337–352. isbn:978-1-931971-03-4 https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/ZhangGoogle ScholarGoogle Scholar
  53. zynamics. 2020. zynamics BinDiff. https://www.zynamics.com/bindiff.htmlGoogle ScholarGoogle Scholar

Index Terms

  1. Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!