Abstract
Despite extensive testing and correctness certification of their functional semantics, a number of compiler optimizations have been shown to violate security guarantees implemented in source code. While prior work has shed light on how such optimizations may introduce semantic security weaknesses into programs, there remains a significant knowledge gap concerning the impacts of compiler optimizations on non-semantic properties with security implications. In particular, little is currently known about how code generation and optimization decisions made by the compiler affect the availability and utility of reusable code segments called gadgets required for implementing code reuse attack methods such as return-oriented programming.
In this paper, we bridge this gap through a study of the impacts of compiler optimization on code reuse gadget sets. We analyze and compare 1,187 variants of 20 different benchmark programs built with two production compilers (GCC and Clang) to determine how their optimization behaviors affect the code reuse gadget sets present in program variants with respect to both quantitative and qualitative metrics. Our study exposes an important and unexpected problem; compiler optimizations introduce new gadgets at a high rate and produce code containing gadget sets that are generally more useful to an attacker than those in unoptimized code. Using differential binary analysis, we identify several undesirable behaviors at the root of this phenomenon. In turn, we propose and evaluate several strategies to mitigate these behaviors. In particular, we show that post-production binary recompilation can effectively mitigate these behaviors with negligible performance impacts, resulting in optimized code with significantly smaller and less useful gadget sets.
Supplemental Material
- Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-flow Integrity: Principles, Implementations, and Applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS ’05). Association for Computing Machinery, New York, NY, USA. 340–353.Google Scholar
- M. Angelini, G. Blasilli, P. Borrello, E. Coppa, D. C. D’Elia, S. Ferracci, S. Lenti, and G. Santucci. 2018. ROPMate: Visually Assisting the Creation of ROP-based Exploits. In 2018 IEEE Symposium on Visualization for Cyber Security (VizSec). 1–8.Google Scholar
- Nicolas Belleville, Damien Couroussé, Karine Heydemann, and Henri-Pierre Charles. 2018. Automated Software Protection for the Masses Against Side-Channel Attacks. ACM Trans. Archit. Code Optim., 15, 4 (2018), Article 47, Nov., 27 pages. issn:1544-3566 https://doi.org/10.1145/3281662 Google Scholar
Digital Library
- Frédéric Besson, Alexandre Dang, and Thomas Jensen. 2018. Securing Compilation Against Memory Probing. In Proceedings of the 13th Workshop on Programming Languages and Analysis for Security (PLAS ’18). Association for Computing Machinery, New York, NY, USA. 29–40. isbn:9781450359931 https://doi.org/10.1145/3264820.3264822 Google Scholar
Digital Library
- Tyler Bletsch, Xuxian Jiang, and Vince Freeh. 2011. Mitigating Code-Reuse Attacks with Control-Flow Locking. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC ’11). Association for Computing Machinery, New York, NY, USA. 353–362. isbn:9781450306720 https://doi.org/10.1145/2076732.2076783 Google Scholar
Digital Library
- Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. 2011. Jump-Oriented Programming: A New Class of Code-Reuse Attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’11). Association for Computing Machinery, New York, NY, USA. 30–40. isbn:9781450305648 https://doi.org/10.1145/1966913.1966919 Google Scholar
Digital Library
- Michael D. Brown. 2020. GadgetSetAnalyzer. https://github.com/michaelbrownuc/GadgetSetAnalyzerGoogle Scholar
- Michael D. Brown. 2021. Compiler Optimization Data Set README. https://github.com/michaelbrownuc/compiler-opt-gadget-dataset/blob/main/README.mdGoogle Scholar
- Michael D. Brown. 2021. GSA Gadget Criteria Reference. https://github.com/michaelbrownuc/GadgetSetAnalyzer/blob/master/Criteria.mdGoogle Scholar
- Michael D. Brown. 2021. Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets. PACMPL, Oct., https://doi.org/10.5281/zenodo.5424844 Google Scholar
Digital Library
- Michael D. Brown and Santosh Pande. 2019. Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating. In 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/cset19/presentation/brownGoogle Scholar
- Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In 24th $USENIX$ Security Symposium ($USENIX$ Security 15). 161–176.Google Scholar
- Nicholas Carlini and David Wagner. 2014. $ROP$ is Still Dangerous: Breaking Modern Defenses. In 23rd $USENIX$ Security Symposium ($USENIX$ Security 14). 385–399.Google Scholar
- Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. 2010. Return-Oriented Programming without Returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS ’10). Association for Computing Machinery, New York, NY, USA. 559–572. isbn:9781450302456 https://doi.org/10.1145/1866307.1866370 Google Scholar
Digital Library
- Ping Chen, Hai Xiao, Xiaobin Shen, Xinchun Yin, Bing Mao, and Li Xie. 2009. DROP: Detecting return-oriented programming malicious code. In International Conference on Information Systems Security. 163–177.Google Scholar
Digital Library
- Mauro Conti, Stephen Crane, Lucas Davi, Michael Franz, Per Larsen, Marco Negro, Christopher Liebchen, Mohaned Qunaibit, and Ahmad-Reza Sadeghi. 2015. Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15). Association for Computing Machinery, New York, NY, USA. 952–963. isbn:9781450338325 https://doi.org/10.1145/2810103.2813671 Google Scholar
Digital Library
- Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA. 401–416. isbn:978-1-931971-15-7 https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/daviGoogle Scholar
Digital Library
- Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. 2009. Dynamic Integrity Measurement and Attestation: Towards Defense against Return-Oriented Programming Attacks. In Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing (STC ’09). Association for Computing Machinery, New York, NY, USA. 49–54. isbn:9781605587882 https://doi.org/10.1145/1655108.1655117 Google Scholar
Digital Library
- Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. 2011. ROPdefender: A Detection Tool to Defend against Return-Oriented Programming Attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’11). Association for Computing Machinery, New York, NY, USA. 40–51. isbn:9781450305648 https://doi.org/10.1145/1966913.1966920 Google Scholar
Digital Library
- Chaoqiang Deng and Kedar S. Namjoshi. 2017. Securing the SSA Transform. In Static Analysis, Francesco Ranzato (Ed.). Springer International Publishing, Cham. 88–105. isbn:978-3-319-66706-5Google Scholar
- Chaoqiang Deng and Kedar S Namjoshi. 2018. Securing a compiler transformation. Formal Methods in System Design, 53, 2 (2018), 166–188.Google Scholar
Digital Library
- Vijay D’Silva, Mathias Payer, and Dawn Song. 2015. The Correctness-Security Gap in Compiler Optimization. In Proceedings of the 2015 IEEE Security and Privacy Workshops (SPW ’15). IEEE Computer Society, USA. 73–87. isbn:9781479999330Google Scholar
Cross Ref
- Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15). Association for Computing Machinery, New York, NY, USA. 901–913. isbn:9781450338325 https://doi.org/10.1145/2810103.2813646 Google Scholar
Digital Library
- Andreas Follner, Alexandre Bartel, and Eric Bodden. 2016. Analyzing the gadgets. In International Symposium on Engineering Secure Software and Systems. 155–172.Google Scholar
Digital Library
- Andreas Follner, Alexandre Bartel, Hui Peng, Yu-Chen Chang, Kyriakos Ispoglou, Mathias Payer, and Eric Bodden. 2016. PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution. In Security and Trust Management, Gilles Barthe, Evangelos Markatos, and Pierangela Samarati (Eds.). Springer International Publishing, Cham. isbn:978-3-319-46598-2Google Scholar
- Brian Grant, Matthai Philipose, Markus Mock, Craig Chambers, and Susan J. Eggers. 1999. An Evaluation of Staged Run-Time Optimizations in DyC. SIGPLAN Not., 34, 5 (1999), May, 293–304. issn:0362-1340 https://doi.org/10.1145/301631.301683 Google Scholar
Digital Library
- B. Hawkins, B. Demsky, and M. B. Taylor. 2016. BlackBox: Lightweight security monitoring for COTS binaries. In 2016 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). 261–272.Google Scholar
- Hex-Rays. 2020. IDA Pro. https://www.hex-rays.com/products/ida/Google Scholar
- Andrei Homescu, Michael Stewart, Per Larsen, Stefan Brunthaler, and Michael Franz. 2012. Microgadgets: size does matter in turing-complete return-oriented programming. In Proceedings of the 6th USENIX conference on Offensive Technologies. 7–7.Google Scholar
- Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Branch Regulation: Low-Overhead Protection from Code Reuse Attacks. In Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA ’12). IEEE Computer Society, USA. 94–105. isbn:9781450316422Google Scholar
Digital Library
- Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Branch Regulation: Low-Overhead Protection from Code Reuse Attacks. SIGARCH Comput. Archit. News, 40, 3 (2012), June, 94–105. issn:0163-5964 https://doi.org/10.1145/2366231.2337171 Google Scholar
Digital Library
- Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-Directed and Runtime Optimization (CGO ’04). IEEE Computer Society, USA. 75. isbn:0769521029Google Scholar
Digital Library
- Han Lee, Daniel von Dincklage, Amer Diwan, and J. Eliot B. Moss. 2006. Understanding the Behavior of Compiler Optimizations. Softw. Pract. Exper., 36, 8 (2006), July, 835–844. issn:0038-0644Google Scholar
Digital Library
- Jinku Li, Zhi Wang, Xuxian Jiang, Michael Grace, and Sina Bahram. 2010. Defeating Return-Oriented Rootkits with “Return-Less” Kernels. In Proceedings of the 5th European Conference on Computer Systems (EuroSys ’10). Association for Computing Machinery, New York, NY, USA. 195–208. isbn:9781605585772 https://doi.org/10.1145/1755913.1755934 Google Scholar
Digital Library
- Jay P. Lim, Vinod Ganapathy, and Santosh Nagarakatte. 2017. Compiler Optimizations with Retrofitting Transformations: Is There a Semantic Mismatch? In Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security (PLAS ’17). Association for Computing Machinery, New York, NY, USA. 37–42. isbn:9781450350990 https://doi.org/10.1145/3139337.3139343 Google Scholar
Digital Library
- Scott McFarling and J Hennesey. 1986. Reducing the cost of branches. ACM SIGARCH Computer Architecture News, 14, 2 (1986), 396–403.Google Scholar
Digital Library
- Paul Muntean, Matthias Neumayer, Zhiqiang Lin, Gang Tan, Jens Grossklags, and Claudia Eckert. 2019. Analyzing control flow integrity with LLVM-CFI. In Proceedings of the 35th Annual Computer Security Applications Conference. 584–597.Google Scholar
Digital Library
- Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. 2010. G-Free: Defeating Return-Oriented Programming through Gadget-Less Binaries. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC ’10). Association for Computing Machinery, New York, NY, USA. 49–58. isbn:9781450301336 https://doi.org/10.1145/1920261.1920269 Google Scholar
Digital Library
- PaX. 2020. Address Space Layout Randomization. https://pax.grsecurity.net/docs/aslr.txtGoogle Scholar
- Chris Porter, Girish Mururu, Prithayan Barua, and Santosh Pande. 2020. BlankIt Library Debloating: Getting What You Want Instead of Cutting What You Don’t. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2020). Association for Computing Machinery, New York, NY, USA. 17 pages. isbn:9781450376136 https://doi.org/10.1145/3385412.3386017 Google Scholar
Digital Library
- Julien Proy, Karine Heydemann, Alexandre Berzati, and Albert Cohen. 2017. Compiler-Assisted Loop Hardening Against Fault Attacks. ACM Trans. Archit. Code Optim., 14, 4 (2017), Article 36, Dec., 25 pages. issn:1544-3566 https://doi.org/10.1145/3141234 Google Scholar
Digital Library
- Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating software through piece-wise compilation and loading. In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 869–886.Google Scholar
- AliAkbar Sadeghi, Salman Niksefat, and Maryam Rostamipour. 2018. Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions. Journal of Computer Virology and Hacking Techniques, 14, 2 (2018), 139–156.Google Scholar
Cross Ref
- Jonathan Salwan. 2020. ROPgadget - Gadgets finder and auto-roper. http://shell-storm.org/project/ROPgadget/Google Scholar
- Edward J Schwartz, Thanassis Avgerinos, and David Brumley. 2011. Q: Exploit Hardening Made Easy.. In USENIX Security Symposium. 25–41.Google Scholar
- Hovav Shacham. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (on the X86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07). Association for Computing Machinery, New York, NY, USA. 552–561. isbn:9781595937032 https://doi.org/10.1145/1315245.1315313 Google Scholar
Digital Library
- L. Simon, D. Chisnall, and R. Anderson. 2018. What You Get is What You C: Controlling Side Effects in Mainstream C Compilers. In 2018 IEEE European Symposium on Security and Privacy (EuroS P). 1–15.Google Scholar
- Victor van der Veen, Dennis Andriesse, Manolis Stamatogiannakis, Xi Chen, Herbert Bos, and Cristiano Giuffrdia. 2017. The dynamics of innocent flesh on the bone: Code reuse ten years later. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 1675–1689.Google Scholar
Digital Library
- David Williams-King, Hidenori Kobayashi, Kent Williams-King, Graham Patterson, Frank Spano, Yu Jian Wu, Junfeng Yang, and Vasileios P Kemerlis. 2020. Egalito: Layout-Agnostic Binary Recompilation. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 133–147.Google Scholar
Digital Library
- Zhaomo Yang, Brian Johannesmeyer, Anders Trier Olesen, Sorin Lerner, and Kirill Levchenko. 2017. Dead store elimination (still) considered harmful. In 26th $USENIX$ Security Symposium ($USENIX$ Security 17). 1025–1040.Google Scholar
- F. Yao, J. Chen, and G. Venkataramani. 2013. JOP-alarm: Detecting jump-oriented programming-based anomalies in applications. In 2013 IEEE 31st International Conference on Computer Design (ICCD). 467–470.Google Scholar
- Mingwei Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C.. 337–352. isbn:978-1-931971-03-4 https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/ZhangGoogle Scholar
- zynamics. 2020. zynamics BinDiff. https://www.zynamics.com/bindiff.htmlGoogle Scholar
Index Terms
Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets
Recommendations
Code Reuse Attacks in PHP: Automated POP Chain Generation
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityMemory corruption vulnerabilities that lead to control-flow hijacking attacks are a common problem for binary executables and such attacks are known for more than two decades. Over the last few years, especially code reuse attacks attracted a lot of ...
A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications SecurityCode reuse attacks have been the subject of a substantial amount of research during the past decade. This research largely resulted from early work on Return-Oriented Programming (ROP), which showed that the then newly proposed Non-Executable Memory (NX)...
Marlin: Mitigating Code Reuse Attacks Using Code Randomization
Code-reuse attacks, such as return-oriented programming (ROP), are a class of buffer overflow attacks that repurpose existing executable code towards malicious purposes. These attacks bypass defenses against code injection attacks by chaining together ...






Comments