Abstract
Code-reuse attacks are a concrete threat to computing systems because they evade conventional security defenses. Control flow integrity (CFI) has been proposed to repel this threat. However, earlier implementations of CFI suffer from two major drawbacks: complex offline processing of programs and high overhead at runtime. Consequently, performance-constrained devices cannot practically adopt the technique, leaving them vulnerable to exploitation.
In this article, we develop a cross-layer approach named basic-block-boundary-based control flow integrity (BBB-CFI) that minimizes the overhead of both offline analysis and runtime checking. Our approach uses basic block information found in the binary code and its read-only data to enforce CFI. We identify a key binary-level property called the basic block boundary, and based on it we propose a code-inspired method in which short code sequences can endorse a control flow transition. Our solution enables quick application launching because it does not require control flow graph construction at the offline stage; it demands only a lightweight analysis of the read-only data and a small amount of the application's code. According to our experiments, the approach incurs a negligible 0.11% runtime performance overhead with a minor processor extension, while achieving an order of magnitude speedup in preprocessing compared to a baseline approach. Without control flow analysis or recompilation, BBB-CFI still effectively reduces the attack surface, measured in gadget numbers, by 90%. We also show that the Turing-completeness of gadgets in libc is unsustainable under this policy. Our approach demonstrates high applicability to many programs, and it is capable of protecting stripped binaries.
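As an added illustration of the basic-block-boundary idea the abstract describes (this is not the paper's implementation or its processor extension), the following Python derives the set of legitimate block-entry addresses from a constructed toy disassembly plus a hypothetical jump table in read-only data, without building a control flow graph, then applies the boundary check to indirect-transfer targets and counts the mid-block gadget entries the policy excludes. The listing, the one-byte instruction widths and the jump-table contents are all assumptions made for the example.

```python
from typing import List, Set, Tuple

Insn = Tuple[int, str, str]  # (address, mnemonic, operand)
CONTROL_TRANSFERS = {"jmp", "je", "jne", "call", "ret"}

# Constructed toy listing; every instruction is 1 byte wide for simplicity.
CODE: List[Insn] = [
    (0x100, "push", "rbp"),
    (0x101, "mov", "rax, [rdi]"),
    (0x102, "pop", "rdi"),       # mid-block "pop rdi; ret": a classic gadget
    (0x103, "ret", ""),
    (0x104, "cmp", "rax, 0"),
    (0x105, "je", "0x108"),      # direct branch target 0x108 starts a block
    (0x106, "call", "0x120"),    # target lies outside this toy code section
    (0x107, "jmp", "0x104"),
    (0x108, "xor", "eax, eax"),
    (0x109, "ret", ""),
]
CODE_START, CODE_END = 0x100, 0x10A

# Constructed read-only data: a hypothetical jump table of code pointers.
RODATA_JUMP_TABLE = [0x104, 0x108]


def basic_block_boundaries(code: List[Insn], rodata_ptrs: List[int]) -> Set[int]:
    """Addresses at which a basic block may legitimately begin."""
    bounds = {code[0][0]}  # the first instruction of the section
    for i, (_addr, mnem, operand) in enumerate(code):
        if mnem not in CONTROL_TRANSFERS:
            continue
        if i + 1 < len(code):           # a block begins after a control transfer
            bounds.add(code[i + 1][0])
        if operand.startswith("0x"):    # and at every in-section direct target
            target = int(operand, 16)
            if CODE_START <= target < CODE_END:
                bounds.add(target)
    # Code pointers held in read-only data (jump tables) are block entries too.
    bounds.update(p for p in rodata_ptrs if CODE_START <= p < CODE_END)
    return bounds


def check_transfer(target: int, bounds: Set[int]) -> bool:
    """Runtime policy: an indirect transfer may land only on a boundary."""
    return target in bounds


def gadget_starts(code: List[Insn], bounds: Set[int]) -> List[int]:
    """Mid-block addresses that could begin a ret-terminated gadget."""
    rets = [a for a, m, _ in code if m == "ret"]
    return [a for a, _, _ in code if a not in bounds and any(a <= r for r in rets)]
```

In the toy listing, five of the ten instruction addresses are mid-block and are therefore rejected as indirect-transfer targets, which is the sense in which the policy shrinks the gadget surface without a full control flow analysis.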
BBB-CFI: Lightweight CFI Approach Against Code-Reuse Attacks Using Basic Block Information