research-article

BBB-CFI: Lightweight CFI Approach Against Code-Reuse Attacks Using Basic Block Information

Published: 06 February 2020

Abstract

Code-reuse attacks are a concrete threat to computing systems because they evade conventional security defenses. Control flow integrity (CFI) has been proposed to repel this threat. However, previous CFI implementations suffer from two major drawbacks: complex offline processing of programs and high runtime overhead. Adopting the technology is therefore impractical for performance-constrained devices, leaving them vulnerable to exploitation.

In this article, we develop a cross-layer approach named basic-block-boundary-based control flow integrity (BBB-CFI) that minimizes the overhead of both offline analysis and runtime checking. Our approach uses basic block information in the binary code and read-only data to enforce CFI. We identify a key binary-level property, the basic block boundary, and based on it we propose a code-inspired method in which short code sequences can endorse a control flow transition. Our solution enables fast application launch because it does not require control flow graph construction at the offline stage; it only needs a lightweight analysis of the read-only data and a small amount of the application's code. According to our experiments, the approach incurs a negligible 0.11% runtime performance overhead with a minor processor extension, while achieving an order-of-magnitude speedup in preprocessing compared to a baseline approach. Without control flow analysis or recompilation, BBB-CFI still reduces the attack surface by 90% in terms of gadget count. We also show that Turing-completeness in libc is unsustainable. Our approach demonstrates high applicability to many programs and is capable of protecting stripped binaries.
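As an added illustration (not the paper's code, and not its actual policy details), the following toy Python model shows what a basic-block-boundary rule means at the binary level: an indirect transfer may land only where a basic block starts, which excludes mid-block addresses such as a bare `ret`. The instruction listing, its addresses and the boundary rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    mnem: str
    target: Optional[int] = None  # direct branch/call target, if any

# Instructions that end a basic block (assumed toy mnemonic set).
CFLOW = {"jmp", "jcc", "call", "ret"}

# Constructed listing: one caller with a loop, plus a tiny callee.
CODE = [
    Insn(0x1000, 1, "push"),
    Insn(0x1001, 3, "mov"),
    Insn(0x1004, 2, "test"),
    Insn(0x1006, 2, "jcc", target=0x1010),
    Insn(0x1008, 3, "add"),
    Insn(0x100B, 5, "call", target=0x1020),
    Insn(0x1010, 2, "jmp", target=0x1004),
    Insn(0x1012, 1, "pop"),
    Insn(0x1013, 1, "ret"),
    Insn(0x1020, 3, "mov"),
    Insn(0x1023, 1, "ret"),
]

def block_boundaries(code, entry):
    """Addresses where a basic block starts: the entry point, every direct
    branch/call target, and the instruction following each control-flow
    instruction (the fall-through path)."""
    starts = {entry}
    for i, insn in enumerate(code):
        if insn.target is not None:
            starts.add(insn.target)
        if insn.mnem in CFLOW and i + 1 < len(code):
            starts.add(code[i + 1].addr)
    return starts

def is_valid_target(addr, boundaries):
    """Runtime rule: an indirect jmp/call/ret may only land on a boundary.
    A `ret` that is not the first instruction of its block is rejected."""
    return addr in boundaries

def surviving_fraction(code, boundaries):
    """Share of instruction addresses still reachable by an indirect
    transfer once the boundary rule is enforced (lower is better)."""
    valid = [insn.addr for insn in code if insn.addr in boundaries]
    return len(valid) / len(code)
```

In this constructed listing only 6 of 11 instruction addresses remain legal indirect targets; on real x86 code, where unaligned entry points also exist, the rule removes a far larger share of gadget entries.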

