Control flow integrity for COTS binaries
USENIX Security, pp.337-352, (2013)
Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in t...
- Since its introduction by Abadi et al. [1, 2], Control-Flow Integrity (CFI) has been recognized as an important low-level security property.
- Most existing CFI implementations, including those in Native Client, PittSFIeld, control-flow locking and many other works [22, 3, 42, 4, 36], are implemented within compiler tool chains.
- They rely on information that is available in assembly code or higher levels, but unavailable in COTS binaries.
- With variable-length instruction sets such as those of x86, incorrect disassembly of one instruction can cause misidentification of the start of the instructions that follow it; these errors can cascade even past the end of gaps.
- Experiment workloads used for functionality testing (one workload per tested application):
  - capture packets on LAN for 20 minutes
  - open multiple files; edit; print; save
  - open a large report; edit; convert to pdf/dvi/ps
  - open 20 pdf files; scroll; print; zoom in/out
  - play an mp3 file
  - open web pages
  - execute a complex script, compare the output
  - open file, copy/paste, search, edit
  - load jpg picture, crop, blur, sharpen, etc.
  - open web pages
  - login to a remote server
  - open a large pdf file
- We developed a notion of control-flow integrity that can be effectively enforced on binaries
- We developed analysis techniques to compute possible indirect control-flow targets, and instrumentation techniques that limit indirect control-flow transfers to these targets
- We presented a robust implementation that scales to large binaries as well as complex, low-level libraries that include hand-coded assembly
- Although the lack of high-level information can degrade the precision of static analysis, our results demonstrate that the reduction is small; overall, there is only a modest reduction in the strength of protection compared to previous techniques that required source code or relocation information, or relied on compiler-based implementations.
- The authors first evaluate functionality of the system, focusing on disassembly, and compatibility with different compilers.
- The authors tested the SPEC CPU2006 programs (Figure 8).
- This benchmark comes with scripts to verify outputs, simplifying functionality testing
- The authors developed a notion of control-flow integrity that can be effectively enforced on binaries.
- The authors developed analysis techniques to compute possible ICF targets, and instrumentation techniques that limit ICF transfers to these targets.
- The resulting implementation defeats most common control-flow hijack attacks, and greatly reduces the number of possible gadgets for ROP attacks.
- The authors' technique is modular, supporting independent transformation of shared libraries.
- It provides very good performance
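The instrumentation described above confines each indirect control-flow (ICF) transfer to the set of targets computed by static analysis. The added example below is not the paper's code; it illustrates the mechanism with an address-translation table that maps original-code target addresses to their instrumented copies using open-addressing hashing, rejecting any address that was never computed as a valid target. The table size, hash function and sample addresses are assumptions for the demo; a real implementation performs this lookup inline at every ICF site rather than through a C function call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo of a CFI address-translation table (not the paper's code).
 * Each entry maps an original-code ICF target to the address of its
 * instrumented copy. Linear probing keeps a lookup to a few memory reads;
 * a miss means the target was not a statically computed valid target. */
#define TABLE_SIZE 64            /* power of two; demo-sized assumption */
#define EMPTY 0                  /* address 0 is never a valid target */

typedef struct { uint64_t orig; uint64_t instrumented; } entry_t;
static entry_t table[TABLE_SIZE];
static unsigned long violations = 0;   /* rejected transfers so far */

static size_t slot(uint64_t addr) {
    /* simple multiplicative hash into [0, TABLE_SIZE) */
    return (size_t)(((addr >> 2) * 0x9E3779B97F4A7C15ULL) >> (64 - 6));
}

/* Record orig as a valid ICF target; returns -1 if the table is full. */
int cfi_add_target(uint64_t orig, uint64_t instrumented) {
    size_t i = slot(orig);
    for (size_t n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        if (table[i].orig == EMPTY || table[i].orig == orig) {
            table[i].orig = orig;
            table[i].instrumented = instrumented;
            return 0;
        }
    }
    return -1;
}

/* Translate an ICF target. Returns the instrumented address, or 0 and
 * counts a violation when orig is not a computed target (e.g. an address
 * in the middle of an original instruction). */
uint64_t cfi_translate(uint64_t orig) {
    size_t i = slot(orig);
    for (size_t n = 0; n < TABLE_SIZE && table[i].orig != EMPTY;
         n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        if (table[i].orig == orig) return table[i].instrumented;
    }
    violations++;
    return 0;
}

unsigned long cfi_violations(void) { return violations; }

int main(void) {
    cfi_add_target(0x401000, 0x801000);   /* constructed: function entry */
    cfi_add_target(0x401a2f, 0x801b40);   /* constructed: return address */
    printf("0x401000 -> 0x%llx\n", (unsigned long long)cfi_translate(0x401000));
    printf("0x401a31 -> 0x%llx, violations=%lu\n",
           (unsigned long long)cfi_translate(0x401a31), cfi_violations());
    return 0;
}
```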
- 8.1 ROP Attacks and Defenses
Return-Oriented Programming (ROP) is a powerful code-reuse attack. It has become a very popular means to carry out successful attacks in spite of DEP. Although ROP was originally thought to be applicable primarily to CISC processors such as the x86, subsequent work has demonstrated its effectiveness on RISC architectures as well. ROP attacks can target user programs as well as the kernel. The introduction of JOP [10, 7] eliminates the need to use return instructions to effect ICF transfers, thereby defeating defenses that rely on the use of (repeated) returns [11, 14, 32].
Some ROP defenses [31, 23] modify the code generation process to ensure that there are no useful gadgets in a generated binary. As they work at the level of code generation, they require source code. Rather than eliminating gadgets, some recent works [18, 43, 33] rely on fine-grained randomization that makes it difficult to find the location of useful gadgets. Instruction Location Randomization (ILR) randomizes instruction locations, thereby making ROP hard. A benefit of their approach is that they can randomize return addresses, which significantly reduces the number of valid ICF targets, as return addresses constitute a majority of them. But this randomization can cause problems in large and complex binaries where a return instruction may be used for purposes other than returning from a call, e.g., PIC code data access, or to implement context-switching-like functionality.
- This work was supported in part by AFOSR grant FA9550-09-10539, NSF grant CNS-0831298, and ONR grant N000140710928.
- [1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
- [2] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1), Nov. 2009.
- [3] P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In the 29th IEEE Symposium on Security and Privacy (Oakland), 2008.
- [4] J. Ansel, P. Marchenko, U. Erlingsson, E. Taylor, B. Chen, D. L. Schuff, D. Sehr, C. L. Biffle, and B. Yee. Language-independent sandboxing of just-in-time compilation and self-modifying code. In the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2011.
- [5] S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In the 12th USENIX Security Symposium, 2003.
- [6] T. Bletsch, X. Jiang, and V. Freeh. Mitigating code-reuse attacks with control-flow locking. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
- [7] T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
- [8] D. L. Bruening. Efficient, transparent, and comprehensive runtime code manipulation. PhD thesis, MIT, 2004.
- [9] E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In the 15th ACM Conference on Computer and Communications Security (CCS), 2008.
- [10] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In the 17th ACM Conference on Computer and Communications Security (CCS), 2010.
- [11] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In the 5th International Conference on Information Systems Security (ICISS), 2009.
- [12] C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In the 7th USENIX Security Symposium, 1998.
- [13] L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In the 19th Network and Distributed System Security Symposium (NDSS), 2012.
- [14] L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: a detection tool to defend against return-oriented programming attacks. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
- [15] U. Erlingsson, S. Valley, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: software guards for system address spaces. In the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2006.
- [16] C. Evans. Exploiting 64-bit Linux like a boss. http://scarybeastsecurity.blogspot.com/2013/02/exploiting64-bit-linux-like-boss.html.
- [17] M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In the 10th USENIX Security Symposium, 2001.
- [18] J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
- [19] R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In the 18th USENIX Security Symposium, 2009.
- [20] M. Kayaalp, M. Ozsoy, N. Abu-Ghazaleh, and D. Ponomarev. Branch regulation: low-overhead protection from code reuse attacks. In the 39th Annual International Symposium on Computer Architecture (ISCA), 2012.
- [21] V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In the 11th USENIX Security Symposium, 2002.
- [22] J. Li, Z. Wang, T. Bletsch, D. Srinivasan, M. Grace, and X. Jiang. Comprehensive and efficient protection of kernel control data. IEEE Transactions on Information Forensics and Security, 6(4), Dec. 2011.
- [23] J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with "return-less" kernels. In the 5th European Conference on Computer Systems (EuroSys), 2010.
- [24] The PaX Team. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt, 2001.
- [25] Tool Interface Standard. Executable and linking format (ELF) specification. http://www.uclibc.org/docs/elf.pdf, 1995.
- [26] UNIX International Programming Languages SIG. DWARF debugging information format, version 2.0. http://www.dwarfstd.org/doc/dwarf-2.0.0.pdf, 1993.
- [27] S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In the 15th USENIX Security Symposium, 2006.
- [28] Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Magazine, 2001.
- [29] J. Oakley and S. Bratus. Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code. Technical report, Computer Science Department, Dartmouth College, 2011.
- [30] J. Oakley and S. Bratus. Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code. In the 5th USENIX Workshop on Offensive Technologies (WOOT), 2011.
- [31] K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In the 26th Annual Computer Security Applications Conference (ACSAC), 2010.
- [32] V. Pappas. kBouncer: Efficient and transparent ROP mitigation. Technical report, Columbia University, 2012.
- [33] V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
- [34] A. Prakash, H. Yin, and Z. Liang. Enforcing system-wide control flow integrity for exploit detection and diagnosis. In the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS), 2013.
- [35] J. Salwan. ROPgadget. http://shell-storm.org/project/ROPgadget.
- [36] D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting software fault isolation to contemporary CPU architectures. In the 19th USENIX Security Symposium, 2010.
- [37] F. J. Serna. CVE-2012-0769, the case of the perfect info leak, 2012.
- [38] H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
- [39] K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In the 34th IEEE Symposium on Security and Privacy (Oakland), 2013.
- [40] R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In the 2nd European Workshop on System Security (EUROSEC), 2009.
- [41] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In the 14th International Symposium on Recent Advances in Intrusion Detection (RAID), 2011.
- [42] Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In the 31st IEEE Symposium on Security and Privacy (Oakland), 2010.
- [43] R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In the 19th ACM Conference on Computer and Communications Security (CCS), 2012.
- [44] Wikipedia. Open addressing hashing. http://en.wikipedia.org/wiki/Open_addressing, 2012.
- [45] J. Wilander, N. Nikiforakis, Y. Younan, M. Kamkar, and W. Joosen. RIPE: runtime intrusion prevention evaluator. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
- [46] B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In the 30th IEEE Symposium on Security and Privacy (Oakland), 2009.
- [47] B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In the 18th ACM Conference on Computer and Communications Security (CCS), 2011.
- [48] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In the 34th IEEE Symposium on Security and Privacy (Oakland), 2013.
- [49] D. D. Zovi. Practical return-oriented programming. Technical report, SOURCE, 2010.