Control flow integrity for COTS binaries

USENIX Security, pp.337-352, (2013)

Abstract

Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in t...

Introduction
  • Since its introduction by Abadi et al. [1, 2], Control-Flow Integrity (CFI) has been recognized as an important low-level security property.
  • Most existing CFI implementations, including those in Native Client [46], PittSFIeld [27], control-flow locking [6] and many other works [22, 3, 42, 4, 36], are implemented within compiler toolchains.
  • They rely on information that is available in assembly code or at higher levels, but unavailable in COTS binaries.
  • With variable-length instruction sets such as that of the x86, incorrect disassembly of one instruction can cause misidentification of the start of the next instruction; such errors can cascade, even past the end of gaps in the disassembly.
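The last bullet, as an added example that is not code from the paper: a deliberately small linear-sweep decoder for a handful of 32-bit x86 opcodes, run over two byte sequences constructed for this example. Sample A shows the same bytes producing different instruction boundaries from different start offsets; sample B places one data byte (a gap) between two pieces of code and shows a sweep that ignores the gap swallowing the instructions that follow it. The opcode subset, the function names and the samples are assumptions of this example, not the paper's disassembler.

```c
/* Added example, not code from the paper: a tiny linear-sweep decoder for a
 * subset of 32-bit x86, enough to show how one wrong instruction boundary
 * propagates. Opcode coverage and the byte sequences are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes that follow a ModRM byte (SIB and displacement), 32-bit addressing. */
static size_t modrm_extra(const uint8_t *m, size_t avail) {
    unsigned mod = m[0] >> 6, rm = m[0] & 7;
    size_t extra = 0;
    if (mod == 3) return 0;                                   /* register operand */
    if (rm == 4) {                                            /* SIB byte follows */
        extra += 1;
        if (mod == 0 && avail >= 2 && (m[1] & 7) == 5) extra += 4;  /* no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        extra += 4;                                           /* [disp32] */
    }
    if (mod == 1) extra += 1;                                 /* disp8 */
    else if (mod == 2) extra += 4;                            /* disp32 */
    return extra;
}

/* Length of the instruction at p, or 0 if the opcode is outside the subset. */
size_t insn_len(const uint8_t *p, size_t avail) {
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op == 0x90 || op == 0xc3) return 1;                   /* nop, ret */
    if (op >= 0x50 && op <= 0x5f) return 1;                   /* push/pop r32 */
    if (op == 0xeb) return 2;                                 /* jmp rel8 */
    if (op == 0xe8 || op == 0xe9) return 5;                   /* call/jmp rel32 */
    if (op >= 0xb8 && op <= 0xbf) return 5;                   /* mov r32, imm32 */
    if (op == 0x00 || op == 0x01 || op == 0x31 || op == 0x89 || op == 0x8b) {
        if (avail < 2) return 0;                              /* add/xor/mov with ModRM */
        return 2 + modrm_extra(p + 1, avail - 1);
    }
    return 0;
}

/* Linear sweep from 'start': records instruction start offsets in out[].
 * Stops at an unknown opcode, a truncated instruction, or end of buffer. */
size_t linear_sweep(const uint8_t *buf, size_t n, size_t start, size_t *out, size_t max_out) {
    size_t count = 0, off = start;
    while (off < n && count < max_out) {
        size_t len = insn_len(buf + off, n - off);
        if (len == 0 || off + len > n) break;
        out[count++] = off;
        off += len;
    }
    return count;
}

size_t sweep_count(const uint8_t *buf, size_t n, size_t start) {
    size_t s[32];
    return linear_sweep(buf, n, start, s, 32);
}

/* Offset of the i-th instruction the sweep finds, or (size_t)-1 if none. */
size_t sweep_nth(const uint8_t *buf, size_t n, size_t start, size_t i) {
    size_t s[32];
    size_t c = linear_sweep(buf, n, start, s, 32);
    return i < c ? s[i] : (size_t)-1;
}

/* Constructed sample A: mov eax,1 ; ret.  Starting one byte late, the same
 * bytes decode as add [eax],eax ; add [eax],al ; ret. */
const uint8_t SAMPLE_A[] = { 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 };

/* Constructed sample B: nop ; <data byte 0xb8> ; add ebx,eax ; ret ; nop ; nop.
 * A sweep unaware of the gap at offset 1 reads 0xb8 as "mov eax, imm32" and
 * swallows the add and the ret that follow the gap. */
const uint8_t SAMPLE_B[] = { 0x90, 0xb8, 0x01, 0xc3, 0xc3, 0x90, 0x90 };

static void show(const char *label, const uint8_t *buf, size_t n, size_t start) {
    size_t s[32], c = linear_sweep(buf, n, start, s, 32);
    printf("%s (start %zu):", label, start);
    for (size_t i = 0; i < c; i++) printf(" %zu", s[i]);
    printf("\n");
}

int main(void) {
    show("sample A", SAMPLE_A, sizeof SAMPLE_A, 0);   /* 0 5 */
    show("sample A", SAMPLE_A, sizeof SAMPLE_A, 1);   /* 1 3 5 */
    show("sample B", SAMPLE_B, sizeof SAMPLE_B, 0);   /* 0 1 6: the add at 2 and ret at 4 are never seen */
    show("sample B", SAMPLE_B, sizeof SAMPLE_B, 2);   /* 2 4 5 6: the real code after the gap */
    return 0;
}
```

In sample A the two sweeps happen to resynchronize at the ret; in sample B the instruction decoded from the data byte extends four bytes into the code after the gap, so the mis-decoding survives past the gap's end, which is the cascading effect the bullet refers to.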
Highlights
  • We developed a notion of control-flow integrity that can be effectively enforced on binaries
  • We developed analysis techniques to compute possible indirect control-flow targets, and instrumentation techniques that limit indirect control-flow transfers to these targets
  • We presented a robust implementation that scales to large binaries as well as complex, low-level libraries that include hand-coded assembly
  • Although the lack of high-level information can degrade the precision of static analysis, our results demonstrate that the reduction is small; overall, there is only a modest reduction in the strength of protection compared to previous techniques that required source code or relocation information, or relied on compiler-based implementations.
Results
  • The authors first evaluate functionality of the system, focusing on disassembly, and compatibility with different compilers.
  • Workloads used in the functionality tests: capture packets on a LAN for 20 minutes; open multiple files, edit, print, save; open a large report, edit, convert to pdf/dvi/ps; open 20 pdf files, scroll, print, zoom in/out; play an mp3 file; open web pages; execute a complex script and compare the output; open a file, copy/paste, search, edit; load a jpg picture, crop, blur, sharpen, etc.; open web pages; log in to a remote server; open a large pdf file.
  • The authors tested the SPEC CPU2006 programs (Figure 8).
  • This benchmark comes with scripts to verify outputs, simplifying functionality testing
Conclusion
  • The authors developed a notion of control-flow integrity that can be effectively enforced on binaries.
  • The authors developed analysis techniques to compute possible ICF targets, and instrumentation techniques that limit ICF transfers to these targets.
  • The resulting implementation defeats most common control-flow hijack attacks, and greatly reduces the number of possible gadgets for ROP attacks.
  • The authors' technique is modular, supporting independent transformation of shared libraries.
  • It provides very good performance
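The two bullets on computing possible ICF targets and limiting transfers to them (in this Conclusion and in the Highlights above) state the policy the instrumentation enforces. The C program below is an added example, not code from the paper: it models that check at source level, with a precomputed target set standing in for what the paper's static analysis derives and an open-addressing hash table (the lookup structure cited in the reference list) standing in for its target table. The paper instruments every indirect control-flow transfer inside the binary; this model guards a single indirect call site. All names (cfi_*, handler_*, TABLE_SIZE) and the sample target set are this example's own.

```c
/* Added example, not the paper's code: a source-level model of the check that
 * CFI instrumentation places before an indirect control-flow (ICF) transfer.
 * The target set and the function names are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 64u   /* power of two, so the slot index is hash & (TABLE_SIZE - 1) */

typedef void (*handler_fn)(void);

/* Open-addressing table of admitted ICF targets; 0 marks an empty slot
 * (address 0 is never a code address). */
static uintptr_t g_targets[TABLE_SIZE];
static unsigned  g_count;

static unsigned hash_addr(uintptr_t a) {
    uint64_t h = (uint64_t)a;                  /* mix the bits: code addresses share high bits */
    h ^= h >> 33; h *= 0xff51afd7ed558ccdull; h ^= h >> 33;
    return (unsigned)(h & (TABLE_SIZE - 1));
}

/* Admit a target (linear probing). Returns 0 on success, -1 if the table is full. */
int cfi_add_target(uintptr_t addr) {
    if (addr == 0 || g_count >= TABLE_SIZE - 1) return -1;   /* keep one empty slot so probing terminates */
    for (unsigned i = hash_addr(addr), n = 0; n < TABLE_SIZE; i = (i + 1) & (TABLE_SIZE - 1), n++) {
        if (g_targets[i] == addr) return 0;                    /* already present */
        if (g_targets[i] == 0) { g_targets[i] = addr; g_count++; return 0; }
    }
    return -1;
}

/* The runtime check: 1 if addr is an admitted ICF target, 0 otherwise. */
int cfi_check_target(uintptr_t addr) {
    if (addr == 0) return 0;
    for (unsigned i = hash_addr(addr), n = 0; n < TABLE_SIZE; i = (i + 1) & (TABLE_SIZE - 1), n++) {
        if (g_targets[i] == addr) return 1;
        if (g_targets[i] == 0) return 0;                       /* empty slot ends the probe sequence */
    }
    return 0;
}

/* Guarded indirect call: transfers only to a target the analysis admitted.
 * Returns 0 if the call was made, -1 if it was blocked as a CFI violation. */
int cfi_dispatch(handler_fn f) {
    if (!cfi_check_target((uintptr_t)f)) return -1;
    f();
    return 0;
}

static int g_a_calls, g_b_calls, g_unregistered_calls;
void handler_a(void)    { g_a_calls++; }
void handler_b(void)    { g_b_calls++; }
void unregistered(void) { g_unregistered_calls++; }   /* exists in the binary, but is not an admitted target */

int handler_a_calls(void)    { return g_a_calls; }
int unregistered_calls(void) { return g_unregistered_calls; }

/* Populate the target set (stands in for the static analysis); returns its size. */
int cfi_init(void) {
    memset(g_targets, 0, sizeof g_targets);
    g_count = 0;
    g_a_calls = g_b_calls = g_unregistered_calls = 0;
    cfi_add_target((uintptr_t)handler_a);
    cfi_add_target((uintptr_t)handler_b);
    return (int)g_count;
}

int main(void) {
    cfi_init();
    handler_fn corrupted = unregistered;     /* models a function pointer overwritten by an attacker */
    printf("legit call : %s\n", cfi_dispatch(handler_a) == 0 ? "allowed" : "blocked");
    printf("hijacked   : %s\n", cfi_dispatch(corrupted) == 0 ? "allowed" : "blocked");
    /* a mid-function address (a would-be gadget) is rejected as well */
    printf("gadget addr: %s\n", cfi_check_target((uintptr_t)handler_a + 1) ? "allowed" : "blocked");
    return 0;
}
```

The point the model makes is the one in the bullets: the set of admitted targets is fixed before execution, so an overwritten pointer can only redirect control to another admitted entry point, and addresses inside functions, which is where ROP gadgets live, are never admitted.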
Related work
  • 8.1 ROP Attacks and Defenses

    Return-Oriented Programming (ROP) [38] is a powerful code-reuse attack. It has become a very popular means of carrying out successful attacks in spite of DEP. Although ROP was originally thought to apply primarily to CISC processors such as the x86, subsequent work has demonstrated its effectiveness on RISC architectures as well [9]. ROP attacks can target user programs as well as the kernel [19]. The introduction of JOP [10, 7] eliminates the need to use return instructions to effect ICF transfers, thereby defeating defenses that rely on detecting the use of (repeated) returns [11, 14, 32].

    Some ROP defenses [31, 23] modify the code-generation process to ensure that there are no useful gadgets in the generated binary. Because they work at the level of code generation, they require source code. Rather than eliminating gadgets, some recent works [18, 43, 33] rely on fine-grained randomization that makes it difficult to find the location of useful gadgets. Instruction Location Randomization (ILR) [18] randomizes instruction locations, thereby making ROP hard. A benefit of ILR's approach is that it can randomize return addresses, which significantly reduces the number of valid ICF targets, as return addresses constitute the majority of them. But this randomization can cause problems in large and complex binaries, where a return instruction may be used for purposes other than returning from a call, e.g., for PIC code data access, or to implement context-switching-like functionality.
Funding
  • This work was supported in part by AFOSR grant FA9550-09-10539, NSF grant CNS-0831298, and ONR grant N000140710928.
Reference
  • [1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
  • [2] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), (1), Nov. 2009.
  • [3] P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In the 29th IEEE Symposium on Security and Privacy (Oakland), 2008.
  • [4] J. Ansel, P. Marchenko, U. Erlingsson, E. Taylor, B. Chen, D. L. Schuff, D. Sehr, C. L. Biffle, and B. Yee. Language-independent sandboxing of just-in-time compilation and self-modifying code. In the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2011.
  • [5] S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In the 12th USENIX Security Symposium, 2003.
  • [6] T. Bletsch, X. Jiang, and V. Freeh. Mitigating code-reuse attacks with control-flow locking. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
  • [7] T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
  • [8] D. L. Bruening. Efficient, transparent, and comprehensive runtime code manipulation. PhD thesis, MIT, 2004.
  • [9] E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In the 15th ACM Conference on Computer and Communications Security (CCS), 2008.
  • [10] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In the 17th ACM Conference on Computer and Communications Security (CCS), 2010.
  • [11] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In the 5th International Conference on Information Systems Security (ICISS), 2009.
  • [12] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In the 7th USENIX Security Symposium, 1998.
  • [13] L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In the 19th Network and Distributed System Security Symposium (NDSS), 2012.
  • [14] L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: a detection tool to defend against return-oriented programming attacks. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
  • [15] U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: software guards for system address spaces. In the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2006.
  • [16] C. Evans. Exploiting 64-bit Linux like a boss. http://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html.
  • [17] M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In the 10th USENIX Security Symposium, 2001.
  • [18] J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
  • [19] R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In the 18th USENIX Security Symposium, 2009.
  • [20] M. Kayaalp, M. Ozsoy, N. Abu-Ghazaleh, and D. Ponomarev. Branch regulation: low-overhead protection from code reuse attacks. In the 39th Annual International Symposium on Computer Architecture (ISCA), 2012.
  • [21] V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In the 11th USENIX Security Symposium, 2002.
  • [22] J. Li, Z. Wang, T. Bletsch, D. Srinivasan, M. Grace, and X. Jiang. Comprehensive and efficient protection of kernel control data. IEEE Transactions on Information Forensics and Security, (4), Dec. 2011.
  • [23] J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with "return-less" kernels. In the 5th European Conference on Computer Systems (EuroSys), 2010.
  • [24] The PaX Team. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt, 2001.
  • [25] Tool Interface Standard. Executable and linking format (ELF) specification. http://www.uclibc.org/docs/elf.pdf, 1995.
  • [26] UNIX International Programming Languages SIG. DWARF debugging information format, version 2.0. http://www.dwarfstd.org/doc/dwarf-2.0.0.pdf, 1993.
  • [27] S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In the 15th USENIX Security Symposium, 2006.
  • [28] Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Magazine, 2001.
  • [29] J. Oakley and S. Bratus. Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code. Technical report, Computer Science Department, Dartmouth College, 2011.
  • [30] J. Oakley and S. Bratus. Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code. In the 5th USENIX Workshop on Offensive Technologies (WOOT), 2011.
  • [31] K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In the 26th Annual Computer Security Applications Conference (ACSAC), 2010.
  • [32] V. Pappas. kBouncer: Efficient and transparent ROP mitigation. Technical report, Columbia University, 2012.
  • [33] V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
  • [34] A. Prakash, H. Yin, and Z. Liang. Enforcing system-wide control flow integrity for exploit detection and diagnosis. In the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS), 2013.
  • [35] J. Salwan. ROPgadget. http://shell-storm.org/project/ROPgadget.
  • [36] D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting software fault isolation to contemporary CPU architectures. In the 19th USENIX Security Symposium, 2010.
  • [37] F. J. Serna. CVE-2012-0769, the case of the perfect info leak, 2012.
  • [38] H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
  • [39] K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In the 34th IEEE Symposium on Security and Privacy, 2013.
  • [40] R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In the 2nd European Workshop on System Security (EUROSEC), 2009.
  • [41] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In the 14th International Conference on Recent Advances in Intrusion Detection (RAID), 2011.
  • [42] Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In the 31st IEEE Symposium on Security and Privacy (Oakland), 2010.
  • [43] R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In the 19th ACM Conference on Computer and Communications Security (CCS), 2012.
  • [44] Wikipedia. Open addressing hashing. http://en.wikipedia.org/wiki/Open_addressing, 2012.
  • [45] J. Wilander, N. Nikiforakis, Y. Younan, M. Kamkar, and W. Joosen. RIPE: runtime intrusion prevention evaluator. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
  • [46] B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In the 30th IEEE Symposium on Security and Privacy (Oakland), 2009.
  • [47] B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In the 18th ACM Conference on Computer and Communications Security (CCS), 2011.
  • [48] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In the 34th IEEE Symposium on Security and Privacy, 2013.
  • [49] D. Dai Zovi. Practical return-oriented programming. Technical report, SOURCE, 2010.