Enforcing forward-edge control-flow integrity in GCC & LLVM
USENIX Security 2014, pp. 941–955.
Constraining dynamic control transfers is a common technique for mitigating software vulnerabilities. This defense has been widely and successfully used to protect return addresses and stack data; hence, current attacks instead typically corrupt vtable and function pointers to subvert a forward edge (an indirect jump or call) in the contr...
- The computer security research community has developed several widely-adopted techniques that successfully protect return addresses and other critical stack data [13, 20].
- Taking advantage of heap-based memory corruption bugs can allow an attacker to overwrite a function-pointer value, so that arbitrary machine code gets executed when that value is used in an indirect function call.
- Such exploits are referred to as forward-edge attacks, as they change forward edges in the program’s control-flow graph (CFG).
- We present the first Control-Flow Integrity implementations that are fully integrated into production compilers without restrictions or simplifying assumptions
- The Vtable Verification tests were all run on an HP Z620 Xeon E5-2690 2.9GHz machine, running Ubuntu Linux 12.04.2, and the Indirect Function-Call Checks and FSan tests were run on an HP Z620 Xeon E5550 2.67GHz machine, running the same OS
- This paper advances the techniques of Control-Flow Integrity, moving them from research prototypes to being firmly in the domain of the practical
- We have described two different principled, compiler-based Control-Flow Integrity solutions for enforcing control-flow integrity for indirect jumps: vtable verification for virtual calls (VTV) guarantees that the vtable being used for a virtual call is a valid vtable for the program and is semantically correct for the call site; and indirect function-call checking (IFCC) guarantees that the target of an indirect call is one of the address-taken functions in the program
- Our mechanisms have a corresponding overhead of less than 2%, as we report in Section 7.2
- We present FSan, an optional indirect call checking tool which verifies at runtime that the target of an indirect call has the correct function signature, based on the call site
- The authors measured the performance of the approaches both on the C++ tests from the SPEC CPU2006 benchmark suite and on the Chromium browser running Dromaeo, SunSpider, and Octane.
- The Chromium web browser is a large, complex, real-world application, comprising over 15 million lines of C++ code in over 50,000 source files, and containing hundreds of thousands of virtual calls
- It links in many third-party libraries and makes extensive use of dynamic library loading.
- It is representative of the type of target attackers are interested in
- For all these reasons, Chromium makes an excellent test for measuring the effects of the CFI approaches on real-world systems.
- Both VTV and IFCC were able to successfully build fully-functional, protected versions of Chromium
- The authors have described two different principled, compiler-based CFI solutions for enforcing control-flow integrity for indirect jumps: vtable verification for virtual calls (VTV) guarantees that the vtable being used for a virtual call is a valid vtable for the program and is semantically correct for the call site; and indirect function-call checking (IFCC) guarantees that the target of an indirect call is one of the address-taken functions in the program.
- Figure (a): Relative overhead of IFCC enforcement for SPEC CPU2006 benchmarks (including astar, dealII, namd and omnetpp) and the Dromaeo benchmark, with FSan plotted alongside
- Table 1: Function prefix data layout for the optional function type checker
- Table 2: Forward-edge indirect control transfer (fICT) instructions in Chromium. Their arguments may be placed in three classes: (a) a type of constant, (b) an indirect address protected by CFI, and (c) an unprotected address. Constant-argument instructions include indirect jumps in the PLT which target a read-only GOT section and indirect jump instructions implementing switch statements, as well as indirect call instructions with constant targets. † The targets for these indirect control transfer instructions are either spilled to the stack explicitly or are in callee-saved registers which are potentially spilled by intervening function calls
- Table 3: Untuned SPEC run-time numbers, at -O2. The asterisks indicate changes that are too small to be of any significance. These numbers are the minimum out of three runs (standard deviation is very close to zero)
- Table 4: Verifications per second when running SPEC CPU2006 C++ benchmarks and Chrome with VTV
- Table 5: Results of lower bound experiments for VTV
- Following the original 2005 work on CFI, later revised as Abadi et al., there have been a number of implementations that have extended or built upon CFI: XFI by Erlingsson et al., BGI by Castro et al., HyperSafe by Wang and Jiang, CFI+Sandboxing by Zeng et al., MoCFI by Davi et al., CCFIR by Zhang et al., Strato by Zeng et al., bin-CFI by Zhang et al., MIP by Niu et al., and SAFEDISPATCH by Jang et al.
These CFI-based mechanisms vary widely in their goals, tradeoffs and implementation details. To achieve low overhead, many enforce only coarse-grained CFI, which may be a weak defense.
XFI, Strato, HyperSafe, and BGI use control-flow integrity primarily as a building block for higher-level functionality, such as enforcing software-based fault isolation (SFI), or fine-grained memory-access controls. Some, like XFI, focus on statically verifying untrusted binary modules, to establish that CFI will be correctly enforced during their execution, and thus that they can be used safely within different address spaces, such as the OS kernel.
Many implementations of CFI are based on binary rewriting. XFI and the original work on CFI used the sound, production-quality Windows binary rewriter, Vulcan, as well as debug information in PDB files.
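As an added illustration of the IFCC guarantee stated in the key points above (that an indirect call may only reach an address-taken function of the matching signature class), the C program below is not code from the paper or from the GCC/LLVM implementations: it models the address-taken set of one signature class as a table and rejects any call-site target outside it. The function names, the table and the corrupted-pointer scenario are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Signature class int(int): the two functions whose address the program legitimately takes. */
typedef int (*int_fn)(int);
static int twice(int x)  { return 2 * x; }
static int square(int x) { return x * x; }
/* A function of a different signature class (constructed). */
static void noop(void) {}
/* Never address-taken by legitimate code, so never a legal int(int) target. */
static int not_a_target(int x) { return -x; }

/* Constructed table standing in for the per-class set IFCC builds at compile time. */
static const int_fn kIntFnTable[] = { twice, square };
#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* IFCC-style check: is the target one of the address-taken functions of this class? */
static int in_int_table(int_fn target) {
    for (size_t i = 0; i < LEN(kIntFnTable); i++)
        if (kIntFnTable[i] == target) return 1;
    return 0;
}

/* Guarded indirect call: stores the result and returns 1 for a valid target;
 * returns 0 where a compiler-inserted check would abort the process. */
int checked_int_call(int_fn target, int arg, int *out) {
    if (!in_int_table(target)) return 0;
    *out = target(arg);
    return 1;
}

/* Result of a checked call, or -1 when the target was rejected. */
int try_call(int_fn target, int arg) {
    int r = 0;
    return checked_int_call(target, arg, &r) ? r : -1;
}

/* Walks through a legitimate call and two modelled forward-edge corruptions. */
int demo(void) {
    int_fn fp = square;                    /* legitimate, address-taken target */
    int ok = try_call(fp, 7);              /* 49 */
    fp = not_a_target;                     /* pointer overwritten by a (modelled) heap bug */
    if (try_call(fp, 7) != -1) return -2;  /* must be rejected: not in the address-taken set */
    fp = (int_fn)noop;                     /* pointer to a function of another signature class */
    if (try_call(fp, 7) != -1) return -3;  /* must be rejected: not in this class's table */
    return ok;                             /* only the valid call executed */
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```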
- Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX
- M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. ACM Trans. Info. & System Security, 13(1):4:1–4:40, Oct. 2009.
- T. Bao, J. Burket, and M. Woo. BYTEWEIGHT: Learning to recognize functions in binary code. In Proceedings of USENIX Security 2014, Aug. 2014.
- J. Caballero, G. Grieco, M. Marron, and A. Nappa. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of ISSTA 2012, July 2012.
- N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In Proceedings of USENIX Security 2014, Aug. 2014.
- M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. In Proceedings of SOSP 2009, Oct. 2009.
- S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of CCS 2010, pages 559–572. ACM Press, Oct. 2010. URL https://cs.jhu.edu/~s/papers/noret_ccs2010.html.
- C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of USENIX Security 1998, Jan. 1998.
- “d0c_s4vage”. Insecticides don’t kill bugs, Patch Tuesdays do. Online: http://d0cs4vage.blogspot.com/2011/06/insecticidesdont-kill-bugs-patch.html, June 2013.
- L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In Proceedings of NDSS 2012, Feb. 2012.
- L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of USENIX Security 2014, Aug. 2014.
- A. Edwards, A. Srivastava, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, Apr. 2001.
- Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. Necula. XFI: Software guards for system address spaces. In Proceedings of OSDI 2006, pages 75–88, Nov. 2006.
- Ú. Erlingsson, Y. Younan, and F. Piessens. Low-level software security by example. In P. Stavroulakis and M. Stamp, editors, Handbook of Information and Communication Security, pages 633–658. Springer Berlin Heidelberg, 2010.
- C. Evans. Exploiting 64-bit linux like a boss. Online: http://scarybeastsecurity.blogspot.com/search?q=Exploiting+64-bit+linux, 2013.
- E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In Proceedings of the 34th IEEE Symposium on Security and Privacy (Oakland), May 2014.
- E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Proceedings of USENIX Security 2014, Aug. 2014.
- Google Developers. Native client. Online: https://developers.google.com/native-client/, 2013.
- ISO. ISO/IEC 14882:2011 Information technology — Programming languages — C++. International Organization for Standardization, Geneva, Switzerland, Feb. 2012.
- D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Proceedings of NDSS 2014. Internet Society, Feb. 2014. To appear. Online: http://ensiwiki.ensimag.fr/
- vulnerabilities_still_matter.pdf, 2012.
- G. Morrisett, G. Tan, J. Tassarotti, J.-B. Tristan, and E. Gan. Rocksalt: better, faster, stronger SFI for the x86. In Proceedings of PLDI 2012, pages 395–404, June 2012.
- Mozilla Foundation. Mozilla Foundation security advisory 2013-29. Online: https://www.mozilla.org/security/announce/2013/mfsa2013-29.html, 2013.
- MWR InfoSecurity. Pwn2Own at CanSecWest 2013. Online: https://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-atcansecwest-2013, 2013.
- T. Mytkowicz, A. Diwan, M. Hauswirth, and P. Sweeney. Producing wrong data without doing anything obviously wrong! In Proceedings of ASPLOS 2009, Mar. 2009.
- NIST. CVE-2010-0249. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249, 2010.
- NIST. CVE-2010-3971. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3971, 2010.
- NIST. CVE-2011-1255. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1255, 2011.
- B. Niu and G. Tan. Monitor integrity protection with space efficiency and separate compilation. In Proceedings of CCS 2013, Nov. 2013.
- J. Pewny and T. Holz. Control-flow restrictor: Compiler-based CFI for iOS. In Proceedings of ACSAC 2013, Dec. 2013.
- R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. & System Security, 15(1), Mar. 2012.
- Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceedings of IEEE Symposium on Security and Privacy (“Oakland”) 2011, May 2011.
- B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In Proceedings of CCS 2011, Oct. 2011.
- B. Zeng, G. Tan, and Ú. Erlingsson. Strato: A retargetable framework for low-level inlined-reference monitors. In Proceedings of USENIX Security 2013, Aug. 2013.
- C. Zhang, T. Wei, Z. Chen, L. Duan, S. McCamant, L. Szekeres, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland), May 2013.
- M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In Proceedings of USENIX Security 2013, Aug. 2013.