
Enforcing forward-edge control-flow integrity in GCC & LLVM

USENIX Security, pp.941-955, (2014)

Cited by: 398

Abstract

Constraining dynamic control transfers is a common technique for mitigating software vulnerabilities. This defense has been widely and successfully used to protect return addresses and stack data; hence, current attacks instead typically corrupt vtable and function pointers to subvert a forward edge (an indirect jump or call) in the contr...

Introduction
  • The computer security research community has developed several widely-adopted techniques that successfully protect return addresses and other critical stack data [13, 20].
  • Taking advantage of heap-based memory corruption bugs can allow an attacker to overwrite a function-pointer value, so that arbitrary machine code gets executed when that value is used in an indirect function call [6].
  • Such exploits are referred to as forward-edge attacks, as they change forward edges in the program’s control-flow graph (CFG).
  • Such exploits are becoming commonplace, especially for web browsers where the attacker can partially control executed JavaScript code [14, 23].
Highlights
  • The computer security research community has developed several widely-adopted techniques that successfully protect return addresses and other critical stack data [13, 20]
  • We present the first Control-Flow Integrity implementations that are fully integrated into production compilers without restrictions or simplifying assumptions
  • The Vtable Verification tests were all run on an HP Z620 Xeon E5-2690 2.9GHz machine, running Ubuntu Linux 12.04.2, and the Indirect Function-Call Checks and FSan tests were run on an HP Z620 Xeon E5550 2.67GHz machine, running the same OS
  • This paper advances the techniques of Control-Flow Integrity, moving them from research prototypes to being firmly in the domain of the practical
  • We have described two different principled, compiler-based Control-Flow Integrity solutions for enforcing control-flow integrity for indirect jumps: vtable verification for virtual calls (VTV) guarantees that the vtable being used for a virtual call is a valid vtable for the program and is semantically correct for the call site; and indirect function-call checking (IFCC) guarantees that the target of an indirect call is one of the address-taken functions in the program
  • Our mechanisms have a corresponding overhead of less than 2%, as we report in Section 7.2
  • We present FSan, an optional indirect call checking tool which verifies at runtime that the target of an indirect call has the correct function signature, based on the call site
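As an added illustration (not code from the paper or from the GCC/LLVM implementations it describes), the following C program models the two forward-edge checks the highlights name: an IFCC-style check that an indirect call's target is one of the program's address-taken functions, and an FSan-style check that the target's function signature matches what the call site expects. The table `cfi_table`, the signature tags, and the helper names are assumptions made for this example; a linear search over the table stands in for whatever lookup the compilers actually emit, which this page does not describe.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical signature tags, standing in for the function-type data
 * that the paper's optional checker (FSan) associates with each function. */
enum { SIG_INT_INT = 1, SIG_VOID_VOID = 2 };

typedef struct {
    void (*target)(void);  /* generic pointer so one table holds every type */
    int sig;               /* assumed signature tag for the FSan-style check */
} cfi_entry;

/* Address-taken functions: the only legitimate indirect-call targets. */
static int add_one(int x) { return x + 1; }
static int double_it(int x) { return x * 2; }
static void greet(void) { puts("hello"); }

/* Never address-taken in this program, so an indirect call to it can only
 * result from a corrupted function pointer and must be rejected. */
static int privileged_op(int x) { return x * 1000; }

/* Constructed stand-in for the compiler-generated set of valid targets. */
static const cfi_entry cfi_table[] = {
    { (void (*)(void))add_one,   SIG_INT_INT },
    { (void (*)(void))double_it, SIG_INT_INT },
    { (void (*)(void))greet,     SIG_VOID_VOID },
};
#define CFI_TABLE_LEN (sizeof cfi_table / sizeof cfi_table[0])

/* IFCC-style check: is fp one of the program's address-taken functions? */
int ifcc_valid_target(void (*fp)(void)) {
    for (size_t i = 0; i < CFI_TABLE_LEN; i++)
        if (cfi_table[i].target == fp) return 1;
    return 0;
}

/* FSan-style check: does the target's recorded signature match the one
 * the call site expects? Unknown targets never match. */
int fsan_signature_matches(void (*fp)(void), int expected_sig) {
    for (size_t i = 0; i < CFI_TABLE_LEN; i++)
        if (cfi_table[i].target == fp) return cfi_table[i].sig == expected_sig;
    return 0;
}

/* Guarded indirect call for call sites of type int(int).
 * Returns 0 and stores the result on success, -1 if the target is not an
 * address-taken function, -2 if it is but its signature is wrong.
 * A real compiler-inserted check would abort instead of returning. */
int checked_call_int_int(int (*fp)(int), int arg, int *result) {
    void (*generic)(void) = (void (*)(void))fp;
    if (!ifcc_valid_target(generic)) return -1;
    if (!fsan_signature_matches(generic, SIG_INT_INT)) return -2;
    *result = fp(arg);
    return 0;
}

int main(void) {
    int r = 0;
    int (*handler)(int) = add_one;  /* legitimate forward edge */
    printf("legit: rc=%d r=%d\n", checked_call_int_int(handler, 41, &r), r);

    /* Simulated forward-edge corruption: the pointer now names a function
     * whose address is never taken, as a heap overwrite might produce. */
    handler = (int (*)(int))privileged_op;
    printf("not address-taken: rc=%d\n", checked_call_int_int(handler, 41, &r));

    /* Address-taken, but the wrong type for this call site. */
    handler = (int (*)(int))greet;
    printf("wrong signature: rc=%d\n", checked_call_int_int(handler, 41, &r));
    return 0;
}
```

The two checks are deliberately separate: the IFCC-style set membership is what the paper reports as the always-on guarantee, while the signature comparison models the optional, stricter policy that FSan adds on top of it.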
Results
  • The authors measured the performance of the approaches both on the C++ tests from the SPEC CPU2006 benchmark suite and on the Chromium browser running Dromaeo, SunSpider, and Octane.
  • The Chromium web browser is a large, complex, real-world application, comprising over 15 million lines of C++ code in over 50,000 source files, and containing hundreds of thousands of virtual calls.
  • It links in many third-party libraries and makes extensive use of dynamic library loading.
  • It is representative of the type of target attackers are interested in.
  • For all these reasons, Chromium makes an excellent test for measuring the effects of the CFI approaches on real-world systems.
  • Both VTV and IFCC were able to successfully build fully-functional, protected versions of Chromium.
Conclusion
  • This paper advances the techniques of Control-Flow Integrity, moving them from research prototypes to being firmly in the domain of the practical.
  • The authors have described two different principled, compiler-based CFI solutions for enforcing control-flow integrity for indirect jumps: vtable verification for virtual calls (VTV) guarantees that the vtable being used for a virtual call is a valid vtable for the program and is semantically correct for the call site; and indirect function-call checking (IFCC) guarantees that the target of an indirect call is one of the address-taken functions in the program.
  • [Figure (a), not reproduced: relative overhead of IFCC enforcement for SPEC CPU2006 benchmarks (astar, dealII, namd, omnet, ...) and the Dromaeo benchmark.]
Tables
  • Table1: Function prefix data layout for the optional function type checker
  • Table2: Forward-edge indirect control transfer (fICT) instructions in Chromium. Their arguments may be placed in three classes: (a) a type of constant, (b) an indirect address protected by CFI, and (c) an unprotected address. Constant-argument instructions include indirect jumps in the PLT which target a read-only GOT section and indirect jump instructions implementing switch statements, as well as indirect call instructions with constant targets. † The targets for these indirect control transfer instructions are either spilled to the stack explicitly or are in callee-saved registers which are potentially spilled by intervening function calls
  • Table3: Untuned SPEC run-time numbers, at -O2. The asterisks indicate changes that are too small to be of any significance. These numbers are the minimum out of three runs (standard deviation is very close to zero)
  • Table4: Verifications per second when running SPEC CPU2006 C++ benchmarks and Chrome with VTV
  • Table5: Results of lower bound experiments for VTV
Related work
  • Following the original 2005 work on CFI, later revised as Abadi et al [1], there have been a number of implementations that have extended or built upon CFI: XFI by Erlingsson et al [12], BGI by Castro et al [5], HyperSafe by Wang and Jiang [31], CFI+Sandboxing by Zeng et al [32], MoCFI by Davi et al [9], CCFIR by Zhang et al [34], Strato by Zeng et al [33], bin-CFI by Zhang et al [35], MIP by Niu et al [28], and SAFEDISPATCH by Jang et al [19].

    These CFI-based mechanisms vary widely in their goals, tradeoffs and implementation details. To achieve low overhead, many enforce only coarse-grained CFI, which may be a weak defense [15].

    XFI, Strato, HyperSafe, and BGI use control-flow integrity primarily as a building block for higher-level functionality, such as enforcing software-based fault isolation (SFI), or fine-grained memory-access controls. Some, like XFI, focus on statically verifying untrusted binary modules, to establish that CFI will be correctly enforced during their execution, and thus that they can be used safely within different address spaces, such as the OS kernel.

    Many implementations of CFI are based on binary rewriting. XFI and the original work on CFI used the sound, production-quality Windows binary rewriter, Vulcan [11], as well as debug information in PDB files.
Funding
  • Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX
References
  • [1] M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. ACM Trans. Info. & System Security, 13(1):4:1–4:40, Oct. 2009.
  • [2] T. Bao, J. Burket, and M. Woo. BYTEWEIGHT: Learning to recognize functions in binary code. In Proceedings of USENIX Security 2014, Aug. 2014.
  • [3] J. Caballero, G. Grieco, M. Marron, and A. Nappa. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of ISSTA 2012, July 2012.
  • [4] N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In Proceedings of USENIX Security 2014, Aug. 2014.
  • [5] M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. In Proceedings of SOSP 2009, Oct. 2009.
  • [6] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of CCS 2010, pages 559–572. ACM Press, Oct. 2010. URL https://cs.jhu.edu/~s/papers/noret_ccs2010.html.
  • [7] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of USENIX Security 1998, Jan. 1998.
  • [8] “d0c_s4vage”. Insecticides don’t kill bugs, Patch Tuesdays do. Online: http://d0cs4vage.blogspot.com/2011/06/insecticidesdont-kill-bugs-patch.html, June 2013.
  • [9] L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In Proceedings of NDSS 2012, Feb. 2012.
  • [10] L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of USENIX Security 2014, Aug. 2014.
  • [11] A. Edwards, A. Srivastava, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, Apr. 2001.
  • [12] Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. Necula. XFI: Software guards for system address spaces. In Proceedings of OSDI 2006, pages 75–88, Nov. 2006.
  • [13] Ú. Erlingsson, Y. Younan, and F. Piessens. Low-level software security by example. In P. Stavroulakis and M. Stamp, editors, Handbook of Information and Communication Security, pages 633–658. Springer Berlin Heidelberg, 2010.
  • [14] C. Evans. Exploiting 64-bit Linux like a boss. Online: http://scarybeastsecurity.blogspot.com/search?q=Exploiting+64-bit+linux, 2013.
  • [15] E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In Proceedings of the 34th IEEE Symposium on Security and Privacy (Oakland), May 2014.
  • [16] E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Proceedings of USENIX Security 2014, Aug. 2014.
  • [17] Google Developers. Native Client. Online: https://developers.google.com/native-client/, 2013.
  • [18] ISO. ISO/IEC 14882:2011 Information technology — Programming languages — C++. International Organization for Standardization, Geneva, Switzerland, Feb. 2012.
  • [19] D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Proceedings of NDSS 2014. Internet Society, Feb. 2014. To appear. Online: http://ensiwiki.ensimag.fr/
  • [20] vulnerabilities_still_matter.pdf, 2012.
  • [21] G. Morrisett, G. Tan, J. Tassarotti, J.-B. Tristan, and E. Gan. RockSalt: Better, faster, stronger SFI for the x86. In Proceedings of PLDI 2012, pages 395–404, June 2012.
  • [22] Mozilla Foundation. Mozilla Foundation security advisory 2013-29. Online: https://www.mozilla.org/security/announce/2013/mfsa2013-29.html, 2013.
  • [23] MWR InfoSecurity. Pwn2Own at CanSecWest 2013. Online: https://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-atcansecwest-2013, 2013.
  • [24] T. Mytkowicz, A. Diwan, M. Hauswirth, and P. Sweeney. Producing wrong data without doing anything obviously wrong! In Proceedings of ASPLOS 2009, Mar. 2009.
  • [25] NIST. CVE-2010-0249. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249, 2010.
  • [26] NIST. CVE-2010-3971. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3971, 2010.
  • [27] NIST. CVE-2011-1255. Online: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1255, 2011.
  • [28] B. Niu and G. Tan. Monitor integrity protection with space efficiency and separate compilation. In Proceedings of CCS 2013, Nov. 2013.
  • [29] J. Pewny and T. Holz. Control-flow restrictor: Compiler-based CFI for iOS. In Proceedings of ACSAC 2013, Dec. 2013.
  • [30] R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. & System Security, 15(1), Mar. 2012.
  • [31] Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceedings of IEEE Symposium on Security and Privacy (“Oakland”) 2011, May 2011.
  • [32] B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In Proceedings of CCS 2011, Oct. 2011.
  • [33] B. Zeng, G. Tan, and Ú. Erlingsson. Strato: A retargetable framework for low-level inlined-reference monitors. In Proceedings of USENIX Security 2013, Aug. 2013.
  • [34] C. Zhang, T. Wei, Z. Chen, L. Duan, S. McCamant, L. Szekeres, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland), May 2013.
  • [35] M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In Proceedings of USENIX Security 2013, Aug. 2013.