Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

USENIX Security Symposium, pp. 161–176 (2015)

Cited by: 408

Abstract

Control-Flow Integrity (CFI) is a defense which prevents control-flow hijacking attacks. While recent research has shown that coarse-grained CFI does not stop attacks, fine-grained CFI is believed to be secure. We argue that assessing the effectiveness of practical CFI implementations is non-trivial and that common evaluation metrics fail...

Introduction
  • One way to exploit a memory corruption bug involves hijacking control flow to execute attacker-supplied or already-existing code in an application’s address space.
  • These methods leverage the memory corruption bug to change the target of an indirect branch instruction.
Highlights
  • Attacking software systems by exploiting memory-corruption vulnerabilities is one of the most common attack methods today according to the list of Common Vulnerabilities and Exposures.
  • Each has limitations: stack canaries protect only against contiguous overwrites of the stack, Data Execution Prevention protects against code injection but not against code reuse, and ASLR does not protect against information leakage.
  • We see in Table 1 that our minimal program linked against its libraries achieves high Average Indirect target Reduction and gadget reduction numbers for our coarse-grained Control-Flow Integrity policy
  • We found it is possible to write arbitrary values to arbitrary locations, even when nginx is protected by fully-precise static Control-Flow Integrity with a shadow stack, by modifying internal data structures to perform a control-flow bending attack
  • Control-flow integrity has historically been considered a strong defense against control-flow hijacking attacks and Return Oriented Programming attacks, if implemented to its fullest extent
  • Our results indicate that this is not entirely the case, and that control-flow bending allows attackers to perform meaningful attacks even against systems protected by fully-precise static Control-Flow Integrity.
Results
  • The authors see in Table 1 that the minimal program linked against its libraries achieves high AIR and gadget reduction numbers for the coarse-grained CFI policy.
  • The minimal vulnerable program evaluated in Table 1 (the setbuf arguments are not legible in the listing):

      void vulnFunc() {
          char buf[1024];
          read(STDIN, buf, 2048);   /* reads 2048 bytes into a 1024-byte buffer: the intended overflow */
      }

      int main() {
          setbuf(/* arguments elided */);
          printf("echo > ");
          memLeak();                /* leaks an address so the attack can bypass ASLR */
          printf("\nread > ");
          vulnFunc();
          printf("\ndone.\n");
          return 0;
      }

    Table 1 column headers: No CFI, CFI, AIR, Gadget red.
  • The authors found five gadgets that allow them to implement all attacker goals as defined in Section 3.
  • Two gadgets can be used to load a set of general purpose registers from the attacker-controlled stack and return.
  • One gadget implements an arbitrary memory write ("write-what-where") and returns.
  • By routing control-flow through the first four gadgets and then to the call gadget, the attacker can call any function.
Conclusion
  • Control-flow integrity has historically been considered a strong defense against control-flow hijacking attacks and ROP attacks, if implemented to its fullest extent.
  • CFI with a shadow stack does still provide value as a defense, if implemented correctly.
  • It can significantly raise the bar for writing exploits by forcing attackers to tailor their attacks to a particular application; it limits an attacker to issuing only system calls available to the application; and it can make specific vulnerabilities unexploitable under some circumstances.
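To make the shadow-stack point concrete, the following is an added software model (not code from the paper or from any CFI implementation) of what a shadow stack does on a return: the prologue saves the return address both on the ordinary, writable stack and in a separate region the attacker is assumed not to reach, and the epilogue refuses to return when the two copies disagree. The stack arrays, depth, and function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a shadow stack. The "main stack" is the writable region a
 * stack overflow can corrupt; the "shadow" is assumed to be write-protected. */
#define DEPTH 64

typedef struct {
    uintptr_t main_stack[DEPTH];   /* return addresses as saved on the writable stack */
    uintptr_t shadow[DEPTH];       /* copies held in the protected shadow stack */
    size_t sp;                     /* number of active frames */
} sstack_t;

void sstack_init(sstack_t *s) { s->sp = 0; }

/* Instrumented call/prologue: record the return address in both places.
 * Returns 1 on success, 0 if the model's fixed depth is exhausted. */
int sstack_call(sstack_t *s, uintptr_t retaddr) {
    if (s->sp >= DEPTH) return 0;
    s->main_stack[s->sp] = retaddr;
    s->shadow[s->sp] = retaddr;
    s->sp++;
    return 1;
}

/* Simulated memory corruption: a contiguous overwrite clobbers the innermost
 * saved return address on the writable stack only. */
void sstack_corrupt_top(sstack_t *s, uintptr_t value) {
    if (s->sp) s->main_stack[s->sp - 1] = value;
}

/* Instrumented return/epilogue: pop a frame and return only to the address
 * both copies agree on. Returns 1 and stores the target on success, 0 on a
 * mismatch (a real implementation would abort the process here). */
int sstack_ret(sstack_t *s, uintptr_t *target) {
    if (s->sp == 0) return 0;
    s->sp--;
    if (s->main_stack[s->sp] != s->shadow[s->sp]) return 0;
    *target = s->shadow[s->sp];
    return 1;
}

int main(void) {
    sstack_t s;
    uintptr_t to = 0;
    sstack_init(&s);
    sstack_call(&s, 0x401000);               /* constructed return address */
    sstack_call(&s, 0x402000);
    sstack_corrupt_top(&s, 0xdead);          /* overflow rewrites the saved address */
    printf("corrupted frame: %s\n", sstack_ret(&s, &to) ? "returned" : "blocked");
    printf("clean frame:     %s to %#lx\n",
           sstack_ret(&s, &to) ? "returned" : "blocked", (unsigned long)to);
    return 0;
}
```

The model shows why the conclusion treats a shadow stack as valuable yet not sufficient: it catches every return-address overwrite on the backward edge, but does nothing for forward-edge indirect calls or for the non-control-data that the control-flow bending attacks above manipulate.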
Tables
  • Table1: Basic metrics for the minimal vulnerable program under no CFI and our coarse-grained CFI policy
  • Table2: The results of our evaluation of the 6 binaries. The 2nd and 6th columns indicate whether the vulnerability we examined allows an attacker to control memory. The other columns indicate which attack goals would be achievable, assuming the attacker controls memory. A "no" indicates that we were not able to achieve that attack goal; anything else indicates it is achievable, and indicates the attack technique we used to achieve the goal. A "?" indicates we were not able to reproduce the exploit.
Related work
  • Control-flow integrity. Control-flow integrity was originally proposed by Abadi et al. [1, 15] a decade ago. Classical CFI instruments indirect branch target locations with equivalence-class numbers (encoded as a label in a side-effect-free instruction) that are checked at branch locations before taking the branch. Many other CFI schemes have been proposed since then.

    The most coarse-grained policies (e.g., Native Client [40] or PittSFIeld [20]) align valid targets to the beginning of chunks. At branches, these CFI schemes ensure that control-flow is not transferred to unaligned addresses. Fine-grained approaches use static analysis of source code to construct more accurate CFGs (e.g., WIT [2] and HyperSafe [39]). Recent work by Niu et al [27] added support for separate compilation and dynamic loading. Binary-only CFI implementations are generally more coarse-grained: MoCFI [13] and BinCFI [44] use static binary rewriting to instrument indirect branches with additional CFI checks.
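The two CFI flavours contrasted above can be modelled in a few lines of C. The block below is an added example, not code from the paper or from any of the cited schemes: the label table standing in for the equivalence-class numbers embedded at each target, the chunk-alignment check standing in for the Native Client / PittSFIeld style rule, and all function names and label values are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Equivalence-class labels (constructed values). Classical CFI places such a label
 * in a side-effect-free instruction at each valid target; here a table plays that role. */
#define LABEL_HANDLER 0x1001u
#define LABEL_OTHER   0x2002u

typedef struct {
    handler_fn fn;
    uint32_t   label;
} target_t;

static int double_it(int x)     { return 2 * x; }
static int negate(int x)        { return -x; }
static int privileged_op(int x) { return x + 1000; }  /* same signature, different class */

static const target_t targets[] = {
    { double_it,     LABEL_HANDLER },
    { negate,        LABEL_HANDLER },
    { privileged_op, LABEL_OTHER   },
};

/* Recover the label at a code pointer; 0 means "no label", i.e. not a branch target. */
static uint32_t label_of(handler_fn fn) {
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (targets[i].fn == fn) return targets[i].label;
    return 0;
}

/* Fine-grained check at an indirect call site whose only valid class is LABEL_HANDLER.
 * Sets *ok to 1 and dispatches, or sets *ok to 0 and returns 0 on a violation
 * (a real implementation aborts the process instead). */
int cfi_indirect_call(handler_fn fn, int arg, int *ok) {
    if (label_of(fn) != LABEL_HANDLER) { *ok = 0; return 0; }
    *ok = 1;
    return fn(arg);
}

/* Coarse-grained check: a target is accepted iff it starts a 2^chunk_bits-byte chunk.
 * No knowledge of the call site or the target's type is used. */
int coarse_check(uintptr_t target, unsigned chunk_bits) {
    uintptr_t mask = ((uintptr_t)1 << chunk_bits) - 1;
    return (target & mask) == 0;
}

int main(void) {
    int ok = 0;
    int r = cfi_indirect_call(double_it, 21, &ok);
    printf("double_it:     ok=%d result=%d\n", ok, r);
    r = cfi_indirect_call(privileged_op, 1, &ok);
    printf("privileged_op: ok=%d result=%d (wrong class, blocked)\n", ok, r);
    printf("coarse 0x1000: %d, coarse 0x1003: %d\n",
           coarse_check(0x1000, 5), coarse_check(0x1003, 5));
    return 0;
}
```

The difference the Related work paragraph draws is visible in the two checks: the coarse check accepts any aligned address, so every function entry in the binary is a valid target from every call site, while the label check restricts each site to its own class. The paper's point is that even the fine-grained check still admits every function in the class, which is what the control-flow bending attacks exploit.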
Funding
  • This work was supported by NSF grant CNS-1513783, by the AFOSR under MURI award FA9550-12-1-0040, and by Intel through the ISTC for Secure Computing.
References
  • [1] ABADI, M., BUDIU, M., ERLINGSSON, U., AND LIGATTI, J. Control-flow integrity. In CCS'05 (2005).
  • [2] AKRITIDIS, P., CADAR, C., RAICIU, C., COSTA, M., AND CASTRO, M. Preventing memory error exploits with WIT. In IEEE S&P'08 (2008).
  • [3] BLETSCH, T., JIANG, X., AND FREEH, V. Mitigating code-reuse attacks with control-flow locking. In ACSAC'11 (2011).
  • [4] BLETSCH, T., JIANG, X., FREEH, V. W., AND LIANG, Z. Jump-oriented programming: a new class of code-reuse attack. In ASIACCS'11 (2011).
  • [5] CARLINI, N., AND WAGNER, D. ROP is still dangerous: Breaking modern defenses. In USENIX Security'14 (2014).
  • [6] CASTRO, M., COSTA, M., AND HARRIS, T. Securing software by enforcing data-flow integrity. In OSDI'06 (2006).
  • [7] CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., AND WINANDY, M. Return-oriented programming without returns. In CCS'10 (2010), pp. 559–572.
  • [8] CHEN, S., XU, J., SEZER, E. C., GAURIAR, P., AND IYER, R. K. Non-control-data attacks are realistic threats. In USENIX Security'05 (2005).
  • [9] CHENG, Y., ZHOU, Z., YU, M., DING, X., AND DENG, R. H. ROPecker: A generic and practical approach for defending against ROP attacks. In NDSS'14 (2014).
  • [10] COWAN, C., PU, C., MAIER, D., HINTONY, H., WALPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAGLE, P., AND ZHANG, Q. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security'98 (1998).
  • [11] COX, M. CVE-2006-3747: Apache web server off-by-one buffer overflow vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747, 2006.
  • [12] CRISWELL, J., DAUTENHAHN, N., AND ADVE, V. KCoFI: Complete control-flow integrity for commodity operating system kernels. In IEEE S&P'14 (2014).
  • [13] DAVI, L., DMITRIENKO, R., EGELE, M., FISCHER, T., HOLZ, T., HUND, R., NUERNBERGER, S., AND SADEGHI, A. MoCFI: A framework to mitigate control-flow attacks on smartphones. In NDSS'12 (2012).
  • [14] DAVI, L., SADEGHI, A.-R., LEHMANN, D., AND MONROSE, F. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security'14 (2014).
  • [15] ERLINGSSON, U., ABADI, M., VRABLE, M., BUDIU, M., AND NECULA, G. C. XFI: Software guards for system address spaces. In OSDI'06 (2006).
  • [16] GOKTAS, E., ATHANASOPOULOS, E., BOS, H., AND PORTOKALIDIS, G. Out of control: Overcoming control-flow integrity. In IEEE S&P'14 (2014).
  • [17] JIM, T., MORRISETT, J. G., GROSSMAN, D., HICKS, M. W., CHENEY, J., AND WANG, Y. Cyclone: A safe dialect of C. In ATC'02 (2002).
  • [18] KUZNETSOV, V., PAYER, M., SZEKERES, L., CANDEA, G., SEKAR, R., AND SONG, D. Code-pointer integrity. In OSDI'14 (2014).
  • [19] MACMANUS, G. CVE-2013-2028: Nginx http server chunked encoding buffer overflow. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028, 2013.
  • [20] MCCAMANT, S., AND MORRISETT, G. Evaluating SFI for a CISC architecture. In USENIX Security'06 (2006).
  • [21] MEHTA, N., RIKU, ANTTI, AND MATTI. The Heartbleed bug. http://heartbleed.com/, 2014.
  • [22] NAGARAKATTE, S., ZHAO, J., MARTIN, M. M., AND ZDANCEWIC, S. SoftBound: Highly compatible and complete spatial memory safety for C. In PLDI'09 (2009).
  • [23] NAGARAKATTE, S., ZHAO, J., MARTIN, M. M., AND ZDANCEWIC, S. CETS: Compiler enforced temporal safety for C. In ISMM'10 (2010).
  • [24] NECULA, G., CONDIT, J., HARREN, M., MCPEAK, S., AND WEIMER, W. CCured: Type-safe retrofitting of legacy software. ACM Transactions on Programming Languages and Systems (TOPLAS) 27, 3 (2005), 477–526.
  • [25] NERGAL. The advanced return-into-lib(c) exploits. Phrack 11, 58 (Nov. 2007), http://phrack.com/issues.html?issue=67&id=8.
  • [26] NISSL, R. CVE-2009-1886: Format string vulnerability in smbclient. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1886, 2009.
  • [27] NIU, B., AND TAN, G. Modular control-flow integrity. In PLDI'14 (2014).
  • [28] PAPPAS, V., POLYCHRONAKIS, M., AND KEROMYTIS, A. D. Transparent ROP exploit mitigation using indirect branch tracing. In USENIX Security (2013), pp. 447–462.
  • [29] PAX-TEAM. PaX ASLR (Address Space Layout Randomization). http://pax.grsecurity.net/docs/aslr.txt, 2003.
  • [30] PAYER, M., BARRESI, A., AND GROSS, T. R. Fine-grained control-flow integrity through binary hardening. In DIMVA'15.
  • [31] PHILIPPAERTS, P., YOUNAN, Y., MUYLLE, S., PIESSENS, F., LACHMUND, S., AND WALTER, T. Code pointer masking: Hardening applications against code injection attacks. In DIMVA'11 (2011).
  • [32] PINCUS, J., AND BAKER, B. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy 2 (2004), 20–27.
  • [33] ROPPER. Ropper – rop gadget finder and binary information tool. https://scoding.de/ropper/, 2014.
  • [34] SALWAN, J. ROPgadget – Gadgets finder and auto-roper. http://shell-storm.org/project/ROPgadget/, 2011.
  • [35] SCHWARTZ, E. J., AVGERINOS, T., AND BRUMLEY, D. Q: Exploit hardening made easy. In USENIX Security'11 (2011).
  • [36] SHACHAM, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS'07.
  • [37] SZEKERES, L., PAYER, M., WEI, T., AND SONG, D. SoK: Eternal war in memory. In IEEE S&P'13 (2013).
  • [38] VAN DE VEN, A., AND MOLNAR, I. Exec shield. https://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf, 2004.
  • [39] WANG, Z., AND JIANG, X. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In IEEE S&P'10 (2010).
  • [40] YEE, B., SEHR, D., DARDYK, G., CHEN, J. B., MUTH, R., ORMANDY, T., OKASAKA, S., NARULA, N., AND FULLAGAR, N. Native client: A sandbox for portable, untrusted x86 native code. In IEEE S&P'09 (2009).
  • [41] ZENG, B., TAN, G., AND ERLINGSSON, U. Strato: A retargetable framework for low-level inlined-reference monitors. In USENIX Security'13 (2013).
  • [42] ZHANG, C., WEI, T., CHEN, Z., DUAN, L., MCCAMANT, S., AND SZEKERES, L. Protecting function pointers in binary. In ASIACCS'13 (2013).
  • [43] ZHANG, C., WEI, T., CHEN, Z., DUAN, L., SZEKERES, L., MCCAMANT, S., SONG, D., AND ZOU, W. Practical control flow integrity and randomization for binary executables. In IEEE S&P'13 (2013).
  • [44] ZHANG, M., AND SEKAR, R. Control flow integrity for COTS binaries. In USENIX Security'13 (2013).