MazeRunner - Evaluating the Attack Surface of Control-Flow Integrity Policies.

TrustCom (2021)

Abstract
Control-Flow Integrity (CFI) enforces a control-flow graph (CFG) to limit attackers' ability to manipulate runtime control flow. CFI variations, enforcing different CFGs, achieve different degrees of attack surface reduction. To compare the security strength of different CFI policies, measuring the remaining attack surface is critical but challenging. Therefore, we propose MazeRunner, a framework that quantitatively estimates the attack surface of a CFI-hardened program. Methodology-wise, it takes a program's CFG, an attack model, and a security-violation policy as input to discover risky program points by an attack-aware data dependency tracking algorithm. Risky program points and the CFG are used to compute a metric for the remaining attack surface. We evaluate MazeRunner with 3 CFG types, 3 attack models, and 4 security-violation policies against 13 realistic benchmarks, and demonstrate that the new metric achieves higher precision than traditional metrics while maintaining completeness.
Keywords
Control-Flow Integrity, Security Evaluation, Binary Analysis