Advertisement

Abstract

Attackers have evolved classic code-injection attacks, such as those caused by buffer overflows to sophisticated Turing-complete code-reuse attacks. Control-Flow Integrity (CFI) is a defence mechanism to eliminate control-flow hijacking attacks caused by common memory errors. CFI relies on static analysis for the creation of a program’s control-flow graph (CFG), then at runtime CFI ensures that the program follows the legitimate path. Thereby, when an attacker tries to execute malicious shellcode, CFI detects an unintended path and aborts execution. CFI heavily relies on static analysis for the accurate generation of the control-flow graph, and its security depends on how strictly the CFG is generated and enforced.

This paper reviews the CFI schemes proposed over the last ten years and assesses their security guarantees against advanced exploitation techniques.

Keywords

Control-Flow Integrity Code-reuse attacks Operating system security 

References

  1. 1.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity: principles, implementations and applications. In: CCS (2005)Google Scholar
  2. 2.
    Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: Security & Privacy (2008)Google Scholar
  3. 3.
    AMD: AMD64 Architecture Programmer’s Manual: System Programming, vol.2 (2013). http://developer.amd.com/wordpress/media/2012/10/24593_APM_v21.pdf
  4. 4.
    Andersen, S., Abella, V.: Data Execution Prevention. Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies (2004)Google Scholar
  5. 5.
    Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: CCS (2011)Google Scholar
  6. 6.
    Bosman, E., Bos, H.: Framing signals-a return to portable shellcode. In: Security & Privacy (2014)Google Scholar
  7. 7.
    Bounov, D., Kıcı, R.G., Lerner, S.: Protecting C++ dynamic dispatch through vtable interleaving. In: NDSS (2016)Google Scholar
  8. 8.
    Burow, N., Carr, S.A., Brunthaler, S., Payer, M., Nash, J., Larsen, P., Franz, M.: Control-flow integrity: precision, security, and performance. arXiv preprint arXiv:1602.04056 (2016)
  9. 9.
    Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX Security (2015)Google Scholar
  10. 10.
    Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: USENIX Security (2014)Google Scholar
  11. 11.
    Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: OSDI (2006)Google Scholar
  12. 12.
    Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: CCS (2010)Google Scholar
  13. 13.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX Security (2005)Google Scholar
  14. 14.
    Cheng, Y., Zhou, Z., Miao, Y., Ding, X., Deng, H., R.: ROPecker: a generic and practical approach for defending against ROP attack. In: NDSS (2014)Google Scholar
  15. 15.
    Conti, M., Crane, S., Davi, L., Franz, M., Larsen, P., Negro, M., Liebchen, C., Qunaibit, M., Sadeghi, A.R.: Losing control: on the effectiveness of control-flow integrity under stack attacks. In: CCS (2015)Google Scholar
  16. 16.
    Cowan, C., Pu, C., Maier, D., Hinton, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: USENIX Security (1998)Google Scholar
  17. 17.
    Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: Security & Privacy (2014)Google Scholar
  18. 18.
    Criswell, J., Lenharth, A., Dhurjati, D., Adve, V.: Secure virtual architecture: a safe execution environment for commodity operating systems. In: ACM SIGOPS Operating Systems Review (2007)Google Scholar
  19. 19.
    Dang, T.H.Y., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ASIACCS (2015)Google Scholar
  20. 20.
    Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS (2012)Google Scholar
  21. 21.
    Davi, L., Sadeghi, A.R., Lehmann, D., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: USENIX Security (2014)Google Scholar
  22. 22.
    Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced operating system security through efficient and fine-grained address space randomization. In: USENIX Security (2012)Google Scholar
  23. 23.
    Göktaş, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: Security & Privacy (2014)Google Scholar
  24. 24.
    Göktaş, E., Athanasopoulos, E., Polychronakis, M., Bos, H., Portokalidis, G.: Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard. In: USENIX Security (2014)Google Scholar
  25. 25.
    Hardekopf, B., Lin, C.: Semi-sparse flow-sensitive pointer analysis. In: ACM SIGPLAN Notices (2009)Google Scholar
  26. 26.
    Hind, M.: Pointer analysis: haven’t we solved this problem yet?. In: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (2001)Google Scholar
  27. 27.
    Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: USENIX Security (2015)Google Scholar
  28. 28.
    Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: Security & Privacy (2016)Google Scholar
  29. 29.
    Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: Security & Privacy (2013)Google Scholar
  30. 30.
    Intel: Intel 64 and IA-32 Architectures Software Developer’s Manual: Basic Architecture, vol. 1 (2016). https://www-ssl.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
  31. 31.
    Intel: Intel 64 and IA-32 Architectures Software Developer’s Manual: System Programming Guide, vol. 3B, Part 2 (2016). https://www-ssl.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-3b-part-2-manual.html
  32. 32.
    Jang, D., Tatlock, Z., Lerner, S.: SafeDispatch: securing C++ virtual calls from memory corruption attacks. In: NDSS (2014)Google Scholar
  33. 33.
    Kemerlis, V.P., Portokalidis, G., Keromytis, A.D.: kGuard: lightweight kernel protection against return-to-user attacks. In: USENIX Security (2012)Google Scholar
  34. 34.
    Kiriansky, V., Bruening, D., Amarasinghe, S.P., et al.: Secure execution via program shepherding. In: USENIX Security (2002)Google Scholar
  35. 35.
    Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS (2015)Google Scholar
  36. 36.
    Nergal: The advanced return-into-lib(c) exploits: pax case study. Phrack Mag. 58(4), 54 (2001)Google Scholar
  37. 37.
    Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI (2014)Google Scholar
  38. 38.
    Niu, B., Tan, G.: Rockjit: securing just-in-time compilation using modular control-flow integrity. In: CCS (2014)Google Scholar
  39. 39.
    Niu, B., Tan, G.: Per-input control-flow integrity. In: CCS (2015)Google Scholar
  40. 40.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent rop exploit mitigation using indirect branch tracing. In: USENIX Security (2013)Google Scholar
  41. 41.
    Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: CCS (2007)Google Scholar
  42. 42.
    Prakash, A., Hu, X., Yin, H.: vfGuard: Strict protection for virtual function calls in COTS C++ binaries. In: NDSS (2015)Google Scholar
  43. 43.
    Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: Security & Privacy (2015)Google Scholar
  44. 44.
    Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: CCS (2007)Google Scholar
  45. 45.
    Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Security & Privacy (2013)Google Scholar
  46. 46.
    Song, C., Lee, B., Lu, K., Harris, W., Kim, T., Lee, W.: Enforcing Kernel security invariants with data flow integrity. In: NDSS (2016)Google Scholar
  47. 47.
    Team, P.: Address space layout randomization (ASLR) (2003). http://pax.grsecurity.net/docs/aslr.txt
  48. 48.
    Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: USENIX Security (2014)Google Scholar
  49. 49.
    van der Veen, V., Andriesse, D., Göktaş, E., Gras, B., Sambuc, L., Slowinska, A., Bos, H., Giuffrida, C.: Practical context-sensitive CFI. In: CCS (2015)Google Scholar
  50. 50.
    van der Veen, V., Göktas, E., Contag, M., Pawlowski, A., Chen, X., Rawat, S., Bos, H., Holz, T., Athanasopoulos, E., Giuffrida, C.: A Tough call: mitigating advanced code-reuse attacks at the binary level. In: Security & Privacy (2016)Google Scholar
  51. 51.
    Wang, Z., Jiang, X.: Hypersafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Security & Privacy (2010)Google Scholar
  52. 52.
    Wilson, R.P., Lam, S., M.: Efficient context-sensitive pointer analysis for C programs. In: PLDI (1995)Google Scholar
  53. 53.
    Zhang, C., Carr, S.A., Li, T., Ding, Y., Song, C., Payer, M., Song, D.: VTrust: regaining trust on virtual calls. In: NDSS (2016)Google Scholar
  54. 54.
    Zhang, C., Song, C., Chen, K.Z., Chen, Z., Song, D.: VTint: protecting virtual function tables’ integrity. In: NDSS (2015)Google Scholar
  55. 55.
    Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: Security & Privacy (2013)Google Scholar
  56. 56.
    Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security (2013)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (http://creativecommons.org/licenses/by-nc/2.5/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. 1.DeustoTechUniversity of DeustoBilbaoSpain

Personalised recommendations