Abstract
Applications written in low-level languages without type or memory safety are prone to memory corruption. Attackers gain code execution capabilities through memory corruption despite all currently deployed defenses. Control-Flow Integrity (CFI) is a promising security property that restricts indirect control-flow transfers to a static set of well-known locations.
We present Lockdown, a modular, fine-grained CFI policy that protects binary-only applications and libraries without requiring source code. Lockdown adaptively discovers the control-flow graph of a running process from the code it actually executes. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions, enforcing fine-grained CFI checks with information obtained from a trusted dynamic loader. A shadow stack enforces precise integrity for function returns. Our prototype implementation shows that Lockdown incurs low performance overhead, and a security analysis discusses the remaining gadgets.
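The two checks the abstract describes, the forward-edge policy (indirect calls may only leave a shared object through its import table and only enter another object at an exported function) and the backward-edge shadow stack, are illustrated below in an added user-space model. This is example code, not Lockdown's implementation: the object layouts, symbol names and addresses are constructed, and the real system obtains this information from its trusted loader and applies the checks inside a binary translator rather than through the `check_icall`, `ss_call` and `ss_ret` functions assumed here.

```c
/* Added example, not the paper's code: a user-space model of the two checks
 * Lockdown's sandbox enforces. Object ranges, symbol names and addresses are
 * constructed; the real system takes them from its trusted loader. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const char *name; uintptr_t addr; } sym_t;

/* One loaded shared object as the trusted loader describes it. */
typedef struct {
    const char        *name;
    uintptr_t          base, end;   /* executable range [base, end) */
    const sym_t       *entries;     /* function entries discovered in this object */
    size_t             n_entries;
    const char *const *exports;     /* names this object exports */
    size_t             n_exports;
    const char *const *imports;     /* names this object may call in other objects */
    size_t             n_imports;
} dso_t;

typedef enum {
    CFI_OK,
    CFI_NO_OBJECT,    /* target lies outside every loaded object (e.g. injected code) */
    CFI_NOT_ENTRY,    /* intra-object target is not a function entry */
    CFI_NOT_EXPORTED, /* cross-object target is not an exported function */
    CFI_NOT_IMPORTED  /* exported, but the calling object never imports it */
} cfi_verdict_t;

static const dso_t *find_object(const dso_t *objs, size_t n, uintptr_t pc) {
    for (size_t i = 0; i < n; i++)
        if (pc >= objs[i].base && pc < objs[i].end) return &objs[i];
    return NULL;
}
static const sym_t *find_entry(const dso_t *o, uintptr_t addr) {
    for (size_t i = 0; i < o->n_entries; i++)
        if (o->entries[i].addr == addr) return &o->entries[i];
    return NULL;
}
static bool name_in(const char *const *list, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return true;
    return false;
}

/* Forward edge: indirect call or jump from src to dst. */
cfi_verdict_t check_icall(const dso_t *objs, size_t n, uintptr_t src, uintptr_t dst) {
    const dso_t *from = find_object(objs, n, src);
    const dso_t *to   = find_object(objs, n, dst);
    if (from == NULL || to == NULL) return CFI_NO_OBJECT;

    const sym_t *entry = find_entry(to, dst);
    if (from == to)          /* inside one object: any discovered function entry */
        return entry ? CFI_OK : CFI_NOT_ENTRY;
    /* across objects: exported by the callee and imported by the caller */
    if (entry == NULL || !name_in(to->exports, to->n_exports, entry->name))
        return CFI_NOT_EXPORTED;
    if (!name_in(from->imports, from->n_imports, entry->name))
        return CFI_NOT_IMPORTED;
    return CFI_OK;
}

/* Backward edge: shadow stack kept in the trusted domain, out of the application's reach. */
#define SS_DEPTH 256
typedef struct { uintptr_t ret[SS_DEPTH]; size_t top; } shadow_stack_t;

bool ss_call(shadow_stack_t *s, uintptr_t return_addr) {
    if (s->top == SS_DEPTH) return false;   /* deeper than the shadow stack: fail closed */
    s->ret[s->top++] = return_addr;
    return true;
}
/* At each ret, the address taken from the real stack must equal the saved copy. */
bool ss_ret(shadow_stack_t *s, uintptr_t actual_return_addr) {
    if (s->top == 0) return false;
    return s->ret[--s->top] == actual_return_addr;
}

/* Constructed layout: the application imports only strlen from a libc that also exports system. */
static const sym_t app_entries[]        = { {"main", 0x1000}, {"helper", 0x1100} };
static const char *const app_imports[]  = { "strlen" };
static const sym_t libc_entries[]       = { {"strlen", 0x7000}, {"system", 0x7100} };
static const char *const libc_exports[] = { "strlen", "system" };
static const dso_t objects[] = {
    { "app",  0x1000, 0x2000, app_entries,  2, NULL,         0, app_imports, 1 },
    { "libc", 0x7000, 0x8000, libc_entries, 2, libc_exports, 2, NULL,        0 },
};

cfi_verdict_t verdict(uintptr_t src, uintptr_t dst) {
    return check_icall(objects, sizeof objects / sizeof objects[0], src, dst);
}

/* main calls helper (return address 0x1020); a stack smash then rewrites the saved
 * return address to system(). Returns true if the shadow stack catches the mismatch. */
bool ss_catches_overwritten_return(void) {
    shadow_stack_t ss = { .top = 0 };
    return ss_call(&ss, 0x1020) && !ss_ret(&ss, 0x7100);
}
```

With this layout, `verdict(0x1010, 0x7000)` (main calling strlen) passes, while `verdict(0x1010, 0x7100)` is rejected as `CFI_NOT_IMPORTED` even though `system` is a legitimate libc export: the application never imports it, so no control-flow edge into it is ever admitted. This is the point of tying the policy to the loader's import and export tables rather than to "any function entry anywhere", and it is what removes most cross-library gadgets. A target in the middle of a function (`0x7104`) fails as `CFI_NOT_EXPORTED`, and a target outside every mapped object fails as `CFI_NO_OBJECT`.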
Notes
1. The trusted domain is small both in code and in data. An alternative implementation uses SFI and mask operations (added by the binary translator to every read and write in the application domain) to protect against information side channels [42], at the cost of higher overhead.
2. We looked at LibreOffice 3.5 on Ubuntu Linux 12.04.4 LTS and added up all initially loaded executable ELF segments, i.e., those of soffice.bin and of all its library dependencies.
References
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: CCS 2005 (2005)
Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: SP 2008 (2008)
Bittau, A., Belay, A., Mashtizadeh, A., Mazieres, D., Boneh, D.: Hacking blind. In: SP 2014 (2014)
Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: ACSAC 2011 (2011)
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ASIACCS 2011 (2011)
Bosman, E., Bos, H.: Framing signals - a return to portable shellcode. In: SP 2014 (2014)
Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: CGO 2003 (2003)
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: SSYM 2014 (2014)
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: CCS 2010 (2010)
Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: SSYM 2005 (2005)
Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: SP 2015 (2015)
Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: SP 2014 (2014)
Davi, L., Dmitrienko, R., Egele, M., Fischer, T., Holz, T., Hund, R., Nuernberger, S., Sadeghi, A.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS 2012 (2012)
Davi, L., Sadeghi, A.R., Lehmann, D., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: SSYM 2014 (2014)
Drepper, U.: How to write shared libraries, December 2010. http://www.akkadia.org/drepper/dsohowto.pdf
Erlingsson, Ú., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: XFI: software guards for system address spaces. In: OSDI 2006 (2006)
Göktaş, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: SP 2014 (2014)
Etoh, H., Yoda, K.: ProPolice: improved stack-smashing attack detection. IPSJ SIG Notes, pp. 181–188 (2001)
HTTP Archive: HTTP Archive - interesting stats - average sizes of web sites and objects (2014). http://httparchive.org/interesting.php?a=All&l=Mar%201%202014
Jim, T., Morrisett, J.G., Grossman, D., Hicks, M.W., Cheney, J., Wang, Y.: Cyclone: a safe dialect of C. In: ATC 2002 (2002)
Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: SSYM 2002 (2002)
Kuznetsov, V., Payer, M., Szekeres, L., Candea, G., Song, D., Sekar, R.: Code pointer integrity. In: OSDI 2014 (2014)
Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: SoK: automated software diversity. In: SP 2014 (2014)
Le, L.: Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028) (2013)
Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI 2005 (2005)
MacManus, G., Saelo, H.: Metasploit module nginx chunked size for CVE-2013-2028 (2013). http://www.rapid7.com/db/modules/exploit/linux/http/nginx_chunked_size
Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS 2015 (2015)
Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: PLDI 2009 (2009)
Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: ISMM 2010 (2010)
Necula, G., Condit, J., Harren, M., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. (TOPLAS) 27(3), 477–526 (2005)
Nergal: The advanced return-into-lib(c) exploits: PaX case study. Phrack 11(58), December 2001. http://phrack.com/issues.html?issue=67&id=8
Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: PLDI 2007 (2007)
Niu, B., Tan, G.: Monitor integrity protection with space efficiency and separate compilation. In: CCS 2013 (2013)
Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI 2014 (2014)
PaX-Team: PaX ASLR (Address Space Layout Randomization) (2003). http://pax.grsecurity.net/docs/aslr.txt
Payer, M., Gross, T.R.: Fine-grained user-space security through virtualization. In: VEE 2011 (2011)
Payer, M., Hartmann, T., Gross, T.R.: Safe loading - a foundation for secure execution of untrusted programs. In: SP 2012 (2012)
Philippaerts, P., Younan, Y., Muylle, S., Piessens, F., Lachmund, S., Walter, T.: Code pointer masking: hardening applications against code injection attacks. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 194–213. Springer, Heidelberg (2011)
Pincus, J., Baker, B.: Beyond stack smashing: recent advances in exploiting buffer overruns. IEEE Secur. Priv. 2, 20–27 (2004)
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming. In: SP 2015 (2015)
SCO: System V Application Binary Interface, Intel386 Architecture Processor Supplement (1996). http://www.sco.com/developers/devspecs/abi386-4.pdf
Seibert, J., Okhravi, H., Söderström, E.: Information leaks without memory disclosures: remote side channel attacks on diversified code. In: CCS 2014 (2014)
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: CCS 2007 (2007)
Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: SP 2013 (2013)
Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: SSYM 2014 (2014)
van de Ven, A., Molnar, I.: Exec shield (2004). https://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
Wang, Z., Jiang, X.: Hypersafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: SP 2010 (2010)
Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: DSN 2012 (2012)
Zeng, B., Tan, G., Erlingsson, U.: Strato: a retargetable framework for low-level inlined-reference monitors. In: SSYM 2013 (2013)
Zhang, C., Wei, T., Chen, Z., Duan, L., McCamant, S., Szekeres, L.: Protecting function pointers in binary. In: ASIACCS 2013 (2013)
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: SP 2013 (2013)
Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: SSYM 2013 (2013)
Acknowledgements
We thank Andreas Follner, Volodymyr Kuznetsov, Per Larsen, Kaveh Razavi, our shepherd Cristiano Giuffrida, and the anonymous reviewers for feedback and discussions. This research was supported, in part, by a grant from NSF.
© 2015 Springer International Publishing Switzerland
Cite this paper
Payer, M., Barresi, A., Gross, T.R. (2015). Fine-Grained Control-Flow Integrity Through Binary Hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol. 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_8
DOI: https://doi.org/10.1007/978-3-319-20550-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20549-6
Online ISBN: 978-3-319-20550-2