
Fine-Grained Control-Flow Integrity Through Binary Hardening

  • Conference paper, in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015)

Abstract

Applications written in low-level languages without type or memory safety are prone to memory corruption. Attackers gain code execution capabilities through memory corruption despite all currently deployed defenses. Control-Flow Integrity (CFI) is a promising security property that restricts indirect control-flow transfers to a static set of well-known locations.

We present Lockdown, a modular, fine-grained CFI policy that protects binary-only applications and libraries without requiring source code. Lockdown adaptively discovers the control-flow graph of a running process based on the executed code. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions by enforcing fine-grained CFI checks using information from a trusted dynamic loader. A shadow stack enforces precise integrity for function returns. Our prototype implementation shows that Lockdown results in low performance overhead, and a security analysis discusses any remaining gadgets.
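The policy the abstract sketches, written out as an added model that is not the paper's own Lockdown implementation (a binary translator, not Python): shared objects with constructed addresses, export and import tables standing in for what the trusted loader would supply, a per-object set of discovered function entries for intra-object calls, and a shadow stack checked on every return. All class, function and symbol names below are invented for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SharedObject:
    name: str
    code: range     # executable segment (constructed addresses)
    exports: dict   # exported symbol -> function entry address
    imports: set    # symbols this object imports from other objects
    entries: set    # function entries discovered in this object's CFG

@dataclass
class LockdownMonitor:
    objects: list
    shadow_stack: list = field(default_factory=list)

    def owner(self, addr):
        return next((o for o in self.objects if addr in o.code), None)

    def check_call(self, src, target, return_addr):
        """Indirect call from src to target; verdict string, 'ok' if allowed."""
        s, t = self.owner(src), self.owner(target)
        if s is None or t is None:
            return f"violation: {src:#x}->{target:#x} leaves the executable segments"
        if s is t and target not in t.entries:  # intra-object: discovered entries only
            return f"violation: {target:#x} is not a known entry of {s.name}"
        if s is not t:  # cross-object: only an export of t that s actually imports
            sym = next((n for n, a in t.exports.items() if a == target), None)
            if sym is None or sym not in s.imports:
                return f"violation: {s.name}->{t.name} {target:#x} is not an imported export"
        self.shadow_stack.append(return_addr)  # remember the legitimate return site
        return "ok"

    def check_return(self, target):
        """Return to target; must match the top of the shadow stack exactly."""
        if not self.shadow_stack or self.shadow_stack[-1] != target:
            return f"violation: return to {target:#x} does not match the shadow stack"
        self.shadow_stack.pop()
        return "ok"

def build_demo():
    """Constructed process: an app importing strlen from a libc that also exports system."""
    app = SharedObject("app", range(0x1000, 0x2000), {"main": 0x1000},
                       {"strlen"}, {0x1000, 0x1200})
    libc = SharedObject("libc", range(0x7000, 0x8000),
                        {"strlen": 0x7010, "system": 0x7100}, set(), {0x7010, 0x7100})
    return LockdownMonitor([app, libc])

def simulate(monitor, events):
    return [monitor.check_call(*ev[1:]) if ev[0] == "call" else monitor.check_return(ev[1])
            for ev in events]
```

`simulate` takes `("call", src, target, return_addr)` and `("ret", target)` events in program order; a call to a non-imported export (such as `system` here), a mid-function address in another object, or a return that does not match the shadow stack each yields a violation verdict.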


Notes

  1. The trusted domain is small both regarding code and data. An alternative implementation uses SFI and mask operations (added by the binary translator to any read/write in the application domain) to protect against information side channels [42], resulting in higher overhead.

  2. We looked at LibreOffice 3.5 on Ubuntu Linux 12.04.4 LTS and added all the initial executable ELF segments, i.e., of soffice.bin and all its library dependencies.

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: CCS 2005 (2005)
  2. Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: SP 2008 (2008)
  3. Bittau, A., Belay, A., Mashtizadeh, A., Mazieres, D., Boneh, D.: Hacking blind. In: SP 2014 (2014)
  4. Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: ACSAC 2011 (2011)
  5. Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ASIACCS 2011 (2011)
  6. Bosman, E., Bos, H.: Framing signals - a return to portable shellcode. In: SP 2014 (2014)
  7. Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: CGO 2003 (2003)
  8. Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: SSYM 2014 (2014)
  9. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: CCS 2010 (2010)
  10. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: SSYM 2005 (2005)
  11. Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: SP 2015 (2015)
  12. Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: SP 2014 (2014)
  13. Davi, L., Dmitrienko, R., Egele, M., Fischer, T., Holz, T., Hund, R., Nuernberger, S., Sadeghi, A.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS 2012 (2012)
  14. Davi, L., Sadeghi, A.R., Lehmann, D., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: SSYM 2014 (2014)
  15. Drepper, U.: How to write shared libraries, December 2010. http://www.akkadia.org/drepper/dsohowto.pdf
  16. Erlingsson, Ú., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: XFI: software guards for system address spaces. In: OSDI 2006 (2006)
  17. Göktaş, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: SP 2014 (2014)
  18. Hiroaki, E., Kunikazu, Y.: ProPolice: improved stack-smashing attack detection. IPSJ SIG Notes pp. 181–188 (2001)
  19. HTTP Archive: Http archive - interesting stats - average sizes of web sites and objects (2014). http://httparchive.org/interesting.php?a=All&l=Mar%201%202014
  20. Jim, T., Morrisett, J.G., Grossman, D., Hicks, M.W., Cheney, J., Wang, Y.: Cyclone: a safe dialect of C. In: ATC 2002 (2002)
  21. Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: SSYM 2002 (2002)
  22. Kuznetsov, V., Payer, M., Szekeres, L., Candea, G., Song, D., Sekar, R.: Code pointer integrity. In: OSDI 2014 (2014)
  23. Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: SoK: automated software diversity. In: SP 2014 (2014)
  24. Le, L.: Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028) (2013)
  25. Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI 2005 (2005)
  26. MacManus, G., Saelo, H.: Metasploit module nginx chunked size for CVE-2013-2028 (2013). http://www.rapid7.com/db/modules/exploit/linux/http/nginx_chunked_size
  27. Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS 2015 (2015)
  28. Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: PLDI 2009 (2009)
  29. Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: ISMM 2010 (2010)
  30. Necula, G., Condit, J., Harren, M., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. (TOPLAS) 27(3), 477–526 (2005)
  31. Nergal: the advanced return-into-lib(c) exploits. Phrack 11(58), November 2007. http://phrack.com/issues.html?issue=67&id=8
  32. Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: PLDI 2007 (2007)
  33. Niu, B., Tan, G.: Monitor integrity protection with space efficiency and separate compilation. In: CCS 2013 (2013)
  34. Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI 2014 (2014)
  35. PaX-Team: PaX ASLR (Address Space Layout Randomization) (2003). http://pax.grsecurity.net/docs/aslr.txt
  36. Payer, M., Gross, T.R.: Fine-grained user-space security through virtualization. In: VEE 2011 (2011)
  37. Payer, M., Hartmann, T., Gross, T.R.: Safe loading - a foundation for secure execution of untrusted programs. In: SP 2012 (2012)
  38. Philippaerts, P., Younan, Y., Muylle, S., Piessens, F., Lachmund, S., Walter, T.: Code pointer masking: hardening applications against code injection attacks. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 194–213. Springer, Heidelberg (2011)
  39. Pincus, J., Baker, B.: Beyond stack smashing: recent advances in exploiting buffer overruns. IEEE Secur. Priv. 2, 20–27 (2004)
  40. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming. In: SP 2015 (2015)
  41. SCO: System V Application Binary Interface, Intel386 Architecture Processor Supplement (1996). http://www.sco.com/developers/devspecs/abi386-4.pdf
  42. Seibert, J., Okhravi, H., Soederstroem, E.: Information leaks without memory disclosures: remote side channel attacks on diversified code. In: CCS 2014 (2014)
  43. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: CCS 2007 (2007)
  44. Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: SP 2013 (2013)
  45. Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: SSYM 2014 (2014)
  46. van de Ven, A., Molnar, I.: Exec shield (2004). https://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
  47. Wang, Z., Jiang, X.: Hypersafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: SP 2010 (2010)
  48. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: DSN 2012 (2012)
  49. Zeng, B., Tan, G., Erlingsson, U.: Strato: a retargetable framework for low-level inlined-reference monitors. In: SSYM 2013 (2013)
  50. Zhang, C., Wei, T., Chen, Z., Duan, L., McCamant, S., Szekeres, L.: Protecting function pointers in binary. In: ASIACCS 2013 (2013)
  51. Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: SP 2013 (2013)
  52. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: SSYM 2013 (2013)


Acknowledgements

We thank Andreas Follner, Volodymyr Kuznetsov, Per Larsen, Kaveh Razavi, our shepherd Cristiano Giuffrida, and the anonymous reviewers for feedback and discussions. This research was supported, in part, by a grant from NSF.

Author information

Corresponding author: Mathias Payer.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Payer, M., Barresi, A., Gross, T.R. (2015). Fine-Grained Control-Flow Integrity Through Binary Hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_8

  • DOI: https://doi.org/10.1007/978-3-319-20550-2_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-20549-6
  • Online ISBN: 978-3-319-20550-2
  • eBook Packages: Computer Science (R0)
