Abstract
In particular, Abadi et al. [2, 4] suggest a label-based CFI approach, where each CFG node is marked with a unique label ID placed at the beginning of a BBL. To preserve the program's original semantics, the label is encoded either as an offset inside an x86 cache prefetch instruction or as a simple data word. Inserting labels into a program binary requires moving instructions from their original positions. As a consequence, CFI requires adjusting all memory offsets embedded in jump/call and data load/store instructions that are affected by the insertion of the additional prefetch instructions.
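The two mechanics described above, the label placed at the start of each indirect-branch target and the offset fix-ups that label insertion forces, can be seen end to end on a toy instruction set. The following is an added example, not code from the chapter or its authors: the instruction set, the `label` pseudo-instruction (standing in for the x86 prefetch instruction that carries the label ID), the sample program and the data slot holding the function pointer are all constructed for illustration. It rewrites a small program, recomputes the relative `jmp` offset that the inserted labels shift, relocates the stored code pointer through the old-to-new address map, and then shows the call-site check refusing a corrupted pointer that the unprotected program would happily follow.

```python
"""Toy label-based CFI rewriter and checker (added example, not from the chapter)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LABEL = "label"  # stands in for the prefetch instruction that carries the label ID


class CFIViolation(Exception):
    """Raised when an indirect call targets a block without the expected label."""


@dataclass
class Insn:
    op: str
    arg: Optional[int] = None  # data slot, relative offset, or label ID depending on op


def rewrite(program: List[Insn], indirect_targets: Dict[int, int]) -> Tuple[List[Insn], Dict[int, int]]:
    """Insert a label before every BBL in indirect_targets (old address -> label ID).

    Each inserted label shifts every instruction behind it, so the relative offsets of
    direct jumps must be recomputed. Returns the rewritten program plus the old->new
    address map, which the caller also needs to relocate stored code pointers.
    """
    # Pass 1: assign new addresses. A labeled block's address is the label itself, so
    # jumps and function pointers land on the label (a no-op), as in the real scheme.
    old_to_new: Dict[int, int] = {}
    new_addr = 0
    for old_addr in range(len(program)):
        old_to_new[old_addr] = new_addr
        new_addr += 2 if old_addr in indirect_targets else 1

    # Pass 2: emit labels and instructions, fixing up relative offsets.
    out: List[Insn] = []
    for old_addr, insn in enumerate(program):
        if old_addr in indirect_targets:
            out.append(Insn(LABEL, indirect_targets[old_addr]))
        if insn.op == "jmp":
            old_target = old_addr + 1 + insn.arg  # offsets are relative to the next insn
            new_offset = old_to_new[old_target] - (len(out) + 1)
            out.append(Insn("jmp", new_offset))
        else:
            out.append(Insn(insn.op, insn.arg))
    return out, old_to_new


def run(program: List[Insn], data: List[int], enforce: bool = True, max_steps: int = 100) -> List[str]:
    """Execute the toy program and return the trace of executed opcodes.

    `data` models writable memory holding a function pointer that may be corrupted.
    With enforce=True, icall transfers control only if the target begins with the
    label ID the call site expects (the label-based CFI check).
    """
    pc, r0, stack, trace = 0, 0, [], []
    for _ in range(max_steps):
        insn = program[pc]
        trace.append(insn.op)
        if insn.op == "halt":
            return trace
        if insn.op in (LABEL, "nop"):  # the label is a prefetch: no architectural effect
            pc += 1
        elif insn.op == "mov":  # r0 = data[arg]: load a function pointer
            r0 = data[insn.arg]
            pc += 1
        elif insn.op == "jmp":
            pc = pc + 1 + insn.arg
        elif insn.op == "icall":
            if enforce:
                target = program[r0] if 0 <= r0 < len(program) else None
                if target is None or target.op != LABEL or target.arg != insn.arg:
                    raise CFIViolation(f"icall at {pc} -> {r0}: expected label {insn.arg}")
            stack.append(pc + 1)
            pc = r0
        elif insn.op == "ret":
            pc = stack.pop()
        else:
            raise ValueError(f"unknown opcode {insn.op}")
    raise RuntimeError("step limit exceeded")


# Constructed sample: main loads a function pointer from data[0], calls it, then
# jumps over the two callees to halt. fn_a is the legitimate target; fn_b is not.
PROGRAM = [
    Insn("mov", 0),    # 0: r0 = data[0]
    Insn("icall", 7),  # 1: call *r0, expecting label 7 at the target
    Insn("jmp", 4),    # 2: jump over the callees to halt (old address 7)
    Insn("nop"),       # 3: fn_a
    Insn("ret"),       # 4
    Insn("nop"),       # 5: fn_b
    Insn("ret"),       # 6
    Insn("halt"),      # 7
]
INDIRECT_TARGETS = {3: 7, 5: 9}  # BBL start -> label ID (one ID per target class)
FN_A, FN_B = 3, 5

if __name__ == "__main__":
    new_prog, old_to_new = rewrite(PROGRAM, INDIRECT_TARGETS)
    print("benign   (original):", run(PROGRAM, [FN_A], enforce=False))
    print("hijacked (original):", run(PROGRAM, [FN_B], enforce=False))  # not noticed
    print("benign   (CFI):     ", run(new_prog, [old_to_new[FN_A]]))
    try:
        run(new_prog, [old_to_new[FN_B]])
    except CFIViolation as err:
        print("hijacked (CFI):     ", err)
```

Running it shows the `jmp` offset growing from 4 to 6 because two labels were inserted between the jump and its target, and the function pointer moving from old address 3 to new address 6, which is exactly the relocation work the abstract refers to. Both the pointer to `fn_b` (a labeled block of a different class) and a pointer into the middle of a block (no label at all) are rejected at the call site, while the unprotected program executes the hijacked call without complaint.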
References
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: A theory of secure control-flow. In: Proceedings of the 7th International Conference on Formal Methods and Software Engineering, ICFEM’05 (2005). URL http://dx.doi.org/10.1007/11576280_9
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity: principles, implementations, and applications. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS’05 (2005). URL http://doi.acm.org/10.1145/1102120.1102165
Abadi, M., Budiu, M., Erlingsson, Ú., Necula, G.C., Vrable, M.: XFI: Software guards for system address spaces. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI’06 (2006). URL http://dl.acm.org/citation.cfm?id=1298455.1298463
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity: principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 4:1–4:40 (2009). URL http://doi.acm.org/10.1145/1609956.1609960
Afek, J., Sharabani, A.: Dangling pointer: smashing the pointer for fun and profit (2007). URL https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf
Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: Proceedings of the 29th IEEE Symposium on Security and Privacy, SP’08 (2008). URL http://dx.doi.org/10.1109/SP.2008.30
Arias, O., Davi, L., Hanreich, M., Jin, Y., Koeberl, P., Paul, D., Sadeghi, A.R., Sullivan, D.: HAFIX: hardware-assisted flow integrity extension. In: Proceedings of the 52nd Design Automation Conference, DAC'15 (2015). URL http://doi.acm.org/10.1145/2744769.2744847
Bachaalany, E.: Inside EMET 4.0. REcon Montreal (2013). URL http://recon.cx/2013/slides/Recon2013-Elias%20Bachaalany-Inside%20EMET%204.pdf
Bletsch, T., Jiang, X., Freeh, V.: Mitigating code-reuse attacks with control-flow locking. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC’11 (2011). URL http://doi.acm.org/10.1145/2076732.2076783
Bruening, D.L.: Efficient, transparent, and comprehensive runtime code manipulation. Ph.D. thesis, Massachusetts Institute of Technology (2004). URL http://groups.csail.mit.edu/cag/rio/derek-phd-thesis.pdf
Budiu, M., Erlingsson, U., Abadi, M.: Architectural support for software-based protection. In: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, ASID’06, pp. 42–51 (2006). URL http://doi.acm.org/10.1145/1181309.1181316
C4SS!0, h1ch4m: MPlayer Lite r33064 m3u buffer overflow exploit (DEP Bypass) (2011). URL http://www.exploit-db.com/exploits/17565/
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671250
Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI’06 (2006). URL http://dl.acm.org/citation.cfm?id=1298455.1298470
Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th USENIX Security Symposium (2005). URL http://dl.acm.org/citation.cfm?id=1251398.1251410
Cheng, Y., Zhou, Z., Miao, Y., Ding, X., Deng, R.H.: ROPecker: a generic and practical approach for defending against ROP attacks. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS’14 (2014). URL http://www.internetsociety.org/doc/ropecker-generic-and-practical-approach-defending-against-rop-attacks
Chiueh, T., Hsu, F.H.: RAD: A compile-time solution to buffer overflow attacks. In: Proceedings of the 21st International Conference on Distributed Computing Systems, ICDCS’01 (2001). URL http://dl.acm.org/citation.cfm?id=876878.879316
Chiueh, T., Prasad, M.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the 2003 USENIX Annual Technical Conference, ATC’03 (2003). URL https://www.usenix.org/legacy/event/usenix03/tech/full_papers/prasad/prasad_html/camera.html
cplusplus.com: Polymorphism. URL http://www.cplusplus.com/doc/tutorial/polymorphism/
Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP’14 (2014). URL http://dx.doi.org/10.1109/SP.2014.26
Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS’15 (2015). URL http://doi.acm.org/10.1145/2714576.2714635
Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS’11 (2011). URL http://doi.acm.org/10.1145/1966913.1966920
Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: Proceedings of the 19th Annual Network and Distributed System Security Symposium, NDSS’12 (2012). URL http://www.internetsociety.org/mocfi-framework-mitigate-control-flow-attacks-smartphones
Davi, L., Lehmann, D., Sadeghi, A.R., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671251
Davi, L., Lehmann, D., Sadeghi, A.R., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. Technical Report TUD-CS-2014-0097, Technische Universität Darmstadt (2014). URL https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/techreport-stitching-gadgets.pdf
Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University (2004). URL http://www.ru.is/faculty/ulfar/thesis.pdf
Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode’09 (2009). URL http://doi.acm.org/10.1145/1655077.1655083
Frantzen, M., Shuey, M.: StackGhost: hardware facilitated stack protection. In: Proceedings of the 10th USENIX Security Symposium (2001). URL http://dl.acm.org/citation.cfm?id=1251327.1251332
Fratric, I.: ROPGuard: runtime prevention of return-oriented programming attacks (2012). URL http://www.ieee.hr/_download/repository/Ivan_Fratric.pdf
Gawlik, R., Holz, T.: Towards automated integrity protection of C++ virtual function tables in binary programs. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC’14 (2014). URL http://doi.acm.org/10.1145/2664243.2664249
Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: Proceedings of the 35th IEEE Symposium on Security and Privacy, SP’14 (2014). URL http://dx.doi.org/10.1109/SP.2014.43
Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., Portokalidis, G.: Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671252
Gupta, S., Pratap, P., Saran, H., Arun-Kumar, S.: Dynamic code instrumentation to detect and recover from return address corruption. In: Proceedings of the 2006 International Workshop on Dynamic Systems Analysis, WODA’06, pp. 65–72 (2006). URL http://doi.acm.org/10.1145/1138912.1138926
Jalayeri, S.: Bypassing EMET 3.5’s ROP mitigations (2012). URL https://repret.wordpress.com/2012/08/08/bypassing-emet-3-5s-rop-mitigations/
Jang, D., Tatlock, Z., Lerner, S.: SAFEDISPATCH: securing C++ virtual calls from memory corruption attacks. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS’14 (2014). URL http://www.internetsociety.org/doc/safedispatch-securing-c-virtual-calls-memory-corruption-attacks
jduck: the latest Adobe exploit and session upgrading (2010). URL http://bugix-security.blogspot.de/2010/03/adobe-pdf-libtiff-working-exploitcve.html
Kayaalp, M., Ozsoy, M., Abu-Ghazaleh, N., Ponomarev, D.: Branch regulation: low-overhead protection from code reuse attacks. In: Proceedings of the 39th Annual International Symposium on Computer Architecture, ISCA’12 (2012). URL http://dl.acm.org/citation.cfm?id=2337159.2337171
Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: Proceedings of the 11th USENIX Security Symposium (2002). URL http://dl.acm.org/citation.cfm?id=647253.720293
McCamant, S., Morrisett, G.: Evaluating SFI for a CISC architecture. In: Proceedings of the 15th USENIX Security Symposium (2006). URL http://dl.acm.org/citation.cfm?id=1267336.1267351
Microsoft: Enhanced Mitigation Experience Toolkit. URL https://www.microsoft.com/emet
Niu, B., Tan, G.: Monitor integrity protection with space efficiency and separate compilation. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, CCS’13 (2013). URL http://doi.acm.org/10.1145/2508859.2516649
Niu, B., Tan, G.: Modular control-flow integrity. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI’14 (2014). URL http://doi.acm.org/10.1145/2594291.2594295
Niu, B., Tan, G.: RockJIT: securing just-in-time compilation using modular control-flow integrity. In: Proceedings of the 21st ACM Conference on Computer and Communications Security, CCS’14 (2014). URL http://doi.acm.org/10.1145/2660267.2660281
Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., Kirda, E.: G-Free: defeating return-oriented programming through gadget-less binaries. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC’10 (2010). URL http://doi.acm.org/10.1145/1920261.1920269
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534805
Pewny, J., Holz, T.: Compiler-based CFI for iOS. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC’13 (2013). URL http://doi.acm.org/10.1145/2523649.2523674
Prakash, A., Yin, H., Liang, Z.: Enforcing system-wide control flow integrity for exploit detection and diagnosis. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security, ASIACCS’13 (2013). URL http://doi.acm.org/10.1145/2484313.2484352
Prakash, A., Hu, X., Yin, H.: vfGuard: strict protection for virtual function calls in COTS C++ binaries. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS’15 (2015). URL http://www.internetsociety.org/doc/vfguard-strict-protection-virtual-function-calls-cots-c-binaries
rix: Smashing C++ VPTRS. Phrack Magazine 56(8) (2000). URL http://phrack.org/issues/56/8.html
Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., Holz, T.: Evaluating the effectiveness of current anti-ROP defenses. In: Research in Attacks, Intrusions and Defenses. Lecture Notes in Computer Science, vol. 8688. Springer International Publishing (2014). URL http://dx.doi.org/10.1007/978-3-319-11379-1_5
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: Proceedings of the 36th IEEE Symposium on Security and Privacy, SP'15 (2015). URL http://dx.doi.org/10.1109/SP.2015.51
Sehr, D., Muth, R., Biffle, C., Khimenko, V., Pasko, E., Schimpf, K., Yee, B., Chen, B.: Adapting software fault isolation to contemporary CPU architectures. In: Proceedings of the 19th USENIX Security Symposium (2010). URL http://dl.acm.org/citation.cfm?id=1929820.1929822
Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS’07 (2007). URL http://doi.acm.org/10.1145/1315245.1315313
Sinnadurai, S., Zhao, Q., Fai Wong, W.: Transparent runtime shadow stack: protection against malicious return address modifications (2008). URL http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.120.5702s
Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, SP'13 (2013). URL http://dx.doi.org/10.1109/SP.2013.45
Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: Proceedings of the 23rd USENIX Security Symposium (2014). URL http://dl.acm.org/citation.cfm?id=2671225.2671285
Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. SIGOPS Oper. Syst. Rev. 27(5), 203–216 (1993). URL http://doi.acm.org/10.1145/173668.168635
Wang, Z., Jiang, X.: HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of the 31st IEEE Symposium on Security and Privacy, SP’10 (2010). URL http://dx.doi.org/10.1109/SP.2010.30
Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN’12 (2012). URL http://dl.acm.org/citation.cfm?id=2354410.2355130
Yee, B., Sehr, D., Dardyk, G., Chen, J.B., Muth, R., Ormandy, T., Okasaka, S., Narula, N., Fullagar, N.: Native Client: a sandbox for portable, untrusted x86 native code. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP’09 (2009). URL http://dx.doi.org/10.1109/SP.2009.25
Zeng, B., Tan, G., Erlingsson, U.: Strato: a retargetable framework for low-level inlined-reference monitors. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534798
Zeng, B., Tan, G., Morrisett, G.: Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS’11 (2011). URL http://doi.acm.org/10.1145/2046707.2046713
Zhang, T., Zhuang, X., Pande, S., Lee, W.: Anomalous path detection with hardware support. In: Proceedings of the 2005 International Conference on Compilers, Architectures and Synthesis for Embedded Systems, CASES’05 (2005). URL http://doi.acm.org/10.1145/1086297.1086305
Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: Proceedings of the 22nd USENIX Security Symposium (2013). URL http://dl.acm.org/citation.cfm?id=2534766.2534796
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity & randomization for binary executables. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, SP’13 (2013). URL http://dx.doi.org/10.1109/SP.2013.44
Zhang, C., Song, C., Chen, K.Z., Chen, Z., Song, D.: VTint: defending virtual function tables’ integrity. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS’15 (2015). URL http://www.internetsociety.org/doc/vtint-protecting-virtual-function-tables%E2%80%99-integrity
Zovi, D.D.: Practical return-oriented programming. SOURCE Boston (2010). URL http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf
© 2015 The Author(s)
Davi, L., Sadeghi, AR. (2015). Building Control-Flow Integrity Defenses. In: Building Secure Defenses Against Code-Reuse Attacks. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-25546-0_3
DOI: https://doi.org/10.1007/978-3-319-25546-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25544-6
Online ISBN: 978-3-319-25546-0