Stateful Forward-Edge CFI Enforcement with Intel MPX

  • Jun Zhang
  • Rui Hou
  • Wei Song
  • Zhiyuan Zhan
  • Boyan Zhao
  • Mingyu Chen
  • Dan Meng
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 908)

Abstract

This paper presents a stateful forward-edge CFI mechanism based on a novel use of the Intel Memory Protection Extensions (MPX) technology. To enforce stateful CFI policies, we protect against malicious modification of pointers on the dereference paths of indirect jumps or function calls by saving these pointers into shadow memory. Intel MPX, which stores a pointer's bounds in shadow memory, offers the capability to manage the copies of these indirectly dereferenced pointers. There are two challenges in applying MPX to forward-edge CFI enforcement. First, as MPX is designed to protect every pointer that may incur a memory error, it introduces unacceptable runtime overhead. Second, the MPX defense has holes when maintaining interoperability with legacy code. We address these challenges by protecting only the pointers on the dereference paths of indirect function calls and jumps, and by making a further check on the loaded pointer value. We have implemented our mechanism in the LLVM compiler and evaluated it on a commodity Intel Skylake machine with MPX support. Evaluation results show that our mechanism is effective in enforcing forward-edge CFI while incurring acceptable performance overhead.
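As an added illustration, not the paper's implementation (which keeps the pointer copies in MPX bounds tables through LLVM instrumentation), the following C model shows the stateful forward-edge check the abstract describes: a shadow copy is recorded at every legitimate store of a code pointer and compared at the load before an indirect call, followed by a second check that the loaded value is a legitimate target. The `shadow` table, `protected_store`, `protected_load`, `demo` and the three handler functions are constructed for this example.

```c
typedef int (*handler_t)(int);

/* Constructed stand-in for shadow memory: one saved copy per protected
 * pointer slot, keyed by the slot's address (MPX would keep these
 * out-of-band in its bounds tables). */
#define NSLOTS 4
static struct { handler_t *addr; handler_t copy; } shadow[NSLOTS];
static int nshadow;

static int shadow_index(handler_t *slot) {
    for (int i = 0; i < nshadow; i++)
        if (shadow[i].addr == slot) return i;
    return -1;
}

/* Every legitimate store of a code pointer also records it in the shadow. */
void protected_store(handler_t *slot, handler_t value) {
    int i = shadow_index(slot);
    if (i < 0 && nshadow < NSLOTS) i = nshadow++;
    if (i < 0) return;                  /* toy table full */
    shadow[i].addr = slot;
    shadow[i].copy = value;
    *slot = value;
}

/* Call targets: twice and negate are legitimate, rogue never is. */
static int twice(int x)  { return 2 * x; }
static int negate(int x) { return -x; }
static int rogue(int x)  { return x; }

/* Load before an indirect call: the in-memory pointer must equal its shadow
 * copy (stateful check) and be a legitimate target (the "further check"
 * on the loaded value); returns 0 if either check fails. */
handler_t protected_load(handler_t *slot) {
    int i = shadow_index(slot);
    if (i < 0 || *slot != shadow[i].copy) return 0;
    if (*slot != twice && *slot != negate) return 0;
    return *slot;
}

static handler_t fp_slot;
/* mode 0: honest use; 1: slot overwritten with another legitimate target
 * (only the stateful check catches it); 2: overwritten with rogue.
 * Returns the handler's result, or -1 when the load was rejected. */
int demo(int mode) {
    protected_store(&fp_slot, twice);
    if (mode == 1) fp_slot = negate;    /* constructed corruption, bypasses protected_store */
    if (mode == 2) fp_slot = rogue;
    handler_t target = protected_load(&fp_slot);
    return target ? target(21) : -1;
}
```

Mode 1 is the case a plain target-set check would accept: the overwritten value is itself a valid call target, and only the comparison against the saved copy rejects it.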

Keywords

Code-reuse attacks, Control-flow integrity, Shadow stack, Shadow memory, MPX, LLVM

Notes

Acknowledgments

We thank the anonymous reviewers for their valuable comments. This work was supported by the China National Science Fund for Outstanding Young Scholars under grant No. 61522212; National Key R&D Plan under grant No. 2017YFB1001602; Frontier Science Research Projects, Chinese Academy of Science, under grant No. QYZDB-SSW-JSC010; and National Natural Science Foundation of China (NSFC) under grant No. 61521092 and No. 61502459.


Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  • Jun Zhang (1, 2, 4)
  • Rui Hou (3)
  • Wei Song (3)
  • Zhiyuan Zhan (3, 4)
  • Boyan Zhao (2, 4)
  • Mingyu Chen (2, 4)
  • Dan Meng (3)
  1. Hubei University of Arts and Science, Xiangyang, China
  2. State Key Laboratory of Computer Architecture, ICT, CAS, Beijing, China
  3. Institute of Information Engineering, CAS, Beijing, China
  4. University of Chinese Academy of Sciences, Beijing, China