DOI: 10.1145/2810103.2813673
research-article

Practical Context-Sensitive CFI

Published: 12 October 2015

Abstract

Current Control-Flow Integrity (CFI) implementations track control edges individually, insensitive to the context of preceding edges. Recent work demonstrates that this leaves sufficient leeway for powerful ROP attacks. Context-sensitive CFI, which can provide enhanced security, is widely considered impractical for real-world adoption. Our work shows that Context-sensitive CFI (CCFI) for both the backward and forward edge can be implemented efficiently on commodity hardware. We present PathArmor, a binary-level CCFI implementation which tracks paths to sensitive program states, and defines the set of valid control edges within the state context to yield higher precision than existing CFI implementations. Even with simple context-sensitive policies, PathArmor yields significantly stronger CFI invariants than context-insensitive CFI, with similar performance.
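
A toy model of the distinction the abstract draws between checking edges individually and checking them in the context of preceding edges. This is an added illustration, not code from the paper and not PathArmor's implementation; the site labels, the two-caller program and the "return site = call site + 1" convention are assumptions made for the example.

```c
#include <stddef.h>
/* Constructed toy program: log_msg() is called from two sites.
 * Site ids are hypothetical labels, not addresses from any real binary. */
enum { PARSE_CALL = 1, PARSE_RET, AUTH_CALL, AUTH_RET, LOG_ENTRY, LOG_EXIT };
typedef enum { CALL, RET } kind_t;
typedef struct { kind_t kind; int src, dst; } edge_t;
/* Static CFG: every edge that is legal when looked at in isolation. */
static const edge_t cfg[] = {
    { CALL, PARSE_CALL, LOG_ENTRY }, { RET, LOG_EXIT, PARSE_RET },
    { CALL, AUTH_CALL,  LOG_ENTRY }, { RET, LOG_EXIT, AUTH_RET  },
};

static int edge_in_cfg(edge_t e) {
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        if (cfg[i].kind == e.kind && cfg[i].src == e.src && cfg[i].dst == e.dst)
            return 1;
    return 0;
}

/* Context-insensitive check: each edge is validated on its own. */
int check_insensitive(const edge_t *path, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!edge_in_cfg(path[i])) return 0;
    return 1;
}

/* Context-sensitive check: a return must also match the call edge that
 * precedes it on the path (return site = call site + 1 in this toy model). */
int check_sensitive(const edge_t *path, size_t n) {
    int stack[16]; size_t sp = 0;
    for (size_t i = 0; i < n; i++) {
        if (!edge_in_cfg(path[i])) return 0;
        if (path[i].kind == CALL) {
            if (sp == 16) return 0;            /* window full: fail closed */
            stack[sp++] = path[i].src + 1;     /* expected return site */
        } else if (sp == 0 || stack[--sp] != path[i].dst) {
            return 0;                          /* return does not match its call */
        }
    }
    return 1;
}

/* Constructed paths: benign, and one that returns to the wrong caller. */
const edge_t benign[] = { { CALL, PARSE_CALL, LOG_ENTRY }, { RET, LOG_EXIT, PARSE_RET } };
const edge_t bent[]   = { { CALL, PARSE_CALL, LOG_ENTRY }, { RET, LOG_EXIT, AUTH_RET  } };

int main(void) { /* exits 0 when only the context-sensitive check rejects bent[] */
    return !(check_insensitive(bent, 2) && !check_sensitive(bent, 2));
}
```

Both edges of `bent` are individually present in the CFG, so the per-edge policy accepts the path; only the check that takes the preceding call into account rejects it.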


    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015
    1750 pages
    ISBN:9781450338325
    DOI:10.1145/2810103
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. context-sensitive CFI
    2. control-flow integrity

    Qualifiers

    • Research-article

    Conference

    CCS'15

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Cited By

    • (2024) Understanding the Security Landscape of Control-Data and Non-Control-Data Attacks Against IoT Systems. 2024 9th International Conference on Smart and Sustainable Technologies (SpliTech). DOI: 10.23919/SpliTech61897.2024.10612517 (01-06). Online publication date: 25-Jun-2024
    • (2024) Enforcing C/C++ Type and Scope at Runtime for Control-Flow and Data-Flow Integrity. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3. DOI: 10.1145/3620666.3651342 (283-300). Online publication date: 27-Apr-2024
    • (2024) InsectACIDE: Debugger-Based Holistic Asynchronous CFI for Embedded System. 2024 IEEE 30th Real-Time and Embedded Technology and Applications Symposium (RTAS). DOI: 10.1109/RTAS61025.2024.00036 (360-372). Online publication date: 13-May-2024
    • (2024) SCFI. Computers and Security. DOI: 10.1016/j.cose.2024.103800, 140:C. Online publication date: 1-May-2024
    • (2023) SAFER. Proceedings of the 32nd USENIX Conference on Security Symposium. DOI: 10.5555/3620237.3620319 (1451-1468). Online publication date: 9-Aug-2023
    • (2023) TENET. Proceedings of the 21st USENIX Conference on File and Storage Technologies. DOI: 10.5555/3585938.3585954 (247-264). Online publication date: 21-Feb-2023
    • (2023) FreePart: Hardening Data Processing Software via Framework-based Partitioning and Isolation. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4. DOI: 10.1145/3623278.3624760 (169-188). Online publication date: 25-Mar-2023
    • (2023) Thread-Level Attack-Surface Reduction. Proceedings of the 24th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems. DOI: 10.1145/3589610.3596281 (64-75). Online publication date: 13-Jun-2023
    • (2023) Accelerating Type Confusion Detection by Identifying Harmless Type Castings. Proceedings of the 20th ACM International Conference on Computing Frontiers. DOI: 10.1145/3587135.3592205 (91-100). Online publication date: 9-May-2023
    • (2023) Protect the System Call, Protect (Most of) the World with BASTION. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3. DOI: 10.1145/3582016.3582066 (528-541). Online publication date: 25-Mar-2023
