DOI: 10.1145/2857705.2857722

HCFI: Hardware-enforced Control-Flow Integrity

Published: 09 March 2016

Abstract

Control-flow hijacking is the principal method for code-reuse techniques like Return-oriented Programming (ROP) and Jump-oriented Programming (JOP). To defend against such attacks, the community has proposed Control-flow Integrity (CFI), a technique that prevents exploitation by verifying that every (indirect) control-flow transfer points to a legitimate address. Enabling CFI in real systems is not straightforward, since in many cases the actual Control-flow Graph (CFG) of a program can only be approximated. Even with perfect knowledge of the CFG, ensuring that every return instruction returns to its actual call site without employing a shadow stack is questionable. On the other hand, the community has expressed concerns about the significant overheads of enabling a shadow stack.
In this paper, we acknowledge the importance of a shadow stack for supporting and strengthening any CFI policy. In addition, we project that a full-featured CFI-enabled Instruction Set Architecture (ISA) can be implemented efficiently in actual hardware with an in-chip secure memory, and that the resulting prototype experiences negligible overheads. To support our case, we implement HCFI by modifying a SPARC SoC and evaluate the prototype on an FPGA board by running all SPECInt benchmarks instrumented with a fine-grained CFI policy. The evaluation shows that HCFI effectively protects applications from code-reuse attacks while adding less than 1% runtime overhead.
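The two checks the abstract describes, a shadow stack for returns and a legitimate-target check for indirect transfers, as an added software simulation in C; this is not code from the paper or its SPARC prototype, and the event encoding, the 64-entry shadow depth and the sample addresses are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the checks the abstract describes: a shadow stack for
 * returns and a table of legitimate entry points for indirect calls/jumps.
 * Hypothetical simulation only, not HCFI's actual ISA or SPARC prototype. */
#define SHADOW_DEPTH 64
enum ev_kind { EV_CALL, EV_IJMP, EV_RET };
struct event { enum ev_kind kind; uint32_t target; uint32_t retaddr; };
struct cfi_state {                /* shadow[] models the in-chip secure memory */
    uint32_t shadow[SHADOW_DEPTH]; size_t sp;
    const uint32_t *targets; size_t n_targets;  /* entries the CFG allows */
};
static bool target_allowed(const struct cfi_state *s, uint32_t t) {
    for (size_t i = 0; i < s->n_targets; i++)
        if (s->targets[i] == t) return true;
    return false;
}
/* Walks a trace; returns the index of the first violating event, or -1 if all are legitimate. */
int cfi_check(struct cfi_state *s, const struct event *tr, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct event *e = &tr[i];
        switch (e->kind) {
        case EV_CALL:   /* forward-edge check, then save the real return site */
            if (!target_allowed(s, e->target) || s->sp == SHADOW_DEPTH) return (int)i;
            s->shadow[s->sp++] = e->retaddr;
            break;
        case EV_IJMP:   /* forward edge: target must be a legitimate entry */
            if (!target_allowed(s, e->target)) return (int)i;
            break;
        case EV_RET:    /* backward edge: must match the shadow copy exactly */
            if (s->sp == 0 || s->shadow[--s->sp] != e->target) return (int)i;
            break;
        }
    }
    return -1;
}
/* Constructed sample: functions at 0x1000 and 0x2000. With hijacked set, the
 * return address on the architectural stack was overwritten (stack smashing),
 * so the ret targets 0x3000 instead of the real call site 0x0408. */
int run_trace(bool hijacked) {
    static const uint32_t valid[] = { 0x1000, 0x2000 };
    struct cfi_state s = { .sp = 0, .targets = valid, .n_targets = 2 };
    const struct event tr[] = {
        { EV_CALL, 0x1000, 0x0408 }, { EV_RET, hijacked ? 0x3000u : 0x0408u, 0 },
        { EV_CALL, 0x2000, 0x0410 }, { EV_IJMP, 0x1000, 0 }, { EV_RET, 0x0410, 0 },
    };
    return cfi_check(&s, tr, 5);   /* -1 when clean, 1 when hijacked */
}
```

The return check compares against the address the matching call actually pushed, which is the precision the abstract argues a label-only policy without a shadow stack cannot give.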



Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705

Publisher

Association for Computing Machinery

New York, NY, United States


Badges

  • Best Paper

Author Tags

  1. buffer overflow
  2. control flow integrity
  3. fpga
  4. hardware defence
  5. return oriented programming
  6. stack overflow
  7. stack smashing

Qualifiers

  • Research-article

Conference

CODASPY'16

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (last 12 months): 82
  • Downloads (last 6 weeks): 16
Reflects downloads up to 30 Aug 2024

Cited By

  • (2024) Hardware-Assisted Control-Flow Integrity Enhancement for IoT Devices. 2024 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1-6. DOI: 10.23919/DATE58400.2024.10546789. Online publication date: 25-Mar-2024.
  • (2024) SCFI. Computers and Security 140:C. DOI: 10.1016/j.cose.2024.103800. Online publication date: 1-May-2024.
  • (2023) FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 527-546. DOI: 10.1145/3607199.3607219. Online publication date: 16-Oct-2023.
  • (2023) ProMiSE: A High-Performance Programmable Hardware Monitor for High Security Enforcement of Software Execution. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42:11, pp. 3599-3612. DOI: 10.1109/TCAD.2023.3271583. Online publication date: Nov-2023.
  • (2023) Control Flow and Pointer Integrity Enforcement in a Secure Tagged Architecture. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2974-2989. DOI: 10.1109/SP46215.2023.10179416. Online publication date: May-2023.
  • (2023) LiFi-CFI: Light-weight Fine-grained Hardware CFI Protection for RISC-V. 2023 IEEE International Conference on Design, Test and Technology of Integrated Systems (DTTIS), pp. 1-6. DOI: 10.1109/DTTIS59576.2023.10348176. Online publication date: 1-Nov-2023.
  • (2023) When Memory Mappings Attack: On the (Mis)use of the ARM Cortex-M FPB Unit. 2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6. DOI: 10.1109/AsianHOST59942.2023.10409308. Online publication date: 13-Dec-2023.
  • (2023) Hardware-Based Software Control Flow Integrity: Review on the State-of-the-Art Implementation Technology. IEEE Access 11, pp. 133255-133280. DOI: 10.1109/ACCESS.2023.3337043. Online publication date: 2023.
  • (2023) Hardware-assisted remote attestation design for critical embedded systems. IET Information Security 17:3, pp. 518-533. DOI: 10.1049/ise2.12113. Online publication date: 14-Mar-2023.
  • (2023) RegGuard. Computers and Security 129:C. DOI: 10.1016/j.cose.2023.103213. Online publication date: 1-Jun-2023.
