DOI: 10.5555/2534766.2534796

Control flow integrity for COTS binaries

Published: 14 August 2013

Abstract

Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in the binary. In contrast, we present a technique for applying CFI to stripped binaries on x86/Linux. Ours is the first work to apply CFI to complex shared libraries such as glibc. Through experimental evaluation, we demonstrate that our CFI implementation is effective against control-flow hijack attacks, and eliminates the vast majority of ROP gadgets. To achieve this result, we have developed robust techniques for disassembly, static analysis, and transformation of large binaries. Our techniques have been tested on over 300MB of binaries (executables and shared libraries).
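The abstract states the enforcement idea only at a high level: every indirect control transfer (indirect call, indirect jump, return) is checked against the set of legitimate targets recovered by static analysis of the binary, so that an address pointing into the middle of a function, where a ROP gadget would start, is rejected before control reaches it. The following C program is an added illustration of that check and is not code from the paper or its authors. It assumes the whitelist of legitimate targets is a set of function entry addresses kept in an open-addressing hash table (the abstract does not describe the paper's actual target-validation scheme); the two handler functions, the dispatch helper and the simulated hijacked pointer are all constructed here for the demonstration.

```c
/* Added example: a minimal indirect-call validator in the spirit of
 * binary-level CFI.  Not the paper's implementation.  The set of legal
 * targets would normally come from disassembling the binary; here it is
 * built from this program's own function entry points. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SLOTS 64          /* power of two; open-addressing hash set */

typedef int (*handler_t)(int);

static uintptr_t valid_targets[TABLE_SLOTS];   /* 0 = empty slot */

/* Multiplicative hash so neighbouring code addresses spread across slots. */
static size_t slot_for(uintptr_t addr) {
    return (size_t)(((uint64_t)addr * 0x9E3779B97F4A7C15ULL) >> 58) & (TABLE_SLOTS - 1);
}

/* Insert a legitimate target; linear probing on collision. Returns 0 if full. */
static int cfi_register_target(uintptr_t addr) {
    size_t i = slot_for(addr);
    for (size_t probes = 0; probes < TABLE_SLOTS; probes++) {
        if (valid_targets[i] == 0 || valid_targets[i] == addr) {
            valid_targets[i] = addr;
            return 1;
        }
        i = (i + 1) & (TABLE_SLOTS - 1);
    }
    return 0;
}

/* The check an instrumented indirect branch performs: is addr a known entry? */
int cfi_is_valid_target(uintptr_t addr) {
    size_t i = slot_for(addr);
    for (size_t probes = 0; probes < TABLE_SLOTS; probes++) {
        if (valid_targets[i] == 0) return 0;      /* empty slot ends the probe chain */
        if (valid_targets[i] == addr) return 1;
        i = (i + 1) & (TABLE_SLOTS - 1);
    }
    return 0;
}

/* Two legitimate handlers a dispatch table might point to (constructed). */
static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }

/* Populate the whitelist with the function entry points. Idempotent. */
int cfi_init(void) {
    return cfi_register_target((uintptr_t)add_one) &&
           cfi_register_target((uintptr_t)times_two);
}

/* Guarded indirect call: validate the target before transferring control.
 * Returns -1 on a CFI violation (a real deployment would abort instead). */
int cfi_indirect_call(handler_t fp, int arg) {
    if (!cfi_is_valid_target((uintptr_t)fp))
        return -1;
    return fp(arg);
}

/* A benign dispatch through a function pointer: passes the check. */
int demo_legit_call(void) {
    cfi_init();
    return cfi_indirect_call(times_two, 5);
}

/* A hijacked function pointer aimed a few bytes into add_one, the way a
 * ROP/JOP gadget address would be: rejected before it is ever called. */
int demo_hijacked_call(void) {
    cfi_init();
    handler_t bad = (handler_t)((uintptr_t)add_one + 3);
    return cfi_indirect_call(bad, 5);
}

int main(void) {
    printf("legitimate indirect call -> %d\n", demo_legit_call());
    printf("hijacked indirect call   -> %d (CFI violation)\n", demo_hijacked_call());
    return 0;
}
```

The point the example makes is the one the abstract summarises as eliminating most gadgets: a gadget is an instruction sequence that starts at an address no legitimate control transfer ever targets, so a whitelist of recovered entry points (and, for returns, of call-site return addresses) removes it from the attacker's reach without changing what the benign program does. The hash-set lookup is a stand-in for whatever the rewritten binary actually consults.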

References

[1]
M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In the 12th ACM conference on Computer and communications security (CCS), 2005.
[2]
M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1), Nov. 2009.
[3]
P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In the 29th IEEE Symposium on Security and Privacy (Oakland), 2008.
[4]
J. Ansel, P. Marchenko, U. Erlingsson, E. Taylor, B. Chen, D. L. Schuff, D. Sehr, C. L. Biffle, and B. Yee. Language-independent sandboxing of just-in-time compilation and self-modifying code. In the 32nd ACM SIGPLAN conference on Programming language design and implementation (PLDI), 2011.
[5]
S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In the 12th conference on USENIX Security Symposium, 2003.
[6]
T. Bletsch, X. Jiang, and V. Freeh. Mitigating code-reuse attacks with control-flow locking. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
[7]
T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
[8]
D. L. Bruening. Efficient, transparent, and comprehensive runtime code manipulation. PhD thesis, MIT, 2004.
[9]
E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: generalizing return-oriented programming to RISC. In the 15th ACM conference on Computer and communications security (CCS), 2008.
[10]
S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In the 17th ACM conference on Computer and communications security (CCS), 2010.
[11]
P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. DROP: Detecting return-oriented programming malicious code. In the 5th International Conference on Information Systems Security (ICISS), 2009.
[12]
C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In the 7th conference on USENIX Security Symposium, 1998.
[13]
L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In the 19th Network and Distributed System Security Symposium (NDSS), 2012.
[14]
L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: a detection tool to defend against return-oriented programming attacks. In the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011.
[15]
U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: software guards for system address spaces. In the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2006.
[16]
C. Evans. Exploiting 64-bit Linux like a boss. http://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html.
[17]
M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In the 10th conference on USENIX Security Symposium, 2001.
[18]
J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
[19]
R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In the 18th conference on USENIX security symposium, 2009.
[20]
M. Kayaalp, M. Ozsoy, N. Abu-Ghazaleh, and D. Ponomarev. Branch regulation: low-overhead protection from code reuse attacks. In the 39th Annual International Symposium on Computer Architecture (ISCA), 2012.
[21]
V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In the 11th conference on USENIX Security Symposium, 2002.
[22]
J. Li, Z. Wang, T. Bletsch, D. Srinivasan, M. Grace, and X. Jiang. Comprehensive and efficient protection of kernel control data. IEEE Transactions on Information Forensics and Security, 6(4), Dec. 2011.
[23]
J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with "return-less" kernels. In the 5th European conference on Computer systems (EuroSys), 2010.
[24]
The PaX Team. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt, 2001.
[25]
Tool Interface Standard. Executable and linking format (ELF) specification. http://www.uclibc.org/docs/elf.pdf, 1995.
[26]
UNIX International Programming Languages SIG. DWARF debugging information format. http://www.dwarfstd.org/doc/dwarf-2.0.0.pdf, 1993.
[27]
S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In the 15th conference on USENIX Security Symposium, 2006.
[28]
Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack Magazine, 2001.
[29]
J. Oakley and S. Bratus. Exploiting the hardworking DWARF: trojan and exploit techniques with no native executable code. Technical report, Computer Science Department, Dartmouth College, 2011.
[30]
J. Oakley and S. Bratus. Exploiting the hardworking DWARF: trojan and exploit techniques with no native executable code. In the 5th USENIX conference on Offensive technologies (WOOT), 2011.
[31]
K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In the 26th Annual Computer Security Applications Conference (ACSAC), 2010.
[32]
V. Pappas. kBouncer: Efficient and transparent ROP mitigation. Technical report, Columbia University, 2012.
[33]
V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In the 33rd IEEE Symposium on Security and Privacy (Oakland), 2012.
[34]
A. Prakash, H. Yin, and Z. Liang. Enforcing system-wide control flow integrity for exploit detection and diagnosis. In the 8th ACM SIGSAC symposium on Information, computer and communications security (ASIACCS), 2013.
[35]
J. Salwan. ROPGadget. http://shell-storm.org/project/ROPgadget.
[36]
D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting software fault isolation to contemporary CPU architectures. In the 19th conference on USENIX Security Symposium, 2010.
[37]
F. J. Serna. CVE-2012-0769, the case of the perfect info leak, 2012.
[38]
H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In the 14th ACM conference on Computer and communications security (CCS), 2007.
[39]
K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In the 34th IEEE Symposium on Security and Privacy, 2013.
[40]
R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In the 2nd European Workshop on System Security (EUROSEC), 2009.
[41]
M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning. On the expressiveness of return-into-libc attacks. In the 14th international conference on Recent Advances in Intrusion Detection (RAID), 2011.
[42]
Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In the 31st IEEE Symposium on Security and Privacy (Oakland), 2010.
[43]
R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In the 19th ACM conference on Computer and communications security (CCS), 2012.
[44]
Wikipedia. Open addressing hashing. http://en.wikipedia.org/wiki/Open_addressing, 2012.
[45]
J. Wilander, N. Nikiforakis, Y. Younan, M. Kamkar, and W. Joosen. RIPE: runtime intrusion prevention evaluator. In the 27th Annual Computer Security Applications Conference (ACSAC), 2011.
[46]
B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In the 30th IEEE Symposium on Security and Privacy (Oakland), 2009.
[47]
B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In the 18th ACM conference on Computer and communications security (CCS), 2011.
[48]
C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity & randomization for binary executables. In the 34th IEEE Symposium on Security and Privacy, 2013.
[49]
D. D. Zovi. Practical return-oriented programming. Technical report, SOURCE, 2010.


Published In

SEC'13: Proceedings of the 22nd USENIX conference on Security
August 2013
702 pages
ISBN: 9781931971034
Program Chair: Sam King

Sponsors

  • Akamai
  • Google Inc.
  • IBM Research
  • NSF
  • Microsoft Research

Publisher

USENIX Association

United States

Cited By

  • (2024) Page-oriented programming. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 199-216. DOI 10.5555/3698900.3698912. Online publication date: 14-Aug-2024.
  • (2024) SoK. Proceedings of the 18th USENIX Conference on Offensive Technologies, pp. 189-209. DOI 10.5555/3696933.3696947. Online publication date: 12-Aug-2024.
  • (2024) Bitmap-Based Security Monitoring for Deeply Embedded Systems. ACM Transactions on Software Engineering and Methodology 33(7), pp. 1-31. DOI 10.1145/3672460. Online publication date: 18-Jun-2024.
  • (2023) Reassembly is hard. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1469-1486. DOI 10.5555/3620237.3620320. Online publication date: 9-Aug-2023.
  • (2023) SAFER. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1451-1468. DOI 10.5555/3620237.3620319. Online publication date: 9-Aug-2023.
  • (2023) Accelerating Type Confusion Detection by Identifying Harmless Type Castings. Proceedings of the 20th ACM International Conference on Computing Frontiers, pp. 91-100. DOI 10.1145/3587135.3592205. Online publication date: 9-May-2023.
  • (2022) ReSIL. Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, pp. 107-118. DOI 10.1145/3508398.3511502. Online publication date: 14-Apr-2022.
  • (2022) Securely Sharing Randomized Code That Flies. Digital Threats: Research and Practice 3(3), pp. 1-25. DOI 10.1145/3474558. Online publication date: 15-Mar-2022.
  • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security 24(4), pp. 1-36. DOI 10.1145/3462699. Online publication date: 2-Sep-2021.
  • (2021) Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3337-3351. DOI 10.1145/3460120.3484551. Online publication date: 12-Nov-2021.
