research-article

Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks

Authors:

Christopher Liebchen,

Mohaned Qunaibit,

Ahmad-Reza SadeghiAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 952 - 963

https://doi.org/10.1145/2810103.2813671

Published: 12 October 2015 Publication History

Abstract

Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations. In this paper we show how to exploit heap-based vulnerabilities to control the stack contents including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduce stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1)~against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2)~against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.

References

[1]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2005.

Digital Library

[2]

M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. A theory of secure control flow. In Proceedings of the 7th International Conference on Formal Methods and Software Engineering, ICFEM'05, 2005.

Digital Library

[3]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information System Security, 13, 2009.

Digital Library

[4]

Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 2000.

[5]

M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny. You can run but you can't read: Preventing disclosure exploits in executable code. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2014.

Digital Library

[6]

M. Backes and S. Nürnberger. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In 23rd USENIX Security Symposium, USENIX Sec, 2014.

Digital Library

[7]

S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In 12th USENIX Security Symposium, USENIX Sec, 2003.

Digital Library

[8]

A. Bittau, A. Belay, A. J. Mashtizadeh, D. Mazières, and D. Boneh. Hacking blind. In 35th IEEE Symposium on Security and Privacy, S&P, 2014.

Digital Library

[9]

N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross. Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium, USENIX Sec, 2015.

Digital Library

[10]

N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium, USENIX Sec, 2014.

Digital Library

[11]

X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida. Stackarmor: Comprehensive protection from stack-based memory error vulnerabilities for binaries. In Symposium on Network and Distributed System Security (NDSS), NDSS, 2015.

[12]

Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. ROPecker: A generic and practical approach for defending against ROP attacks. In 21st Annual Network and Distributed System Security Symposium, NDSS, 2014.

[13]

C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In 8st USENIX Security Symposium, USENIX Sec, 1998.

Digital Library

[14]

S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In 36th IEEE Symposium on Security and Privacy, S&P, 2015.

Digital Library

[15]

S. Crane, S. Volckaert, F. Schuster, C. Liebchen, P. Larsen, L. Davi, A.-R. Sadeghi, T. Holz, B. D. Sutter, and M. Franz. It's a TRAP: Table randomization and protection against function reuse attacks. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2015.

Digital Library

[16]

T. H. Dang, P. Maniatis, and D. Wagner. The performance cost of shadow stacks and stack canaries. In 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS, 2015.

Digital Library

[17]

L. Davi, C. Liebchen, A.-R. Sadeghi, K. Z. Snow, and F. Monrose. Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In 22nd Annual Network and Distributed System Security Symposium, NDSS, 2015.

[18]

L. Davi, A. Sadeghi, D. Lehmann, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In 23rd USENIX Security Symposium, USENIX Sec, 2014.

Digital Library

[19]

L. V. Davi, A. Dmitrienko, S. Nürnberger, and A. Sadeghi. Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In 8th ACM Symposium on Information, Computer and Communications Smiecurity, ASIACCS, 2013.

Digital Library

[20]

I. Evans, S. Fingeret, J. Gonzalez, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi. Missing the point: On the effectiveness of code pointer integrity. In 36th IEEE Symposium on Security and Privacy, S&P, 2015.

Digital Library

[21]

I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2015.

Digital Library

[22]

G. Fresi Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically returning to randomized lib(c). In 25th Annual Computer Security Applications Conference, ACSAC, 2009.

Digital Library

[23]

J. Gionta, W. Enck, and P. Ning. HideM: Protecting the contents of userspace memory in the face of disclosure vulnerabilities. In 5th ACM Conference on Data and Application Security and Privacy, CODASPY, 2015.

Digital Library

[24]

C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In 21st USENIX Security Symposium, USENIX Sec, 2012.

Digital Library

[25]

E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In 35th IEEE Symposium on Security and Privacy, S&P, 2014.

Digital Library

[26]

E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In 23rd USENIX Security Symposium, USENIX Sec, 2014.

Digital Library

[27]

J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: where'd my gadgets go? In 33rd IEEE Symposium on Security and Privacy, S&P, 2012.

Digital Library

[28]

A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz. Profile-guided automatic software diversity. In IEEE/ACM International Symposium on Code Generation and Optimization, CGO, 2013.

Digital Library

[29]

R. Hund, C. Willems, and T. Holz. Practical timing side channel attacks against kernel space aslr. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.

Digital Library

[30]

Intel. Intel 64 and IA-32 architectures software developer's manual, combined volumes 3A, 3B, and 3C: System programming guide. http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-system-programming-manual-325384.pdf, 2013.

[31]

C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (ASLP): towards fine-grained randomization of commodity software. In 22nd Annual Computer Security Applications Conference, ACSAC, 2006.

Digital Library

[32]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI, 2014.

Digital Library

[33]

P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. SoK: Automated software diversity. In 35th IEEE Symposium on Security and Privacy, S&P, 2014.

Digital Library

[34]

C. Lattner, A. Lenharth, and V. Adve. Making context-sensitive points-to analysis with heap cloning practical for the real world. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI, 2007.

Digital Library

[35]

Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/kb/875352/EN-US/, 2006.

[36]

Microsoft. Control flow guard. https://msdn.microsoft.com/en-us/library/Dn919635.aspx, 2015.

[37]

V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In 33rd IEEE Symposium on Security and Privacy, S&P, 2012.

Digital Library

[38]

V. Pappas, M. Polychronakis, and A. D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In 22nd USENIX Security Symposium, USENIX Sec, 2013.

Digital Library

[39]

M. Payer, A. Barresi, and T. R. Gross. Fine-grained control-flow integrity through binary hardening. In 12th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA, 2015.

Digital Library

[40]

F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C

[41]

applications. In 36th IEEE Symposium on Security and Privacy, S&P, 2015.

[42]

F. Schuster, T. Tendyck, J. Pewny, A. Maaß, M. Steegmanns, M. Contag, and T. Holz. Evaluating the effectiveness of current anti-ROP defenses. In 17th International Symposium on Research in Attacks, Intrusions and Defenses, RAID, 2014.

[43]

D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting software fault isolation to contemporary cpu architectures. In 19th USENIX Conference on Security, USENIX Sec, 2010.

Digital Library

[44]

J. Seibert, H. Okhravi, and E. Söderström. Information leaks without memory disclosures: Remote side channel attacks on diversified code. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2014.

Digital Library

[45]

H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2007.

Digital Library

[46]

K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A. Sadeghi. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.

Digital Library

[47]

A. Sotirov. Heap Feng Shui in JavaScript. In Black Hat Europe, BH US, 2007.

[48]

R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter. Breaking the memory secrecy assumption. In 2nd European Workshop on System Security, EUROSEC, 2009.

Digital Library

[49]

The Clang Team. Clang 3.8 documentation SafeStack. http://clang.llvm.org/docs/SafeStack.html, 2015.

[50]

C. Tice. Improving function pointer security for virtual method dispatches. In GNU Tools Cauldron Workshop, 2012.

[51]

C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-flow integrity in GCC & LLVM. In 23rd USENIX Security Symposium, USENIX Sec, 2014.

Digital Library

[52]

VUPEN Security. Advanced exploitation of internet explorer heap overflow (pwn2own 2012 exploit). http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012--1876.php, 2012.

[53]

R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In 14th ACM Symposium on Operating Systems Principles, SOSP, 1993.

Digital Library

[54]

R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In ACM SIGSAC Conference on Computer and Communications Security, CCS, 2012.

Digital Library

[55]

Web Hypertext Application Technology Working Group (WHATWG). Chapter 10 - Web workers, 2015.

[56]

Z. Yunhai. Bypass control flow guard comprehensively. In Black Hat, BH US, 2015.

[57]

B. Zeng, G. Tan, and U. Erlingsson. Strato: A retargetable framework for low-level inlined-reference monitors. In 22nd USENIX Security Symposium, USENIX Sec, 2013.

Digital Library

[58]

C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In 34th IEEE Symposium on Security and Privacy, S&P, 2013.

Digital Library

[59]

M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In 22nd USENIX Security Symposium, USENIX Sec, 2013.

Digital Library

Cited By

Becker LHollick MClassen JDoupé AMilburn A(2024)SoKProceedings of the 18th USENIX Conference on Offensive Technologies10.5555/3696933.3696947(189-209)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696933.3696947
Jang HKim TShin YLuo BLiao XXu JKirda ELie D(2024)SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple SiliconProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690189(64-78)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690189
Xiang HCheng ZLi JMa JLu KLuo BLiao XXu JKirda ELie D(2024)Boosting Practical Control-Flow Integrity with Complete Field Sensitivity and Origin AwarenessProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670308(4524-4538)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670308
Show More Cited By

Index Terms

Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Hurdle: Securing Jump Instructions Against Code Reuse Attacks
ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems

Code-reuse attacks represent the state-of-the-art in exploiting memory safety vulnerabilities. Control-flow integrity techniques offer a promising direction for preventing code-reuse attacks, but these attacks are resilient against imprecise and ...
Execution at RISC: Stealth JOP Attacks on RISC-V Applications
Computer Security. ESORICS 2023 International Workshops
Abstract
RISC-V is a recently developed open instruction set architecture gaining a lot of attention. To improve the security of these systems and design efficient countermeasures, a better understanding of vulnerabilities to novel and future attacks is ...
Towards Transparent Control-Flow Integrity in Safety-Critical Systems
Information Security
Abstract
Protecting safety-critical Cyber-Physical Systems (CPS) against security threats is becoming a growing necessity. Due to the high level of network integration, CPS pose new targets to remote code-reuse attacks, such as Return-Oriented Programming (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

113
Total Citations
View Citations
1,455
Total Downloads

Downloads (Last 12 months)72
Downloads (Last 6 weeks)10

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Becker LHollick MClassen JDoupé AMilburn A(2024)SoKProceedings of the 18th USENIX Conference on Offensive Technologies10.5555/3696933.3696947(189-209)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696933.3696947
Jang HKim TShin YLuo BLiao XXu JKirda ELie D(2024)SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple SiliconProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690189(64-78)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690189
Xiang HCheng ZLi JMa JLu KLuo BLiao XXu JKirda ELie D(2024)Boosting Practical Control-Flow Integrity with Complete Field Sensitivity and Origin AwarenessProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670308(4524-4538)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670308
Khan SChatterjee BPande STsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Pythia: Compiler-Guided Defense Against Non-Control Data AttacksProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651343(850-866)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651343
Ma PJi ZYao PWang SRen KRoychoudhury APaiva AAbreu RStorey M(2024)Enabling Runtime Verification of Causal Discovery Algorithms with Automated Conditional Independence ReasoningProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623348(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623348
Richter IZhou JCriswell J(2024)DeTRAP: RISC-V Return Address Protection With Debug Triggers2024 IEEE Secure Development Conference (SecDev)10.1109/SecDev61143.2024.00021(166-177)Online publication date: 7-Oct-2024
https://doi.org/10.1109/SecDev61143.2024.00021
Hashemi MForte DGanji F(2024)Time Is Money, Friend! Timing Side-Channel Attack Against Garbled Circuit ConstructionsApplied Cryptography and Network Security10.1007/978-3-031-54776-8_13(325-354)Online publication date: 29-Feb-2024
https://doi.org/10.1007/978-3-031-54776-8_13
Xu JLu KDu ZDing ZLi LWu QPayer MMao BCalandrino JTroncoso C(2023)Silent bugs matterProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620442(3655-3672)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620442
Kedia PPurandare RAgarwal URishabh Just RFraser G(2023)CGuard: Scalable and Precise Object Bounds Protection for CProceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598137(1307-1318)Online publication date: 12-Jul-2023
https://dl.acm.org/doi/10.1145/3597926.3598137
Unterguggenberger MSchrammel DLamster LNasahl PMangard SMeng WJensen CCremers CKirda E(2023)Cryptographically Enforced Memory SafetyProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623138(889-903)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623138
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten