research-article
Public Access

GRIFFIN: Guarding Control Flows Using Intel Processor Trace

Published: 04 April 2017

Abstract

Researchers are actively exploring techniques to enforce control-flow integrity (CFI), which restricts program execution to a predefined set of targets for each indirect control transfer in order to prevent code-reuse attacks. While hardware-assisted CFI enforcement has the potential for advantages in performance and flexibility over software instrumentation, current hardware-assisted defenses are either incomplete (i.e., they do not enforce all control transfers) or less efficient by comparison. We find that the recent introduction of hardware features that log complete control-flow traces, such as Intel Processor Trace (PT), provides an opportunity to explore how efficient and flexible a hardware-assisted CFI enforcement system may become. While Intel PT was designed to aid offline debugging and failure diagnosis, we explore its effectiveness for online CFI enforcement over unmodified binaries by designing a parallelized method for enforcing various types of CFI policies. We have implemented a prototype called GRIFFIN in the Linux 4.2 kernel that enables complete CFI enforcement over a variety of software, including the Firefox browser and its JIT-compiled code. Our experiments show that GRIFFIN can enforce fine-grained CFI policies with a shadow stack, as recommended by researchers, at performance comparable to software-only instrumentation techniques. In addition, we find that alternative logging approaches yield significant performance improvements for trace processing, identifying opportunities for further hardware assistance.
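As an added illustration, not code from the paper or the GRIFFIN prototype, the C model below replays control transfers that a PT decoder would have recovered from a trace and checks them against the two policies the abstract names: a fine-grained forward-edge target set per indirect site and a shadow stack for returns. The event kinds, the sample policy, the two sample traces and every address are constructed assumptions.

```c
#include <stdint.h>
/* Control transfers as a PT decoder recovers them by combining the trace's
 * TIP/TNT packets with the program binary (constructed model, not GRIFFIN code). */
typedef enum { EV_DCALL, EV_ICALL, EV_RET, EV_IJMP } ev_kind;
typedef struct { ev_kind kind; uint64_t src, dst, next; } ev_t; /* next = call fall-through */
/* Fine-grained forward-edge policy: each indirect site has its own target set (constructed). */
typedef struct { uint64_t site; uint64_t targets[4]; int n; } edge_rule;
static const edge_rule RULES[] = {
    { 0x4010a0, { 0x401200, 0x401300 }, 2 },  /* indirect call in main */
    { 0x4013f0, { 0x401400 }, 1 },            /* indirect tail jump in baz */
};
enum { NRULES = sizeof RULES / sizeof RULES[0], MAX_DEPTH = 64 };
static int edge_allowed(uint64_t site, uint64_t dst) {
    for (int i = 0; i < NRULES; i++) {
        if (RULES[i].site != site) continue;
        for (int j = 0; j < RULES[i].n; j++)
            if (RULES[i].targets[j] == dst) return 1;
        return 0;
    }
    return 0;  /* site missing from the policy: fail closed */
}
/* Replay a decoded trace against both policies. Returns the index of the
 * first violating event, or -1 if the whole trace conforms. */
int check_trace(const ev_t *ev, int n) {
    uint64_t shadow[MAX_DEPTH]; int depth = 0;
    for (int i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_DCALL: case EV_ICALL:   /* both push a return address */
            if (ev[i].kind == EV_ICALL && !edge_allowed(ev[i].src, ev[i].dst)) return i;
            if (depth == MAX_DEPTH) return i;
            shadow[depth++] = ev[i].next;
            break;
        case EV_RET:  /* backward edge: must match the shadow-stack top */
            if (depth == 0 || shadow[--depth] != ev[i].dst) return i;
            break;
        case EV_IJMP:
            if (!edge_allowed(ev[i].src, ev[i].dst)) return i;
            break;
        }
    }
    return -1;
}
/* Constructed traces: a benign run, and one whose return address was overwritten. */
static const ev_t BENIGN[] = {
    { EV_ICALL, 0x4010a0, 0x401200, 0x4010a5 }, { EV_RET, 0x401250, 0x4010a5, 0 },
    { EV_ICALL, 0x4010a0, 0x401300, 0x4010a5 }, { EV_IJMP, 0x4013f0, 0x401400, 0 },
    { EV_RET, 0x401420, 0x4010a5, 0 },   /* qux returns on behalf of baz after the tail jump */
};
static const ev_t HIJACKED[] = {
    { EV_ICALL, 0x4010a0, 0x401200, 0x4010a5 }, { EV_RET, 0x401250, 0x4010b0, 0 },
};
int check_benign(void)   { return check_trace(BENIGN, 5); }    /* -1: conforms */
int check_hijacked(void) { return check_trace(HIJACKED, 2); }  /* 1: return mismatch */
```

A real decoder must also resolve each indirect target from the binary's instruction stream before these checks can run, which is the trace-processing cost the abstract discusses.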



    Published In

    ACM SIGARCH Computer Architecture News, Volume 45, Issue 1 (ASPLOS '17), March 2017, 812 pages. ISSN 0163-5964, DOI 10.1145/3093337.
    ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, April 2017, 856 pages. ISBN 9781450344654, DOI 10.1145/3037697.
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 04 April 2017
    Published in SIGARCH Volume 45, Issue 1


    Author Tags

    1. control-flow integrity
    2. intel processor trace

    Qualifiers

    • Research-article

    Article Metrics

    • Downloads (Last 12 months)357
    • Downloads (Last 6 weeks)60
    Reflects downloads up to 14 Oct 2024

    Cited By

    • (2022) Teaching Intelligence System Based on the Cloud Platform of the Internet of Things and Its Application in Physical Education. Wireless Communications & Mobile Computing, vol. 2022. DOI 10.1155/2022/7523529. Online publication date: 1-Jan-2022
    • (2022) Retrofitting LBR Profiling to Enhance Virtual Machine Introspection. IEEE Transactions on Information Forensics and Security, vol. 17, pp. 2311-2323. DOI 10.1109/TIFS.2022.3183409. Online publication date: 2022
    • (2021) Toward Taming the Overhead Monster for Data-flow Integrity. ACM Transactions on Design Automation of Electronic Systems, vol. 27, no. 3, pp. 1-24. DOI 10.1145/3490176. Online publication date: 17-Nov-2021
    • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security, vol. 24, no. 4, pp. 1-36. DOI 10.1145/3462699. Online publication date: 2-Sep-2021
    • (2021) FastCFI: Real-time Control-Flow Integrity Using FPGA without Code Instrumentation. ACM Transactions on Design Automation of Electronic Systems, vol. 26, no. 5, pp. 1-39. DOI 10.1145/3458471. Online publication date: 5-Jun-2021
    • (2021) HerQules: securing programs via hardware-enforced message queues. Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 773-788. DOI 10.1145/3445814.3446736. Online publication date: 19-Apr-2021
    • (2019) DTrace: fine-grained and efficient data integrity checking with hardware instruction tracing. Cybersecurity, vol. 2, no. 1. DOI 10.1186/s42400-018-0018-3. Online publication date: 14-Jan-2019
    • (2024) Enforcing C/C++ Type and Scope at Runtime for Control-Flow and Data-Flow Integrity. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pp. 283-300. DOI 10.1145/3620666.3651342. Online publication date: 27-Apr-2024
    • (2024) A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing. Scientific Reports, vol. 14, no. 1. DOI 10.1038/s41598-024-65374-w. Online publication date: 26-Jun-2024
    • (2023) Accelerating Type Confusion Detection by Identifying Harmless Type Castings. Proceedings of the 20th ACM International Conference on Computing Frontiers, pp. 91-100. DOI 10.1145/3587135.3592205. Online publication date: 9-May-2023
