DOI: 10.1145/3337167.3337175 (research article, HASP conference proceedings)

Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity

Published: 23 June 2019

Abstract

Intel has developed Control-flow Enforcement Technology (CET) [27], which provides CPU instruction set architecture (ISA) capabilities to defend against return-oriented programming (ROP) and call/jump-oriented programming (COP/JOP) control-flow subversion attacks. This attack methodology chains code sequences from authorized modules in which at least one instruction is a control transfer whose target address depends on attacker-controlled data, either on the return stack or in a register or memory location. Attackers stitch these sequences together by diverting the control transfer instruction (e.g., RET, CALL, JMP) from its original target address to a new one, by modifying the data stack or the register or memory operand these instructions use. This paper describes the CET security objectives, the threat model, and the architectural design choices made to ensure that the design meets those objectives. We conclude the paper with performance data and related work in this domain.
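As an added illustration that is not part of the paper, the following constructed C model shows how the two CET [27] mechanisms, a shadow stack checked on every RET and indirect-branch tracking that requires an ENDBR landing pad at every indirect jump target, turn a diverted control transfer into a fault instead of a successful gadget chain. The instruction set, the program, the `cet` switch and the fault codes are assumptions for the model, not Intel's implementation.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model (not Intel's implementation) of CET's two mechanisms: a shadow stack
 * mirroring return addresses, and indirect-branch tracking requiring ENDBR at indirect targets. */
enum op { OP_CALL, OP_RET, OP_IJMP, OP_ENDBR, OP_NOP };
enum fault { CET_OK = 0, CET_FAULT_SHADOW, CET_FAULT_ENDBR, CET_FAULT_STATE };
typedef struct { enum op op; uint64_t target; } insn_t;
#define DEPTH 16
typedef struct {
    uint64_t data_stack[DEPTH];   /* ordinary memory: a stack overflow can overwrite it */
    uint64_t shadow_stack[DEPTH]; /* CPU-managed: only CALL/RET ever write it */
    size_t sp, ssp;
} cpu_t;
/* Run prog with CET checks on (cet=1) or off (cet=0). At step corrupt_step (-1 for
 * none) the saved return address on the data stack is overwritten with corrupt_val,
 * standing in for a memory-corruption bug. Returns a fault code. */
enum fault run_program(const insn_t *prog, size_t n, int cet,
                       int corrupt_step, uint64_t corrupt_val)
{
    cpu_t cpu = {0}; uint64_t pc = 0; int expect_endbr = 0;
    for (int step = 0; step < 64; step++) {
        if (pc >= n) return CET_OK;                 /* ran off the end: clean halt */
        if (step == corrupt_step && cpu.sp > 0)
            cpu.data_stack[cpu.sp - 1] = corrupt_val;
        const insn_t *in = &prog[pc];
        if (cet && expect_endbr && in->op != OP_ENDBR) return CET_FAULT_ENDBR;
        expect_endbr = 0;
        switch (in->op) {
        case OP_CALL:                               /* direct call: no ENDBR required */
            if (cpu.sp == DEPTH) return CET_FAULT_STATE;
            cpu.data_stack[cpu.sp++] = pc + 1;
            cpu.shadow_stack[cpu.ssp++] = pc + 1;
            pc = in->target; break;
        case OP_RET: {
            if (cpu.sp == 0) return CET_FAULT_STATE;
            uint64_t r = cpu.data_stack[--cpu.sp], s = cpu.shadow_stack[--cpu.ssp];
            if (cet && r != s) return CET_FAULT_SHADOW;  /* CET raises #CP here */
            pc = r; break;
        }
        case OP_IJMP: pc = in->target; expect_endbr = 1; break;
        default: pc++; break;                       /* ENDBR and NOP just advance */
        }
    }
    return CET_FAULT_STATE;
}
/* Constructed programs: 0 calls 3 (which returns to 1); 1 then jumps indirectly. */
const insn_t demo_ok[]  = { {OP_CALL,3},{OP_IJMP,5},{OP_NOP,0},{OP_ENDBR,0},{OP_RET,0},{OP_ENDBR,0},{OP_NOP,0} };
const insn_t demo_bad[] = { {OP_CALL,3},{OP_IJMP,6},{OP_NOP,0},{OP_ENDBR,0},{OP_RET,0},{OP_ENDBR,0},{OP_NOP,0} };
#define DEMO_LEN 7
```

With `cet=0` a corrupted return slot silently lands execution on the non-ENDBR instruction at index 6 and the run completes; with `cet=1` the same program faults at the RET (shadow mismatch) or at the jump target (missing ENDBR).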

References

[1] Intel® 64 and IA-32 Architectures Software Developer Manuals. https://software.intel.com/en-us/articles/intel-sdm
[2] R. Roemer, E. Buchanan, H. Shacham, and S. Savage. 2012. Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC).
[3] T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. 2011. Jump-oriented programming: A new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security.
[4] N. Carlini and D. Wagner. 2014. ROP is Still Dangerous: Breaking Modern Defenses. In 23rd USENIX Security Symposium (USENIX Security 14).
[5] Systems and Security Services Analysis Office. 2015. Hardware Control Flow Integrity (CFI) for an IT Ecosystem. https://github.com/iadgov/Control-Flow-Integrity/tree/master/paper
[6] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. 2009. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security.
[7] Control Flow Guard. https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
[8] T. H. Dang, P. Maniatis, and D. Wagner. 2015. The performance cost of shadow stacks and stack canaries. In ACM Symposium on Information, Computer and Communications Security (ASIACCS '15).
[9] M. Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In USENIX Security.
[10] Intel® 64 and IA-32 Architectures Optimization Reference Manual. https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf
[11] A. Oikonomopoulos, C. Giuffrida, E. Athanasopoulos, and H. Bos. 2016. Poking holes into information hiding. In USENIX Security.
[12] L. Davi, P. Koeberl, and A.-R. Sadeghi. 2014. Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation. In Annual Design Automation Conference, Special Session: Trusted Mobile Embedded Computing (DAC '14).
[13] M. Theodorides and D. Wagner. 2017. Breaking Active-Set Backward-Edge CFI. In Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST '17).
[14] R. B. Lee, D. K. Karig, J. P. McGregor, and Z. Shi. 2003. Enlisting Hardware Architecture to Thwart Malicious Code Injection. In Proceedings of the International Conference on Security in Pervasive Computing, Boppard, Germany.
[15] F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. 2015. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications. In IEEE Symposium on Security and Privacy (S&P).
[16] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. 2005. Control-flow integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security.
[17] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, U. Erlingsson, L. Lozano, and G. Pike. 2014. Enforcing forward-edge control-flow integrity in GCC & LLVM. In USENIX Conference on Security.
[18] S. Checkoway and H. Shacham. 2010. Escape from return-oriented programming: Return-oriented programming without returns (on the x86). Technical Report CS2010-0954, UC San Diego.
[19] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. 2010. Return-oriented programming without returns. In ACM Conference on Computer and Communications Security (CCS).
[20] PaX Team. 2015. RAP: RIP ROP. https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
[21] J. Salwan. ROPgadget. https://github.com/JonathanSalwan/ROPgadget
[22] V. van der Veen, E. Göktaş, M. Contag, A. Pawlowski, X. Chen, S. Rawat, H. Bos, T. Holz, E. Athanasopoulos, and C. Giuffrida. 2016. A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level. In 2016 IEEE Symposium on Security and Privacy.
[23] Pointer Authentication on ARMv8.3. https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf
[24] A. J. Mashtizadeh, A. Bittau, D. Mazières, and D. Boneh. 2014. Cryptographically enforced control flow integrity. arXiv:1408.1451 [cs.CR].
[25] V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. 2014. Code-pointer integrity. In Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation (OSDI '14).
[26] P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In Proceedings of the 40th IEEE Symposium on Security and Privacy.
[27] Intel® Control-flow Enforcement Technology Preview document. https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf



Published In

HASP '19: Proceedings of the 8th International Workshop on Hardware and Architectural Support for Security and Privacy, June 2019, 73 pages. ISBN 9781450372268. DOI 10.1145/3337167.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 23 June 2019


Author Tags

COP; Control-flow integrity; JOP; ROP; control flow subversion attacks; shadow stack

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      HASP '19

      Acceptance Rates

      Overall Acceptance Rate 9 of 13 submissions, 69%

Cited By

• Integrating Static Analyses for High-Precision Control-Flow Integrity. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, 2024, pp. 419-434. DOI 10.1145/3678890.3678920. Published 30 Sep 2024.
• VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, 2024, pp. 644-659. DOI 10.1145/3678890.3678907. Published 30 Sep 2024.
• Anti-ROP Based on a Shadow Stack for Critical Embedded Systems. Proceedings of the 3rd International Conference on Computer, Artificial Intelligence and Control Engineering, 2024, pp. 839-846. DOI 10.1145/3672758.3672897. Published 26 Jan 2024.
• Intel TDX Demystified: A Top-Down Approach. ACM Computing Surveys 56(9), 2024, pp. 1-33. DOI 10.1145/3652597. Published 25 Apr 2024.
• Serberus: Protecting Cryptographic Code from Spectres at Compile-Time. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4200-4219. DOI 10.1109/SP54263.2024.00048. Published 19 May 2024.
• Perspective: A Principled Framework for Pliable and Secure Speculation in Operating Systems. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), pp. 739-755. DOI 10.1109/ISCA59077.2024.00059. Published 29 Jun 2024.
• Memory Integrity Techniques for Memory-Unsafe Languages: A Survey. IEEE Access 12, 2024, pp. 43201-43221. DOI 10.1109/ACCESS.2024.3380478.
• DROPSYS: Detection of ROP attacks using system information. Computers & Security, 2024, 103813. DOI 10.1016/j.cose.2024.103813. Published Mar 2024.
• Black-box Attacks Against Neural Binary Function Detection. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 2023, pp. 1-16. DOI 10.1145/3607199.3607200. Published 16 Oct 2023.
• Improving Binary Code Similarity Transformer Models by Semantics-Driven Instruction Deemphasis. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, 2023, pp. 1106-1118. DOI 10.1145/3597926.3598121. Published 12 Jul 2023.
