DOI: 10.1145/3359789.3359806
Research article (Public Access), ACSAC Conference Proceedings

Analyzing control flow integrity with LLVM-CFI

Published: 09 December 2019 Publication History

Abstract

Control-flow hijacking attacks are used to perform malicious computations. Existing approaches for assessing the attack surface that remains after a control flow integrity (CFI) policy has been applied measure, at best, averages over indirect transfers; they give no insight into the absolute call-target reduction per callsite or into the availability of gadgets. Further, comparison between tools is underdeveloped or not possible at all. CFI has proven to be one of the most promising protections against control-flow hijacking attacks, so many efforts have been made to improve it in various ways, yet existing CFI protections have not been systematically assessed.
In this paper, we present LLVM-CFI, a static source-code analysis framework built on the Clang/LLVM compiler framework for analyzing state-of-the-art static CFI protections. LLVM-CFI works by precisely modeling a CFI policy and then evaluating it within a unified approach, so that different policies are compared on the same footing. LLVM-CFI helps determine the level of security a CFI protection offers after it has been deployed, an important step towards both exploit construction and exploit prevention, and towards stronger defenses. We have used LLVM-CFI to assess eight state-of-the-art static CFI defenses on real-world programs such as Google Chrome and Apache Httpd. LLVM-CFI provides a precise analysis of the residual attack surfaces and ranks the CFI policies against each other accordingly. By disclosing the call targets that remain reachable under eight restrictive CFI policies, LLVM-CFI also paves the way towards constructing COOP-like code-reuse attacks and towards eliminating the remaining attack surface.
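The approach the abstract describes, modeling a CFI policy as the set of targets it allows at each callsite and comparing policies by absolute per-callsite target counts rather than by an average over all indirect transfers, as an added Python example. This is not the LLVM-CFI tool (an LLVM pass over Clang's IR) and not the paper's policy definitions: the program, its class hierarchy, the function and callsite names and the three simplified policies (address-taken, type-signature, class-hierarchy) are constructed assumptions, and all virtual methods are given the single signature `void(Base*)` so that the difference between a signature policy and a hierarchy policy is visible.

```python
"""Model static CFI policies as functions from callsite to allowed target
set, then compare them per callsite.

Added example; not the LLVM-CFI tool from the paper.  The program below,
its class hierarchy and the policy definitions are constructed and
simplified for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Function:
    name: str
    signature: str                 # return and parameter types
    address_taken: bool            # address escapes into data (incl. vtables)
    cls: Optional[str] = None      # defining class, for virtual methods
    method: Optional[str] = None   # virtual method name


@dataclass(frozen=True)
class Callsite:
    name: str
    signature: str                      # type the compiler sees at the call
    static_class: Optional[str] = None  # receiver's static type (virtual calls)
    method: Optional[str] = None


# Constructed program.  Assumption: every virtual method has the signature
# "void(Base*)", so a pure signature policy cannot tell them apart.
PARENT = {"Derived1": "Base", "Derived2": "Base",
          "Derived1a": "Derived1", "Derived2a": "Derived2"}  # Derived2a overrides nothing

FUNCTIONS = [
    Function("main", "int(int,char**)", False),
    Function("helper", "void(int)", False),
    Function("handler_a", "void(int)", True),
    Function("handler_b", "void(int)", True),
    Function("cmp_int", "int(const void*,const void*)", True),
    Function("cmp_str", "int(const void*,const void*)", True),
    Function("cmp_unused", "int(const void*,const void*)", False),
    Function("Base::run", "void(Base*)", True, "Base", "run"),
    Function("Derived1::run", "void(Base*)", True, "Derived1", "run"),
    Function("Derived1a::run", "void(Base*)", True, "Derived1a", "run"),
    Function("Derived2::run", "void(Base*)", True, "Derived2", "run"),
    Function("Base::stop", "void(Base*)", True, "Base", "stop"),
]

CALLSITES = [
    Callsite("qsort_cb", "int(const void*,const void*)"),       # qsort comparator
    Callsite("signal_cb", "void(int)"),                          # signal handler
    Callsite("vcall_Base_run", "void(Base*)", "Base", "run"),    # b->run()
    Callsite("vcall_Derived1_run", "void(Base*)", "Derived1", "run"),
]


def no_cfi(cs: Callsite) -> Set[str]:
    """Baseline: every function is a valid target."""
    return {f.name for f in FUNCTIONS}


def address_taken(cs: Callsite) -> Set[str]:
    """Coarse policy: any function whose address escapes into data."""
    return {f.name for f in FUNCTIONS if f.address_taken}


def type_signature(cs: Callsite) -> Set[str]:
    """Signature policy (in the spirit of Clang's -fsanitize=cfi-icall):
    address-taken functions whose type equals the callsite's type."""
    return {f.name for f in FUNCTIONS
            if f.address_taken and f.signature == cs.signature}


def subclasses(cls: str) -> Set[str]:
    """cls together with every class transitively derived from it."""
    seen, todo = {cls}, deque([cls])
    while todo:
        c = todo.popleft()
        for child, parent in PARENT.items():
            if parent == c and child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


def resolve(cls: Optional[str], method: str) -> Optional[str]:
    """Implementation that cls's vtable holds for method (inherited if not overridden)."""
    while cls is not None:
        for f in FUNCTIONS:
            if f.cls == cls and f.method == method:
                return f.name
        cls = PARENT.get(cls)
    return None


def class_hierarchy(cs: Callsite) -> Set[str]:
    """Hierarchy policy (in the spirit of -fsanitize=cfi-vcall) for virtual
    calls; plain indirect calls fall back to the signature policy."""
    if cs.static_class is None:
        return type_signature(cs)
    targets = {resolve(c, cs.method) for c in subclasses(cs.static_class)}
    targets.discard(None)
    return targets


POLICIES = {"no-CFI": no_cfi, "address-taken": address_taken,
            "type-signature": type_signature, "class-hierarchy": class_hierarchy}


def evaluate() -> Dict[str, Dict[str, int]]:
    """Per policy, the residual target-set size at each callsite."""
    return {p: {cs.name: len(fn(cs)) for cs in CALLSITES} for p, fn in POLICIES.items()}


def rank(results: Dict[str, Dict[str, int]]) -> List[str]:
    """Strongest policy first: fewest targets in total, then smallest worst callsite."""
    return sorted(results, key=lambda p: (sum(results[p].values()), max(results[p].values())))


def report(results: Dict[str, Dict[str, int]]) -> None:
    base = results["no-CFI"]
    for p in rank(results):
        row = results[p]
        cells = ", ".join(f"{cs}={n} ({100 * (1 - n / base[cs]):.0f}% cut)" for cs, n in row.items())
        print(f"{p:16s} total={sum(row.values()):3d}  {cells}")


if __name__ == "__main__":
    report(evaluate())
```

Running it prints one row per policy, strongest first, with the residual target count and the percentage cut at every callsite. The `vcall_Base_run` row is where the signature policy still admits `Base::stop` (same type, wrong method) while the hierarchy policy does not; a single average over all indirect transfers would hide exactly this kind of per-callsite difference.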

References

[1] M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. 2005. Control Flow Integrity. In Proceedings of the Conference on Computer and Communications Security (CCS).
[2] M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. 2009. Control Flow Integrity Principles, Implementations, and Applications. In Transactions on Information and System Security (TISSEC).
[3] M. Backes and S. Nürnberger. 2014. Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing. In Proceedings of the USENIX Security Symposium (USENIX Security).
[4] BlueLotus Team. 2015. bctf challenge: Bypass vtable read-only checks. https://github.com/ctfs/write-ups-2015/tree/master/bctf-2015/exploit/zhongguancun.
[5] D. Bounov, R. G. Kici, and S. Lerner. 2016. Protecting C++ Dynamic Dispatch Through VTable Interleaving. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[6] N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer. 2017. Control-Flow Integrity: Precision, Security, and Performance. In ACM Computing Surveys (CSUR).
[7] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T.-R. Gross. 2015. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. In Proceedings of the USENIX Security Symposium (USENIX Security).
[8] N. Carlini and D. Wagner. 2014. ROP is Still Dangerous: Breaking Modern Defenses. In Proceedings of the USENIX Security Symposium (USENIX Security).
[9] Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. 2014. ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[10] M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, C. Liebchen, M. Negro, M. Qunaibit, and A.-R. Sadeghi. 2015. Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks. In Proceedings of the Conference on Computer and Communications Security (CCS).
[11] S. Crane, S. Volckaert, F. Schuster, C. Liebchen, P. Larsen, L. Davi, A.-R. Sadeghi, T. Holz, B. De Sutter, and M. Franz. 2015. It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks. In Proceedings of the Conference on Computer and Communications Security (CCS).
[12] L. Davi, A.-R. Sadeghi, and M. Winandy. 2011. ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks. In Proceedings of the Asia Conference on Computer and Communications Security (AsiaCCS).
[13] M. Elsabagh, D. Fleck, and A. Stavrou. 2017. Strict Virtual Call Integrity Checking for C++ Binaries. In Proceedings of the Asia Conference on Computer and Communications Security (AsiaCCS).
[14] I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. 2015. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In Proceedings of the Conference on Computer and Communications Security (CCS).
[15] Apache Software Foundation. 2019. Apache Traffic Server. http://trafficserver.apache.org/.
[16] X. Ge, N. Talele, M. Payer, and T. Jaeger. 2016. Fine-Grained Control-Flow Integrity for Kernel Software. In Proceedings of the European Symposium on Security and Privacy (EuroS&P).
[17] Google. 2019. Google Chromium. https://www.chromium.org/.
[18] Y. Gu, Q. Zhao, Y. Zhang, and Z. Lin. 2017. PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace. In Proceedings of the Conference on Data and Application Security and Privacy (CODASPY).
[19] E. Göktas, E. Athanasopoulos, and H. Bos. 2014. Out Of Control: Overcoming Control-Flow Integrity. In Proceedings of the Symposium on Security and Privacy (S&P).
[20] I. Haller, E. Göktas, E. Athanasopoulos, G. Portokalidis, and H. Bos. 2015. ShrinkWrap: VTable Protection without Loose Ends. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).
[21] Apache Software Foundation. 2019. Apache httpd. https://httpd.apache.org/docs/2.4/programs/httpd.html.
[22] K. K. Ispoglou, B. AlBassam, T. Jaeger, and M. Payer. 2018. Block Oriented Programming: Automating Data-Only Attacks. In Proceedings of the Conference on Computer and Communications Security (CCS).
[23] S. Krahmer. 2005. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. https://users.suse.com/~krahmer/no-nx.pdf.
[24] V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. 2014. Code-Pointer Integrity. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI).
[25] B. Lan, Y. Li, H. Sun, C. Su, Y. Liu, and Q. Zeng. 2015. Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses. In Proceedings of IEEE Trustcom/BigDataSE/ISPA.
[26] J. Lettner, B. Kollenda, A. Homescu, P. Larsen, F. Schuster, L. Davi, A.-R. Sadeghi, T. Holz, and M. Franz. 2016. Subversive-C: Abusing and Protecting Dynamic Message Dispatch. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC).
[27] Lighttpd. 2019. Lighttpd. https://www.lighttpd.net/.
[28] LLVM. 2017. The LLVM Compiler Infrastructure. https://llvm.org/.
[29] LLVM. 2018. Clang/LLVM compiler framework. https://clang.llvm.org/.
[30] Memcached. 2019. Memcached. https://memcached.org/.
[31] P. Muntean, M. Fischer, G. Tan, Z. Lin, J. Grossklags, and C. Eckert. 2018. τCFI: Type-Assisted Control Flow Integrity for x86-64 Binaries. In Proceedings of the Symposium on Research in Attacks, Intrusions, and Defenses (RAID).
[32] P. Muntean, S. Wuerl, J. Grossklags, and C. Eckert. 2018. CastSan: Efficient Detection of Polymorphic C++ Object Type Confusions with LLVM. In Proceedings of the European Symposium on Research in Computer Security (ESORICS).
[33] Nginx. 2019. Nginx. https://nginx.org/en/.
[34] B. Niu and G. Tan. 2014. Modular Control-Flow Integrity. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI).
[35] B. Niu and G. Tan. 2015. Per-Input Control-Flow Integrity. In Proceedings of the Conference on Computer and Communications Security (CCS).
[36] NodeJS. 2019. NodeJS. https://nodejs.org/en/.
[37] A. Pawlowski, M. Contag, V. van der Veen, C. Ouwehand, T. Holz, H. Bos, E. Athanasopoulos, and C. Giuffrida. 2017. MARX: Uncovering Class Hierarchies in C++ Programs. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[38] A. Prakash, X. Hu, and H. Yin. 2015. vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[39] A. Peslyak (Solar Designer). 1997. Return-into-libc overflow exploit. https://seclists.org/bugtraq/1997/Aug/63.
[40] G. Ramalingam. 1994. The Undecidability of Aliasing. In Transactions on Programming Languages and Systems (TOPLAS).
[41] Redis. 2019. Redis. https://redis.io/.
[42] J. Rossie Jr. and D. Friedman. 1995. An Algebraic Semantics of Subobjects. In Proceedings of the Annual Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA).
[43] J. Salwan. 2011. ROPgadget - Gadgets Finder and Auto-roper. http://shell-storm.org/project/ROPgadget/.
[44] S. Schirra. 2017. Ropper. https://github.com/sashs/Ropper.
[45] Valgrind. 2018. Valgrind Home. http://valgrind.org/.
[46] F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. 2015. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In Proceedings of the Symposium on Security and Privacy (S&P).
[47] F. Schuster, T. Tendyck, J. Pewny, A. Maaß, M. Steegmanns, M. Contag, and T. Holz. 2014. Evaluating the Effectiveness of Current Anti-ROP Defenses. In Proceedings of the Symposium on Research in Attacks, Intrusions, and Defenses (RAID).
[48] H. Shacham. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (On the x86). In Proceedings of the Conference on Computer and Communications Security (CCS).
[49] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. 2014. Enforcing Forward-Edge Control-Flow Integrity in GCC and LLVM. In Proceedings of the USENIX Security Symposium (USENIX Security).
[50] F. Tip, J.-D. Choi, J. Field, and G. Ramalingam. 1996. Slicing Class Hierarchies in C++. In Proceedings of the Annual Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA).
[51] V. van der Veen, D. Andriesse, M. Stamatogiannakis, X. Chen, H. Bos, and C. Giuffrida. 2017. The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later. In Proceedings of the Conference on Computer and Communications Security (CCS).
[52] V. van der Veen, E. Göktas, M. Contag, A. Pawlowski, X. Chen, S. Rawat, H. Bos, T. Holz, E. Athanasopoulos, and C. Giuffrida. 2016. A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level. In Proceedings of the Symposium on Security and Privacy (S&P).
[53] Y. Wang, C. Zhang, X. Xiang, Z. Zhao, W. Li, X. Gong, B. Liu, K. Chen, and W. Zou. 2018. Revery: From Proof-of-Concept to Exploitable. In Proceedings of the Conference on Computer and Communications Security (CCS).
[54] D. Williams-King, G. Gobieski, K. Williams-King, J. P. Blake, X. Yuan, P. Colp, M. Zheng, V. P. Kemerlis, J. Yang, and W. Aiello. 2016. Shuffler: Fast and Deployable Continuous Code Re-Randomization. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI).
[55] P. Wollgast, R. Gawlik, B. Garmany, B. Kollenda, and T. Holz. 2016. Automated Multi-architectural Discovery of CFI-Resistant Code Gadgets. In Proceedings of the European Symposium on Research in Computer Security (ESORICS).
[56] X. Xu, M. Ghaffarinia, W. Wang, K. Hamlen, and Z. Lin. 2019. CONFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software. In Proceedings of the USENIX Security Symposium (USENIX Security).
[57] C. Zhang, S. A. Carr, T. Li, Y. Ding, C. Song, M. Payer, and D. Song. 2016. vTrust: Regaining Trust on Virtual Calls. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[58] C. Zhang, C. Song, K. Z. Chen, Z. Chen, and D. Song. 2015. vTint: Protecting Virtual Function Tables' Integrity. In Proceedings of the Symposium on Network and Distributed System Security (NDSS).
[59] M. Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In Proceedings of the USENIX Security Symposium (USENIX Security).



      Published In

      ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference
      December 2019, 821 pages
      ISBN: 9781450376280
      DOI: 10.1145/3359789
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Clang
      2. LLVM
      3. computer systems
      4. control flow integrity
      5. defense

      Qualifiers

      • Research-article

      Funding Sources

      • US NSF
      • ONR

      Conference

      ACSAC '19
      ACSAC '19: 2019 Annual Computer Security Applications Conference
      December 9 - 13, 2019
      San Juan, Puerto Rico, USA

      Acceptance Rates

      ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;
      Overall Acceptance Rate 104 of 497 submissions, 21%

      Article Metrics

      • Downloads (Last 12 months)237
      • Downloads (Last 6 weeks)32
      Reflects downloads up to 03 Oct 2024

      Cited By

      • Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era. 2024 Security for Space Systems (3S), pp. 1-11. doi:10.23919/3S60530.2024.10592292 (published 27 May 2024)
      • Effectiveness of Binary-Level CFI Techniques. Foundations and Practice of Security, pp. 87-103. doi:10.1007/978-3-031-57537-2_6 (published 25 Apr 2024)
      • Renewable Just-In-Time Control-Flow Integrity. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 580-594. doi:10.1145/3607199.3607239 (published 16 Oct 2023)
      • SHERLOC: Secure and Holistic Control-Flow Violation Detection on Embedded Systems. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 1332-1346. doi:10.1145/3576915.3623077 (published 15 Nov 2023)
      • MagBox. Future Generation Computer Systems 140:C, pp. 282-298. doi:10.1016/j.future.2022.10.035 (published 1 Mar 2023)
      • Not so fast: understanding and mitigating negative impacts of compiler optimizations on code reuse gadget sets. Proceedings of the ACM on Programming Languages 5:OOPSLA, pp. 1-30. doi:10.1145/3485531 (published 15 Oct 2021)
      • ARA: Static Initialization of Dynamically-Created System Objects. 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS), pp. 400-412. doi:10.1109/RTAS52030.2021.00039 (published May 2021)
