DOI: 10.1145/3373376.3378506 (ASPLOS conference proceedings, research article, public access)

Hurdle: Securing Jump Instructions Against Code Reuse Attacks

Published: 13 March 2020

Abstract

Code-reuse attacks represent the state-of-the-art in exploiting memory safety vulnerabilities. Control-flow integrity techniques offer a promising direction for preventing code-reuse attacks, but these attacks are resilient against imprecise and heuristic-based detection and prevention mechanisms.
In this work, we propose a new context-sensitive control-flow integrity system (Hurdle) that guarantees pairwise gadgets cannot be chained in a code-reuse attack. Hurdle improves upon prior techniques by using SMT constraint solving to ensure that indirect control flow transfers cannot be maliciously redirected to execute gadget chains. At the same time, Hurdle's security policy is flexible enough that benign executions are only rarely mischaracterized as malicious. When such mischaracterizations occur, Hurdle can generalize its constraint solving to avoid these mischaracterizations at low marginal cost.
We propose architecture extensions for Hurdle which consist of an extended branch history register and new instructions. Thanks to its hardware support, Hurdle enforces a context-sensitive control-flow integrity policy with 1.02% average runtime overhead.
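As an added illustration, not code from the paper (the abstract does not publish Hurdle's mechanism), the following constructed Python model contrasts a coarse CFI check, which validates each indirect transfer in isolation, with a pairwise check that also validates the pair (previous indirect target, current indirect target) recorded in a short branch history register. The control-flow graph, addresses and trace are constructed, and the `allow_pair` method is a stand-in for the "generalize at low marginal cost" step, not Hurdle's SMT-based procedure.

```python
from collections import deque

# Constructed example: a program with four legitimate indirect-branch targets.
# A coarse CFI policy checks each target on its own; a pairwise policy also
# checks the pair (previous indirect target, current indirect target) against
# the pairs the program's control-flow graph can actually produce.
VALID_TARGETS = {0x1000, 0x2000, 0x3000, 0x4000}
ALLOWED_PAIRS = {
    (0x1000, 0x2000),
    (0x2000, 0x3000),
    (0x3000, 0x1000),
    (0x3000, 0x4000),
}


class CoarseCFI:
    """Accepts any transfer whose target is a legitimate entry point."""

    def check(self, target):
        return target in VALID_TARGETS


class PairwiseCFI:
    """Keeps a two-entry branch history register and checks consecutive pairs."""

    def __init__(self, allowed_pairs=ALLOWED_PAIRS):
        self.allowed = set(allowed_pairs)
        self.bhr = deque(maxlen=2)  # most recent indirect-branch targets

    def check(self, target):
        if target not in VALID_TARGETS:
            return False
        self.bhr.append(target)
        if len(self.bhr) < 2:
            return True  # no predecessor yet, nothing to pair
        return tuple(self.bhr) in self.allowed

    def allow_pair(self, prev_target, target):
        """Whitelist a benign pair the static CFG missed (assumed stand-in for
        the generalization step the abstract mentions, not Hurdle's method)."""
        self.allowed.add((prev_target, target))


def run(policy, trace):
    """Return (accepted, index of the first rejected transfer or None)."""
    for i, target in enumerate(trace):
        if not policy.check(target):
            return False, i
    return True, None


# Constructed trace: every target is legitimate on its own, but 0x2000 -> 0x4000
# is a pair the CFG never produces, i.e. two valid edges chained illegitimately.
TRACE = [0x1000, 0x2000, 0x4000]

if __name__ == "__main__":
    print("coarse  :", run(CoarseCFI(), TRACE))    # (True, None)
    print("pairwise:", run(PairwiseCFI(), TRACE))  # (False, 2)
```

The coarse policy accepts the whole trace because each target is a legitimate entry point; the pairwise policy rejects the third transfer because that particular chaining never occurs in the constructed CFG.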


Published In

ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, March 2020, 1412 pages. ISBN: 9781450371025. DOI: 10.1145/3373376.

© 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. code-reuse attacks
  2. control-flow integrity
  3. SMT solvers


Conference

ASPLOS '20

Acceptance Rates

Overall Acceptance Rate 535 of 2,713 submissions, 20%
