DOI: 10.1145/3548606.3559344
Research article (open access)

CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation

Published: 07 November 2022

Abstract

Intel control-flow enforcement technology (CET) is a new hardware feature available in recent Intel processors. It supports coarse-grained control-flow integrity for software to defeat memory corruption attacks. In this paper, we retrofit CET, particularly the write-protected shadow pages that CET uses to implement shadow stacks, to develop a generic and efficient intra-process memory isolation mechanism, dubbed CETIS.
To provide user-friendly interfaces, we developed a CETIS framework that provides a memory file abstraction for the isolated memory regions and a set of APIs to access those regions. CETIS also comes with a compiler-assisted tool chain that lets users build secure applications easily. We demonstrate the practicality of using CETIS to protect CPI, CFIXX, and JIT compilers, and the evaluation reveals that CETIS performs better than state-of-the-art intra-process memory isolation mechanisms such as MPK.

Supplementary Material

MP4 File (CCS22-fp0089.mp4)
Presentation video



Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, November 2022, 3598 pages. ISBN: 9781450394505. DOI: 10.1145/3548606.
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. intel cet
    2. intra-process memory isolation
    3. memory file abstraction

    Qualifiers

    • Research-article

    Funding Sources

    • National Natural Science Foundation of China

Conference

CCS '22

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

    • (2024) PeTAL: Ensuring Access Control Integrity against Data-only Attacks on Linux. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 2919-2933. DOI: 10.1145/3658644.3690184. Online publication date: 2 Dec 2024.
    • (2024) Safeslab: Mitigating Use-After-Free Vulnerabilities via Memory Protection Keys. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 1345-1359. DOI: 10.1145/3658644.3670279. Online publication date: 2 Dec 2024.
    • (2024) ISLAB: Immutable Memory Management Metadata for Commodity Operating System Kernels. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 1159-1172. DOI: 10.1145/3634737.3644994. Online publication date: 1 Jul 2024.
    • (2024) System Call Interposition Without Compromise. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 183-194. DOI: 10.1109/DSN58291.2024.00030. Online publication date: 24 Jun 2024.
    • (2023) PANIC: PAN-assisted Intra-process Memory Isolation on ARM. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 919-933. DOI: 10.1145/3576915.3623206. Online publication date: 15 Nov 2023.
    • (2023) μSwitch: Fast Kernel Context Isolation with Implicit Context Switches. 2023 IEEE Symposium on Security and Privacy (SP), 2956-2973. DOI: 10.1109/SP46215.2023.10179284. Online publication date: May 2023.
    • (2023) The Opportunities and Limitations of Extended Page Table Switching for Fine-Grained Isolation. IEEE Security and Privacy 21(3), 16-26. DOI: 10.1109/MSEC.2023.3251385. Online publication date: 1 May 2023.