Scott A. Carr
Mathias Payer
ABSTRACT
Applications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating. Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages with an- notations, allowing the programmer to protect selected data types. The DCI compiler and runtime system prevent illegal reads (confidentiality) and writes (integrity) to instances of these types. The programmer selects types that contain security critical information such as passwords, cryptographic keys, or identification tokens. Protecting only this critical data greatly reduces performance overhead relative to complete memory safety.
Our prototype implementation of DCI, DataShield, shows the applicability and efficiency of our approach. For SPEC CPU2006, the performance overhead is at most 16.34%. For our case studies, we instrumented mbedTLS, astar, and libquantum to show that our annotation approach is practical. The overhead of our SSL/TLS server is 35.7% with critical data structures protected at all times. Our security evaluation shows DataShield mitigates a recently discovered vulnerability in mbedTLS.
- M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow Integrity. CCS 2005. Google Scholar
Digital Library
- P. Akritidis. Cling: A Memory Allocator to Mitigate Dangling Pointers. USENIX Security 2010. Google ScholarDigital Library
- P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing Memory Error Exploits with WIT. In S&P 2008. Google ScholarDigital Library
- P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense Against Out-of-Bounds Errors. In USENIX Security 2009. Google ScholarDigital Library
- E. D. Berger and B. G. Zorn. DieHard: Probabilistic Memory Safety for Unsafe Languages. PLDI 2006. Google ScholarDigital Library
- T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In ASIACCS '11. Google ScholarDigital Library
- N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer. Control-Flow Integrity: Protection, Security, and Performance. In CSUR, 2017.Google Scholar
- N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. In USENIX Security 2015. Google ScholarDigital Library
- S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data Attacks Are Realistic Threats. SSYM 2005. Google ScholarDigital Library
- Y. Chen, S. Reymondjohnson, Z. sun, and L. Lu. Shreds: Fine-grained Execution Units with Private Memory. In S&P 2016.Google Scholar
- P. Collingbourne. LLVM -- Control Flow Integrity, 2015. http://clang.llvm.org/docs/ControlFlowIntegrity.html.Google Scholar
- C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security 1998. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-overflow Attacks. SSYM 1998. Google ScholarDigital Library
- J. Devietti, C. Blundell, M. M. K. Martin, and S. Zdancewic. Hardbound: Architectural Support for Spatial Safety of the C Programming Language. ASPLOS XIII (2008). Google ScholarDigital Library
- D. Dhurjati, S. Kowshik, and V. Adve. SAFECode: Enforcing Alias Analysis for Weakly Typed Languages. PLDI 2006. Google ScholarDigital Library
- Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey, and J. A. Halderman. The Matter of Heartbleed. In IMC 2014. Google ScholarDigital Library
- H.-C. Estler, C. Furia, M. Nordio, M. Piccioni, and B. Meyer. Contracts in Practice. In FM 2014: Formal Methods. Google ScholarDigital Library
- I. Evans, S. Fingeret, J. Gonzalez, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi. Missing the Point: On the Effectiveness of Code Pointer Integrity. In S&P 2015. Google ScholarDigital Library
- I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In CCS 2015. Google ScholarDigital Library
- I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos. Control Jujutsu: On the Weaknesses of fine-grained Control Flow Integrity. 2015.Google Scholar
- E. Goktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out Of Control: Overcoming Control-Flow Integrity. In S&P 2014. Google ScholarDigital Library
- I. Haller, E. van der Kouwe, C. Giuffrida, and H. Bos. METAlloc: Efficient and Comprehensive Metadata Management for Software Security Hardening. EuroSec 2006. Google ScholarDigital Library
- M. Hicks. What is memory safety. http://www.pl-enthusiast.net/2014/07/21/memory-safety/.Google Scholar
- H. Hu, S. Shinde, S. Adrian, Z. L. Chua, P. Saxena, and Z. Liang. Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks. In 2016 IEEE Symposium on Security and Privacy (SP), pages 969--986, May 2016.Google ScholarCross Ref
- D. Jang, Z. Tatlock, and S. Lerner. SAFEDISPATCH: Securing CGoogle Scholar
- virtual calls from memory corruption attacks. In NDSS 2014.Google Scholar
- T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A Safe Dialect of C. ATEC 2002. Google ScholarDigital Library
- V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-Pointer Integrity. In OSDI 2014. Google ScholarDigital Library
- S. McCamant and G. Morrisett. Evaluating SFI for a CISC Architecture. In USENIX Security 2006. Google ScholarDigital Library
- Microsoft Corporation. Control Flow Guard (Windows). https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx, 2016.Google Scholar
- S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. Everything You Want to Know About Pointer-Based Checking. In SNAPL 2015.Google Scholar
- S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety. ISCA 2012. Google ScholarDigital Library
- S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking. CGO 2014. Google ScholarDigital Library
- S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. CETS: Compiler Enforced Temporal Safety for C. ISMM 2010. Google ScholarDigital Library
- S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. PLDI 2009. Google ScholarDigital Library
- G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: Type-safe Retrofitting of Legacy Software. ACM Trans. Program. Lang. Syst. Google ScholarDigital Library
- Nergal. The advanced return-into-lib(c) exploits. Phrack, 11(58):http://phrack.com/issues.html?issue=67&id=8, Nov. 2007.Google Scholar
- B. Niu and G. Tan. Modular Control-flow Integrity. PLDI 2014. Google ScholarDigital Library
- B. Niu and G. Tan. Monitor Integrity Protection with Space Efficiency and Separate Compilation. CCS 2013. Google ScholarDigital Library
- B. Niu and G. Tan. Per-Input Control-Flow Integrity. CCS 2015. Google ScholarDigital Library
- B. Niu and G. Tan. RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity. CCS 2014. Google ScholarDigital Library
- G. Novark and E. D. Berger. DieHarder: Securing the Heap. CCS 2010. Google ScholarDigital Library
- A. Oikonomopoulos, E. Athanasopoulos, H. Bos, and C. Giuffrida. Poking Holes in Information Hiding. In USENIX Security 2016).Google Scholar
- K. Pattabiraman, V. Grover, and B. G. Zorn. Samurai: Protecting Critical Data in Unsafe Languages. Eurosys 2008. Google ScholarDigital Library
- PaX-Team. PaX ASLR. http://pax.grsecurity.net/docs/aslr.txt, 2003.Google Scholar
- M. Payer, A. Barresi, and T. R. Gross. Fine-Grained Control-Flow Integrity Through Binary Hardening. In DIMVA 2015. Google ScholarDigital Library
- T. W. Schiller, K. Donohue, F. Coward, and M. D. Ernst. Case Studies and Tools for Contract Specifications. ICSE 2014. Google ScholarDigital Library
- C. Schlesinger, K. Pattabiraman, N. Swamy, D. Walker, and B. Zorn. Modular Protections against Non-Control Data Attacks. In CSF 2011. Google ScholarDigital Library
- F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in CGoogle Scholar
- Applications. In S&P 2015.Google Scholar
- C. Song, B. Lee, K. Lu, W. R. Harris, T. Kim, and W. Lee. Enforcing Kernel Security Invariants with Data Flow Integrity. In NDSS 2016.Google Scholar
- L. Szekeres, M. Payer, T. Wei, and D. Song. SoK: Eternal War in Memory. S&P 2013. Google ScholarDigital Library
- C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM. In USENIX Security 2014. Google ScholarDigital Library
- A. van de Ven and I. Molnar. Exec Shield. https://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf, 2004.Google Scholar
- V. van der Veen, D. Andriesse, E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida. Practical Context-Sensitive CFI. CCS 2015. Google ScholarDigital Library
- G. Vranken. CVE-2015--5291: remote heap corruption in ARM mbed TLS / PolarSSL, October 2015.Google Scholar
- J. Wagner, V. Kuznetsov, G. Candea, and J. Kinder. High System-Code Security with Low Overhead. In S&P 2015. Google ScholarDigital Library
- B. Yee, D. Sehr, G. Dardyk, B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. In S&P 2009. Google ScholarDigital Library
- Y. Younan, P. Philippaerts, L. Cavallaro, R. Sekar, F. Piessens, and W. Joosen. PAriCheck: An Efficient Pointer Arithmetic Checker for C Programs. ASIACCS 2010. Google ScholarDigital Library
Index Terms
- DataShield: Configurable Data Confidentiality and Integrity
Recommendations
A Survey on XSS Attack Detection and Prevention in Web Applications
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and ComputingWith the popularity of web technology, web applications become more increasingly vulnerable and are exposed to malicious attacks. Cross Site Scripting(XSS) is a typical attack in web applications. When a vulnerability is exploited, an attacker may ...
Detecting Blind Cross-Site Scripting Attacks Using Machine Learning
SPML '18: Proceedings of the 2018 International Conference on Signal Processing and Machine LearningCross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a ...
Control-Flow Hijacking: Are We Making Progress?
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications SecurityMemory corruption errors in C/C++ programs remain the most common source of security vulnerabilities in today's systems. Over the last 10+ years the security community developed several defenses [4]. Data Execution Prevention (DEP) protects against code ...
Comments