ABSTRACT
Control flow integrity (CFI) has received significant attention in the community as a defense against control-hijacking attacks in the presence of memory corruption vulnerabilities. The challenges of building a practical CFI have led to a new type of CFI based on runtime type checking (RTC). RTC-based CFI has been implemented in a number of recent practical efforts such as GRSecurity Reuse Attack Protector (RAP) and LLVM-CFI. While a number of previous efforts have studied the strengths and limitations of other types of CFI techniques, little has been done to evaluate RTC-based CFI. In this work, we study the effectiveness of RTC from the security and practicality aspects. From the security perspective, we observe that type collisions are abundant in sufficiently large code bases, but exploiting them to build a functional attack is not straightforward. We then show how an attacker can bypass RTC techniques using a variant of ROP attacks that respects type checking (called TROP), and we build two proof-of-concept exploits, one against the Nginx web server and the other against the Exim mail server. We also discuss practical challenges of implementing RTC. Our findings suggest that while RTC is more practical for applying CFI to large code bases, its policy is not strong enough when facing a motivated attacker.
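As an added illustration (not code from the paper or from RAP/LLVM-CFI), the following C model shows what a runtime type check at an indirect call site does and why type collisions matter: the function table, prototype strings and FNV-1a type hashes are constructed stand-ins for the compiler-emitted type ids, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type id: FNV-1a hash of the canonical prototype string. Stands in for the
 * per-type hash that RTC-based CFI attaches to functions and call sites. */
static uint64_t type_id(const char *proto) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *proto; proto++) { h ^= (unsigned char)*proto; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed sample program: two functions share void(int), one does not. */
static int log_count, flush_count, exec_count;
static void log_event(int n)       { log_count += n; }
static void flush_cache(int n)     { flush_count += n; }
static void run_cmd(const char *c) { (void)c; exec_count++; }

/* Metadata a compiler would emit: every function entry tagged with its prototype. */
struct fn_meta { void (*fn)(void); const char *proto; };
static const struct fn_meta table[] = {
    { (void (*)(void))log_event,   "void(int)" },
    { (void (*)(void))flush_cache, "void(int)" },
    { (void (*)(void))run_cmd,     "void(const char *)" },
};

/* Checked indirect call from a site expecting void(int). Returns 1 if the
 * transfer was allowed, 0 if the check blocked it. */
static int cfi_call_void_int(void (*target)(int), int arg) {
    uint64_t expected = type_id("void(int)");
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].fn != (void (*)(void))target) continue;
        if (type_id(table[i].proto) != expected) return 0;  /* prototype mismatch */
        target(arg);
        return 1;
    }
    return 0;  /* not a function entry at all */
}

int main(void) {
    /* Intended target: allowed. */
    printf("log_event:   %d\n", cfi_call_void_int(log_event, 1));
    /* Corrupted pointer aimed at a different prototype: blocked. */
    printf("run_cmd:     %d\n", cfi_call_void_int((void (*)(int))run_cmd, 1));
    /* Corrupted pointer aimed at a colliding prototype: allowed, because the
     * type id is identical. This is the collision the paper measures. */
    printf("flush_cache: %d\n", cfi_call_void_int(flush_cache, 1));
    return 0;
}
```

The check cannot distinguish any two functions whose prototypes hash alike, so the set of reachable targets per call site grows with the number of same-typed functions in the code base, which is the quantity the paper's collision measurements capture.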
- On the Effectiveness of Type-based Control Flow Integrity