BeCFI: detecting hidden control flow with performance monitoring counters

Most existing control flow integrity efforts aim to keep the intended control flow intact. However, they fail to expose hidden control flow that may be introduced by the execution of rootkits, ROP gadgets, and the like. To overcome this challenge, we propose an innovative approach, BeCFI, that detects hidden control flow based on the cross-view principle. Since modern processors can observe the execution of every branch instruction, BeCFI obtains the hardware view with the support of performance monitoring counters (PMCs). To obtain the software view, we build software-based counters through compiler patching and binary overwriting, and monitor the execution of branch instructions with these counters. If a control transfer appears only in the hardware view, BeCFI considers it a hidden control transfer. We have developed a prototype system on the Intel x86 Linux kernel. Our evaluation shows that BeCFI is capable of detecting the hidden control flow introduced by kernel rootkits and ROP attacks. Furthermore, our performance tests demonstrate that BeCFI incurs an acceptable overhead.
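The cross-view comparison described above, as an added illustrative model (not code from the BeCFI prototype): a hardware branch counter sees every executed branch, a software counter exists only at branch sites the instrumentation patched, and the difference between the two views is the number of hidden control transfers. The branch addresses and traces are constructed sample values.

```python
from collections import Counter

# Constructed model of the cross-view check: the hardware PMC counts every
# retired branch, while compiler-patched code bumps a per-site software
# counter only at branches the instrumentation knows about. Branches that
# raise the hardware count with no matching software increment are hidden
# control transfers (e.g. branches executed from rootkit code or a gadget
# chain that was never instrumented).

class CrossViewMonitor:
    def __init__(self, instrumented_sites):
        self.instrumented = set(instrumented_sites)  # sites with a software counter
        self.hw_branches = 0                         # models the PMC branch counter
        self.sw_counters = Counter()                 # models software counters per site

    def retire_branch(self, site):
        """Model one executed branch: hardware always observes it; software
        observes it only if the site was instrumented (assumption: the patched
        counter increments exactly once per execution of that branch)."""
        self.hw_branches += 1
        if site in self.instrumented:
            self.sw_counters[site] += 1

    def hidden_transfers(self):
        """Cross-view comparison: hardware count minus the software total."""
        return self.hw_branches - sum(self.sw_counters.values())

def run_trace(instrumented_sites, trace):
    """Replay a list of branch-site addresses and return the hidden count."""
    mon = CrossViewMonitor(instrumented_sites)
    for site in trace:
        mon.retire_branch(site)
    return mon.hidden_transfers()

# Constructed sample: three instrumented branch sites in patched kernel code.
KERNEL_SITES = [0x1000, 0x1040, 0x10a0]
# Benign run: every branch originates from an instrumented site.
BENIGN_TRACE = [0x1000, 0x1040, 0x1000, 0x10a0]
# Run with injected code: two branches come from addresses the instrumentation
# never patched, so they appear in the hardware view only.
SUSPECT_TRACE = [0x1000, 0xdead0, 0x1040, 0xbeef0, 0x10a0]

if __name__ == "__main__":
    print("benign hidden branches :", run_trace(KERNEL_SITES, BENIGN_TRACE))   # 0
    print("suspect hidden branches:", run_trace(KERNEL_SITES, SUSPECT_TRACE))  # 2
```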
