Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms

Control-flow integrity (CFI) is a promising technique to mitigate control-flow hijacking attacks. In the past decade, dozens of CFI mechanisms have been proposed by researchers. Despite the claims made by themselves, the security promises of these mechanisms have not been carefully evaluated, and thus are questionable. In this paper, we present a solution to measure the gap between the practical security and the claimed theoretical security. First, we propose CScan to precisely measure runtime feasible targets of indirect control transfer (ICT) instructions protected by CFI, by enumerating all potential code addresses and testing whether ICTs are allowed to jump to them. Second, we propose CBench as a sanity check for verifying CFI solutions? effectiveness against typical attacks, by exploiting a comprehensive set of vulnerable programs protected by CFI and verifying the recognized feasible targets. We evaluated 12 most recent open-source CFI mechanisms and discovered 10 flaws in most CFI mechanisms or implementations. For some CFIs, their security policies or protected ICT sets do not match what they claimed. Some CFIs even expand the attack surface (e.g. introducing unintended targets). To facilitate a deeper understanding of CFI, we summarize the flaws into 7 common pitfalls which cover the whole lifetime of CFI mechanisms and reveal issues that affect CFI mechanisms in practical security.

[1]  Ahmad-Reza Sadeghi,et al.  HAFIX: Hardware-Assisted Flow Integrity eXtension , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[2]  Yi Fang,et al.  JITDefender: A Defense against JIT Spraying Attacks , 2011, SEC.

[3]  Kevin W. Hamlen,et al.  Object Flow Integrity , 2017, CCS.

[4]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[5]  N. Asokan,et al.  CFI CaRE: Hardware-supported Call and Return Enforcement for Commercial Microcontrollers , 2017, RAID.

[6]  Sotiris Ioannidis,et al.  HCFI: Hardware-enforced Control-Flow Integrity , 2016, CODASPY.

[7]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[8]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[9]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[10]  Úlfar Erlingsson,et al.  Language-independent sandboxing of just-in-time compilation and self-modifying code , 2011, PLDI '11.

[11]  Claudia Eckert,et al.  τCFI: Type-Assisted Control Flow Integrity for x86-64 Binaries , 2018, RAID.

[12]  Chao Zhang,et al.  Exploiting and Protecting Dynamic Code Generation , 2015, NDSS.

[13]  Petrus de Clercq Hardware supported Software and Control Flow Integrity ; Hardware-gebaseerde integriteit van software en de programmastroom , 2017 .

[14]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection against Return-to-User Attacks , 2012, USENIX Security Symposium.

[15]  Jun Xu,et al.  Architecture Support for Defending Against Buffer Overflow Attacks , 2002 .

[16]  Wouter Joosen,et al.  RIPE: runtime intrusion prevention evaluator , 2011, ACSAC '11.

[17]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[18]  Jun Zhang,et al.  RAGuard: A Hardware Based Mechanism for Backward-Edge Control-Flow Integrity , 2017, Conf. Computing Frontiers.

[19]  Ahmad-Reza Sadeghi,et al.  MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones , 2012, NDSS.

[20]  Claudia Eckert,et al.  Analyzing control flow integrity with LLVM-CFI , 2019, ACSAC.

[21]  Thomas Unterluggauer,et al.  Sponge-Based Control-Flow Protection for IoT Devices , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[22]  Ben Niu,et al.  RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity , 2014, CCS.

[23]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[24]  Vasilis Pappas,et al.  kBouncer : Efficient and Transparent ROP Mitigation , 2012 .

[25]  Sorin Lerner,et al.  Protecting C++ Dynamic Dispatch Through VTable Interleaving , 2016, NDSS.

[26]  Chao Zhang,et al.  VTrust: Regaining Trust on Virtual Calls , 2016, NDSS.

[27]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[28]  Emmett Witchel,et al.  Ensuring operating system kernel integrity with OSck , 2011, ASPLOS XVI.

[29]  Yajin Zhou,et al.  Adaptive Call-Site Sensitive Control Flow Integrity , 2019, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[30]  Scott A. Carr,et al.  CFIXX : Object Type Integrity for C + + Virtual Dispatch , 2017 .

[31]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[32]  Kevin W. Hamlen,et al.  CONFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software , 2019, USENIX Security Symposium.

[33]  Bryan C. Ward,et al.  Control-Flow Integrity for Real-Time Embedded Systems , 2019, ECRTS.

[34]  Xuxian Jiang,et al.  Mitigating code-reuse attacks with control-flow locking , 2011, ACSAC '11.

[35]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[36]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[37]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.

[38]  Chao Zhang,et al.  VTint: Protecting Virtual Function Tables' Integrity , 2015, NDSS.

[39]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[40]  Gang Qu,et al.  HCIC: Hardware-Assisted Control-Flow Integrity Checking , 2018, IEEE Internet of Things Journal.

[41]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[42]  Christopher Krügel,et al.  Taming Transactions: Towards Hardware-Assisted Control Flow Integrity Using Transactional Memory , 2016, RAID.

[43]  Yunheung Paek,et al.  VM-CFI: Control-Flow Integrity for Virtual Machine Kernel Using Intel PT , 2018, ICCSA.

[44]  Zhiqiang Lin,et al.  PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace , 2017, CODASPY.

[45]  Thomas R. Gross,et al.  Fine-Grained Control-Flow Integrity Through Binary Hardening , 2015, DIMVA.

[46]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[47]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[48]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[49]  Thorsten Holz,et al.  Towards automated integrity protection of C++ virtual function tables in binary programs , 2014, ACSAC.

[50]  Heng Yin,et al.  vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries , 2015, NDSS.

[51]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[52]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[53]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[54]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[55]  Stefan Mangard,et al.  Protecting the Control Flow of Embedded Processors against Fault Attacks , 2015, CARDIS.

[56]  Thorsten Holz,et al.  Control-flow restrictor: compiler-based CFI for iOS , 2013, ACSAC.

[57]  Cristiano Giuffrida,et al.  VTPin: practical VTable hijacking protection for binaries , 2016, ACSAC.

[58]  Jie Yang,et al.  Origin-sensitive Control Flow Integrity , 2019, USENIX Security Symposium.

[59]  Xi Chen,et al.  A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[60]  Ahmad-Reza Sadeghi,et al.  C-FLAT: Control-Flow Attestation for Embedded Systems Software , 2016, CCS.

[61]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[62]  Kui Wang,et al.  PAC it up: Towards Pointer Integrity using ARM Pointer Authentication , 2018, USENIX Security Symposium.

[63]  Jingling Xue,et al.  On-demand strong update analysis via value-flow refinement , 2016, SIGSOFT FSE.

[64]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[65]  Taesoo Kim,et al.  JITScope: Protecting web users from control-flow hijacking attacks , 2015, 2015 IEEE Conference on Computer Communications (INFOCOM).

[66]  Herbert Bos,et al.  Framing Signals - A Return to Portable Shellcode , 2014, 2014 IEEE Symposium on Security and Privacy.

[67]  Sandro Etalle,et al.  ECFI: Asynchronous Control Flow Integrity for Programmable Logic Controllers , 2017, ACSAC.

[68]  Ahmad-Reza Sadeghi,et al.  Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[69]  Heng Yin,et al.  Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries , 2015, ACSAC 2015.

[70]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.