Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware, on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proof-of-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

[1]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[2]  Dan S. Wallach,et al.  Opportunities and Limits of Remote Timing Attacks , 2009, TSEC.

[3]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[4]  Elena Gabriela Barrantes,et al.  Known/Chosen Key Attacks against Software Instruction Set Randomization , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[5]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[6]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[7]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[8]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[9]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[10]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[11]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[12]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[13]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[15]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[16]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[17]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[18]  Jack W. Davidson,et al.  Security through Diversity: Leveraging Virtual Machine Technology , 2009, IEEE Security & Privacy.

[19]  Salvatore J. Stolfo,et al.  The MINESTRONE Architecture Combining Static and Dynamic Analysis Techniques for Software Security , 2011, 2011 First SysSec Workshop.

[20]  Mary Lou Soffa,et al.  Retargetable and reconfigurable software dynamic translation , 2003, International Symposium on Code Generation and Optimization, 2003. CGO 2003..

[21]  William W. Streilein,et al.  Finding Focus in the Blur of Moving-Target Techniques , 2014, IEEE Security & Privacy.

[22]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[23]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[24]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[25]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[26]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[27]  Xuxian Jiang,et al.  On the Expressiveness of Return-into-libc Attacks , 2011, RAID.

[28]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[29]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[30]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[31]  François Durvaux,et al.  Efficient Removal of Random Delays from Embedded Software Implementations Using Hidden Markov Models , 2012, CARDIS.

[32]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[34]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[35]  James P Anderson Computer Security Technology Planning Study. Volume 2 , 1972 .

[36]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[37]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[38]  Jeff Seibert,et al.  Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code , 2014, CCS.

[39]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[40]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[41]  Per Larsen,et al.  Diversifying the Software Stack Using Randomized NOP Insertion , 2013, Moving Target Defense.

[42]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[43]  Will Reese,et al.  Nginx: the high-performance web server and reverse proxy , 2008 .

[44]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[45]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[46]  Periklis Akritidis,et al.  Cling: A Memory Allocator to Mitigate Dangling Pointers , 2010, USENIX Security Symposium.

[47]  Dan Boneh,et al.  Cryptographically Enforced Control Flow Integrity , 2014, ArXiv.

[48]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[49]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[50]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[51]  Michael Franz,et al.  Compiler-Generated Software Diversity , 2011, Moving Target Defense.

[52]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[53]  Martín Abadi,et al.  An Overview of the Singularity Project , 2005 .

[54]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[55]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[56]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[57]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.