Origin-sensitive Control Flow Integrity

CFI is an effective, generic defense against control-flow hijacking attacks, especially for C/C++ programs. However, most previous CFI systems have poor security as demonstrated by their large equivalence class (EC) sizes. An EC is a set of targets that are indistinguishable from each other in the CFI policy; i.e., an attacker can “bend” the control flow within an EC without being detected. As such, the large ECs denote the weakest link in a CFI system and should be broken down in order to improve security. An approach to improve the security of CFI is to use contextual information, such as the last branches taken, to refine the CFI policy, the so-called context-sensitive CFI. However, contexts based on the recent execution history are often inadequate in breaking down large ECs due to the limited number of incoming execution paths to an indirect control transfer instruction (ICT).1 In this paper, we propose a new context for CFI, origin sensitivity, that can effectively break down large ECs and reduce the average and largest EC size. Origin-sensitive CFI (OS-CFI) takes the origin of the code pointer called by an ICT as the context and constrains the targets of the ICT with this context. It supports both C-style indirect calls and C++ virtual calls. Additionally, we leverage common hardware features in the commodity Intel processors (MPX and TSX) to improve both security and performance of OS-CFI. Our evaluation shows that OS-CFI can substantially reduce the largest and average EC sizes (by 98% in some cases) and has strong performance – 7.6% overhead on average for all C/C++ benchmarks of SPEC CPU2006 and NGINX.

[1]  Thomas R. Gross,et al.  Fine-Grained Control-Flow Integrity Through Binary Hardening , 2015, DIMVA.

[2]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[3]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[4]  Ben Niu,et al.  RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity , 2014, CCS.

[5]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[6]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[7]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[8]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[9]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[10]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[11]  Xi Chen,et al.  No Need to Hide: Protecting Safe Regions on Commodity Hardware , 2017, EuroSys.

[12]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[13]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[14]  Ahmad-Reza Sadeghi,et al.  Building Control-Flow Integrity Defenses , 2015 .

[15]  Yajin Zhou,et al.  Adaptive Call-Site Sensitive Control Flow Integrity , 2019, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[16]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[17]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[18]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[19]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[20]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[21]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.

[22]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  Chao Zhang,et al.  VTrust: Regaining Trust on Virtual Calls , 2016, NDSS.

[24]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[25]  Ahmad-Reza Sadeghi,et al.  Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[26]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[27]  Jingling Xue,et al.  On-demand strong update analysis via value-flow refinement , 2016, SIGSOFT FSE.

[28]  Ruby B. Lee,et al.  CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds , 2016, RAID.

[29]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[30]  Michael K. Reiter,et al.  Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu , 2017, AsiaCCS.

[31]  Christof Fetzer,et al.  Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches , 2017, ArXiv.

[32]  Mathias Payer,et al.  SoK: Shining Light on Shadow Stacks , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[33]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[34]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[35]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[36]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[37]  Zhi Wang,et al.  Comprehensive and Efficient Protection of Kernel Control Data , 2011, IEEE Transactions on Information Forensics and Security.

[38]  Mathias Payer,et al.  CFIXX: Object Type Integrity for C++ , 2018, NDSS.