Automated CFI Policy Assessment with Reckon

Protecting programs against control-flow hijacking attacks recently has become an arms race between defenders and attackers. While certain defenses, e.g., \textit{Control Flow Integrity} (CFI), restrict the targets of indirect control-flow transfers through static and dynamic analysis, attackers could search the program for available gadgets that fall into the legitimate target sets to bypass the defenses. There are several tools helping both attackers in developing exploits and analysts in strengthening their defenses. Yet, these tools fail to adequately (1) model the deployed defenses, (2) compare them in a head-to-head way, and (3) use program semantic information to help craft the attack and the countermeasures. Control Flow Integrity (CFI) has proved to be one of the promising defenses against control flow hijacks and tons of efforts have been made to improve CFI in various ways in the past decade. However, there is a lack of a systematic assessment of the existing CFI defenses. In this paper, we present Reckon, a static source code analysis tool for assessing state-of-the-art static CFI defenses, by first precisely modeling them and then evaluating them in a unified framework. Reckon helps determine the level of security offered by different CFI defenses, and find usable code gadgets even after the CFI defenses were applied, thus providing an important step towards successful exploits and stronger defenses. We have used Reckon to assess eight state-of-the-art static CFI defenses on real-world programs such as Google's Chrome and Apache Httpd. Reckon provides precise measurements of the residual attack surfaces, and accordingly ranks CFI policies against each other. It also successfully paves the way to construct code reuse attacks and to eliminate the remaining attack surface, by disclosing calltargets under one of the most restrictive CFI defenses.

[1]  Jonathan G. Rossie,et al.  An algebraic semantics of subobjects , 1995, OOPSLA.

[2]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[3]  Chao Zhang,et al.  VTint: Protecting Virtual Function Tables' Integrity , 2015, NDSS.

[4]  Herbert Bos,et al.  MARX: Uncovering Class Hierarchies in C++ Programs , 2017, NDSS.

[5]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[6]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[7]  Xi Chen,et al.  A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[8]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[9]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[10]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[11]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[12]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[13]  Ahmad-Reza Sadeghi,et al.  Subversive-C: Abusing and Protecting Dynamic Message Dispatch , 2016, USENIX Annual Technical Conference.

[14]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[15]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[16]  Moritz Contag,et al.  Evaluating the Effectiveness of Current Anti-ROP Defenses , 2014, RAID.

[17]  Michael Backes,et al.  Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing , 2014, USENIX Security Symposium.

[18]  Heng Yin,et al.  vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries , 2015, NDSS.

[19]  Angelos Stavrou,et al.  Strict Virtual Call Integrity Checking for C++ Binaries , 2017, AsiaCCS.

[20]  Herbert Bos,et al.  ShrinkWrap: VTable Protection without Loose Ends , 2015, ACSAC 2015.

[21]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[22]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[23]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[24]  Xi Chen,et al.  The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later , 2017, CCS.

[25]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[26]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[27]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[28]  Dongli Zhang,et al.  NORAX: Enabling Execute-Only Memory for COTS Binaries on AArch64 , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[29]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[30]  Chao Zhang,et al.  Revery: From Proof-of-Concept to Exploitable , 2018, CCS.

[31]  Yan Li,et al.  Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[32]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[33]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[34]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[35]  Thorsten Holz,et al.  Automated Multi-architectural Discovery of CFI-Resistant Code Gadgets , 2016, ESORICS.

[36]  Jong-Deok Choi,et al.  Slicing class hierarchies in C++ , 1996, OOPSLA '96.

[37]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.

[38]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[39]  Sorin Lerner,et al.  Protecting C++ Dynamic Dispatch Through VTable Interleaving , 2016, NDSS.