GPT Conjecture: Understanding the Trade-offs between Granularity, Performance and Timeliness in Control-Flow Integrity

A trade-off between performance and security is widely observed in CFI research; however, we observe that not every CFI scheme is subject to it. Motivated by this key observation, we ask three questions. Although the three questions probably cannot be answered directly, they are inspiring. We find that a deeper understanding of the nature of the trade-off will help answer them. Accordingly, we propose the GPT conjecture to pinpoint the trade-off in designing CFI schemes: at most two out of three properties (fine granularity, acceptable performance, and preventive protection) can be achieved at the same time.