Control-Flow Integrity: Attacks and Protections

Despite the intense efforts to prevent programmers from writing code with memory errors, memory corruption vulnerabilities are still a major security threat. Consequently, control-flow integrity has received significant attention in the research community, and software developers to combat control code execution attacks in the presence of type of faults. Control-flow Integrity (CFI) is a large family of techniques that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running process cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques, including code reuse attacks, return-to-user, return-to-libc, and replay attacks. We also classify these techniques based on their security, robustness, and implementation complexity. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. We conclude that the performance overhead introduced, jointly with the partial attack coverage, is discouraging the industry from adopting most of them.

[1]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[2]  Dan Meng,et al.  Zipper Stack: Shadow Stacks Without Shadow , 2020, ESORICS.

[3]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[4]  Angelos D. Keromytis,et al.  kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse , 2017, EuroSys.

[5]  Jianfeng Ma,et al.  Fine-CFI: Fine-Grained Control-Flow Integrity for Operating System Kernels , 2018, IEEE Transactions on Information Forensics and Security.

[6]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[7]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[8]  Jing Wang,et al.  Protecting Private Keys against Memory Disclosure Attacks Using Hardware Transactional Memory , 2015, 2015 IEEE Symposium on Security and Privacy.

[9]  Christopher Krügel,et al.  Taming Transactions: Towards Hardware-Assisted Control Flow Integrity Using Transactional Memory , 2016, RAID.

[10]  Herbert Bos,et al.  Framing Signals - A Return to Portable Shellcode , 2014, 2014 IEEE Symposium on Security and Privacy.

[11]  Paul R. Wilson,et al.  Dynamic Storage Allocation: A Survey and Critical Review , 1995, IWMM.

[12]  Mark Dowson,et al.  The Ariane 5 software failure , 1997, SOEN.

[13]  David C. Keezer,et al.  Hardware-Based Run-Time Code Integrity in Embedded Devices , 2018, Cryptogr..

[14]  Sotiris Ioannidis,et al.  HCFI: Hardware-enforced Control-Flow Integrity , 2016, CODASPY.

[15]  Wenke Lee,et al.  ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks , 2015, CCS.

[16]  Lorenzo Martignoni,et al.  Surgically Returning to Randomized lib(c) , 2009, 2009 Annual Computer Security Applications Conference.

[17]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[18]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.

[19]  Ismael Ripoll,et al.  On the Effectiveness of NX, SSP, RenewSSP, and ASLR against Stack Buffer Overflows , 2014, 2014 IEEE 13th International Symposium on Network Computing and Applications.

[20]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[21]  Gang Qu,et al.  HCIC: Hardware-Assisted Control-Flow Integrity Checking , 2018, IEEE Internet of Things Journal.

[22]  Tzi-cker Chiueh,et al.  Foreign Code Detection on the Windows/X86 Platform , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[23]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[24]  Zhiqiang Lin,et al.  PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace , 2017, CODASPY.

[25]  Peng Li,et al.  Understanding integer overflow in C/C++ , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[26]  Xi Chen,et al.  The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later , 2017, CCS.

[27]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[28]  Jiliang Zhang,et al.  DeepCheck: A Non-intrusive Control-flow Integrity Checking based on Deep Learning , 2019, ArXiv.

[29]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[30]  Kui Wang,et al.  PAC it up: Towards Pointer Integrity using ARM Pointer Authentication , 2018, USENIX Security Symposium.

[31]  Ismael Ripoll,et al.  Address Space Layout Randomization Next Generation , 2019, Applied Sciences.

[32]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[33]  Thomas R. Gross,et al.  String oriented programming: when ASLR is not enough , 2013, PPREW '13.

[34]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[35]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[36]  Brian Demsky,et al.  BlackBox: Lightweight security monitoring for COTS binaries , 2016, 2016 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[37]  João Moreira,et al.  DROP THE ROP Fine-grained Control-flow Integrity for the Linux Kernel , 2017 .

[38]  Michael Franz,et al.  Venerable Variadic Vulnerabilities Vanquished , 2017, USENIX Security Symposium.

[39]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[40]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[41]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[42]  Jun Zhang,et al.  RAGuard: A Hardware Based Mechanism for Backward-Edge Control-Flow Integrity , 2017, Conf. Computing Frontiers.

[43]  Ingrid Verbauwhede,et al.  A survey of Hardware-based Control Flow Integrity (CFI) , 2017, ArXiv.

[44]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[45]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[46]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[47]  Christopher Liebchen Advancing Memory-corruption Attacks and Defenses , 2018 .

[48]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[49]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[50]  Yi Yang,et al.  Towards Efficient Heap Overflow Discovery , 2017, USENIX Security Symposium.

[51]  Mauro Conti,et al.  Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets , 2018, NDSS.

[52]  Yuval Yarom,et al.  RAMBleed: Reading Bits in Memory Without Accessing Them , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[53]  Chris Preston,et al.  What you need to know to knead , 1989 .

[54]  Chenyu Wang Advanced code reuse attacks against modern defences , 2019 .

[55]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[56]  Claudia Eckert,et al.  Blind Format String Attacks , 2014, SecureComm.

[57]  Mingwei Zhang,et al.  A platform for secure static binary instrumentation , 2014, VEE '14.

[58]  Ismael Ripoll,et al.  return-to-csu: a new method to bypass 64-bit Linux ASLR , 2018 .

[59]  Vasileios Pappas,et al.  Defending against Return-Oriented Programming , 2015 .

[60]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[61]  Xi Chen,et al.  StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries , 2015, NDSS.

[62]  Yongqiang Lyu,et al.  Control Flow Integrity Based on Lightweight Encryption Architecture , 2018, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[63]  Angelos D. Keromytis,et al.  Kernel Protection Against Just-In-Time Code Reuse , 2019, ACM Trans. Priv. Secur..

[64]  Haibo Chen,et al.  DTrace: fine-grained and efficient data integrity checking with hardware instruction tracing , 2019, Cybersecur..

[65]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[66]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[67]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[68]  Hector Marco Gisbert,et al.  On the Effectiveness of Full-ASLR on 64-bit Linux , 2014 .

[69]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[70]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[71]  Jian Guo,et al.  To Detect Stack Buffer Overflow with Polymorphic Canaries , 2018, 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[72]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[73]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[74]  William K. Robertson,et al.  On the Effectiveness of Type-based Control Flow Integrity , 2018, ACSAC.