Position paper: GPT conjecture: understanding the trade-offs between granularity, performance and timeliness in control-flow integrity

Performance/security trade-off is widely noticed in CFI research, however, we observe that not every CFI scheme is subject to the trade-off. Motivated by the key observation, we ask three questions: ➊ does trade-off really exist in different CFI schemes? ➋ if trade-off do exist, how do previous works comply with it? ➌ how can it inspire future research? Although the three questions probably cannot be directly answered, they are inspiring. We find that a deeper understanding of the nature of the trade-off will help answer the three questions. Accordingly, we proposed the GPT conjecture to pinpoint the trade-off in designing CFI schemes, which says that at most two out of three properties (fine granularity, acceptable performance, and preventive protection) could be achieved.

[1]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[2]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[3]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[4]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[5]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[6]  Harish Patil,et al.  Efficient Run-time Monitoring Using Shadow Processing , 1995, AADEBUG.

[7]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[8]  Sorin Lerner,et al.  Protecting C++ Dynamic Dispatch Through VTable Interleaving , 2016, NDSS.

[9]  Peng Zhang,et al.  Known-plaintext attack on optical encryption based on double random phase keys. , 2006, Optics letters.

[10]  Jon Erickson,et al.  Hacking: The Art of Exploitation , 2008 .

[11]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[12]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[13]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[14]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[15]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[16]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[17]  Scott A. Carr,et al.  CFIXX : Object Type Integrity for C + + Virtual Dispatch , 2017 .

[18]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[19]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[20]  Sandro Etalle,et al.  ECFI: Asynchronous Control Flow Integrity for Programmable Logic Controllers , 2017, ACSAC.

[21]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[22]  Gang Qu,et al.  HCIC: Hardware-Assisted Control-Flow Integrity Checking , 2018, IEEE Internet of Things Journal.

[23]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[24]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[25]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[26]  Claudia Eckert,et al.  τCFI: Type-Assisted Control Flow Integrity for x86-64 Binaries , 2018, RAID.

[27]  Mathias Payer,et al.  CFIXX: Object Type Integrity for C++ , 2018, NDSS.

[28]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.

[29]  Heng Yin,et al.  vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries , 2015, NDSS.

[30]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[31]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[32]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[33]  Jun Zhang,et al.  RAGuard: A Hardware Based Mechanism for Backward-Edge Control-Flow Integrity , 2017, Conf. Computing Frontiers.

[34]  F. Allen,et al.  Control flow analysis , 1970, Symposium on Compiler Optimization.

[35]  Gerhard J. Woeginger,et al.  Space and Time Complexity of Exact Algorithms: Some Open Problems (Invited Talk) , 2004, IWPEC.

[36]  Milo M. K. Martin,et al.  Practical low-overhead enforcement of memory safety for c programs , 2012 .

[37]  Thomas R. Gross,et al.  Fine-Grained Control-Flow Integrity Through Binary Hardening , 2015, DIMVA.

[38]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[39]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[40]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[41]  Amitabha Sanyal,et al.  Data Flow Analysis - Theory and Practice , 2009 .

[42]  Kevin W. Hamlen,et al.  Securing untrusted code via compiler-agnostic binary rewriting , 2012, ACSAC '12.

[43]  Mateo Valero,et al.  A Comprehensive Analysis of Indirect Branch Prediction , 2002, ISHPC.

[44]  Kevin W. Hamlen,et al.  CONFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software , 2019, USENIX Security Symposium.

[45]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[46]  Susan Horwitz,et al.  Precise flow-insensitive may-alias analysis is NP-hard , 1997, TOPL.

[47]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[48]  Oded Goldreich,et al.  Computational complexity: a conceptual perspective , 2008, SIGA.

[49]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[50]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[51]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[52]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.