No-jump-into-basic-block: Enforce basic block CFI on the fly for real-world binaries

Code-reuse attacks are a growing threat to computing systems because they circumvent existing security defenses. Control flow integrity (CFI) is a promising defense against such attacks, but previous implementations generally suffer from two major drawbacks: 1) complex pre-processing to obtain the control flow graph; 2) high runtime overhead. In this paper, we propose a cross-layer approach that uses basic block information already present in the binary code and read-only data to enforce fine-grained control-flow integrity. Our approach demonstrates high applicability and thorough attack detection coverage without static analysis or recompilation. It can also effectively protect stripped programs, while incurring a negligible 0.13% performance overhead.
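An added example, not code from the paper, of the core rule the title describes: an indirect control transfer is accepted only if its target is the entry of a known basic block, so a return or indirect jump that lands mid-block (the usual shape of a code-reuse gadget) is flagged. The block table, the transfer kinds and the trace below are constructed for illustration; the paper recovers block boundaries from the binary and its read-only data, which is not reproduced here.

```python
import bisect

# Constructed basic-block table: (start, end) address ranges, end exclusive,
# sorted by start address. Hypothetical layout used only to illustrate the check.
BLOCKS = [
    (0x1000, 0x1008),
    (0x1008, 0x1014),
    (0x1014, 0x1020),
    (0x2000, 0x2010),
]

def classify_target(target, blocks=BLOCKS):
    """Return 'entry', 'mid_block' or 'outside' for an indirect-branch target."""
    starts = [s for s, _ in blocks]
    i = bisect.bisect_right(starts, target) - 1   # last block starting at or before target
    if i < 0:
        return "outside"
    start, end = blocks[i]
    if target == start:
        return "entry"
    if start < target < end:
        return "mid_block"
    return "outside"

def check_trace(trace, blocks=BLOCKS):
    """Apply the no-jump-into-basic-block rule to a list of (src, target, kind) transfers.

    Only indirect transfers ('ret', 'icall', 'ijmp') are checked; direct branches
    have fixed targets encoded in the code and are trusted. Returns the violations.
    """
    violations = []
    for src, target, kind in trace:
        if kind not in ("ret", "icall", "ijmp"):
            continue
        verdict = classify_target(target, blocks)
        if verdict != "entry":
            violations.append((src, target, kind, verdict))
    return violations

# Constructed trace: two benign transfers to block entries, one return that lands
# in the middle of a block, and one indirect jump outside any known block.
SAMPLE_TRACE = [
    (0x100c, 0x1014, "ret"),    # benign: target is a block entry
    (0x2004, 0x1000, "icall"),  # benign
    (0x1018, 0x100a, "ret"),    # violation: mid-block landing
    (0x2008, 0x3000, "ijmp"),   # violation: outside any known block
]

if __name__ == "__main__":
    for v in check_trace(SAMPLE_TRACE):
        print("CFI violation: %#x -> %#x (%s, %s)" % v)
```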
