Live Path CFI Against Control Flow Hijacking Attacks

Through memory vulnerabilities, control flow hijacking allows an attacker to force a running program to execute code paths other than those the programmer intended. Control Flow Integrity (CFI) aims to prevent the adversarial effects of these attacks. CFI attempts to enforce the programmer's intent by ensuring that a program only runs according to a control flow graph (CFG) of the program. The enforced CFG can be built statically or dynamically, and Per-Input Control Flow Integrity (PICFI) represents a recent advance in dynamic CFI techniques. PICFI begins execution with the empty CFG of a program and lazily adds edges to the CFG during execution according to concrete inputs. However, this CFG grows monotonically, i.e., edges are never removed even when the corresponding control flow transfers become illegal. This paper presents LPCFI, Live Path Control Flow Integrity, to more precisely enforce forward edge CFI using a dynamically computed CFG by both adding and removing edges for all indirect control flow transfers from indirect callsites, thereby raising the bar against control flow hijacking attacks.
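The following is an added toy model, not the paper's implementation, of the difference the abstract describes: a monotonically growing dynamic CFG (PICFI-style, edges only added) versus a live-path CFG (LPCFI-style, edges added and removed as a function pointer's value changes). The pointer slot `fp`, the callsite `cs1`, the handler labels and the event trace are all constructed for the illustration; the point is which indirect-call targets each policy still rejects once a previously legal target has gone stale.

```python
# Added illustration (not the paper's code): compare a PICFI-style monotonic
# dynamic CFG with an LPCFI-style live-path CFG on one constructed trace.
# Slot/callsite/handler names are assumptions made up for this example.


class MonotonicCFG:
    """PICFI-style policy: an edge callsite->target is added the first time
    `target` becomes a legal value for a pointer slot that callsite reads,
    and it is never removed afterwards."""

    def __init__(self, reads):
        # reads: pointer slot -> set of indirect callsites that load that slot
        self.reads = reads
        self.edges = set()  # (callsite, target) pairs allowed so far

    def on_store(self, slot, target):
        for callsite in self.reads.get(slot, ()):
            self.edges.add((callsite, target))

    def allowed(self, callsite, target):
        return (callsite, target) in self.edges


class LivePathCFG:
    """LPCFI-style policy: the edge set mirrors each slot's current value, so
    storing a new target into a slot removes the edge to the previous one."""

    def __init__(self, reads):
        self.reads = reads
        self.current = {}  # pointer slot -> its current legal target

    def on_store(self, slot, target):
        self.current[slot] = target  # old target's edge disappears here

    def allowed(self, callsite, target):
        # The call is legal only if some slot this callsite reads currently
        # holds exactly this target.
        return any(
            self.current.get(slot) == target
            for slot, sites in self.reads.items()
            if callsite in sites
        )


def run_trace(policy, trace):
    """Replay ('store', slot, target) and ('call', callsite, value) events.
    Return one verdict (True = transfer allowed) per call event."""
    verdicts = []
    for event in trace:
        if event[0] == "store":
            policy.on_store(event[1], event[2])
        else:
            _, callsite, value = event
            verdicts.append(policy.allowed(callsite, value))
    return verdicts


# Constructed program shape: one indirect callsite that loads pointer slot fp.
READS = {"fp": {"cs1"}}

# Constructed trace: fp legitimately points at handler_a, then handler_b.
# The last two calls model a pointer value that no longer matches any store:
# first a stale-but-once-legal target, then one never stored into fp.
TRACE = [
    ("store", "fp", "handler_a"),
    ("call", "cs1", "handler_a"),
    ("store", "fp", "handler_b"),
    ("call", "cs1", "handler_b"),
    ("call", "cs1", "handler_a"),     # stale edge: only live-path rejects it
    ("call", "cs1", "never_stored"),  # never legal: both policies reject it
]


def compare():
    """Verdict lists for both policies over the same constructed trace."""
    return {
        "monotonic": run_trace(MonotonicCFG(READS), TRACE),
        "live_path": run_trace(LivePathCFG(READS), TRACE),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10s} {verdicts}")
```

The third call is the interesting one: under the monotonic policy the edge `cs1 -> handler_a` survives the later store of `handler_b`, so a pointer value that has silently reverted to `handler_a` passes the check; the live-path policy rejects it because `fp` no longer holds that value. Both policies reject a target that was never a legal value for the slot.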
