BeCFI: detecting hidden control flow with performance monitoring counters

Most existing control-flow integrity (CFI) work aims to keep the intended control flow intact. It does not, however, expose hidden control flow: control transfers performed by code the defender never instrumented, such as a kernel rootkit or a chain of ROP gadgets. To address this we propose BeCFI, which detects hidden control flow using a cross-view principle. Because modern processors can observe the execution of every branch instruction, BeCFI obtains a hardware view from performance monitoring counters (PMCs). To obtain a software view, we build software-based counters by compiler patching and binary overwriting, so that the execution of every instrumented branch instruction is also counted in software. A control transfer that appears only in the hardware view is classified as hidden. We have developed a prototype on the Linux kernel for Intel x86. Our evaluation shows that BeCFI detects the hidden control flow introduced by kernel rootkits and ROP attacks, and our performance tests show that it incurs acceptable overhead.
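The cross-view check described above, as an added example rather than BeCFI's own code: a software counter bumped at every instrumented branch site stands in for the compiler-patched counter, a model "hardware" counter sees every control transfer whether instrumented or not, and the verdict is taken from the difference. A constructed workload runs once cleanly and once followed by a chain of uninstrumented returns standing in for ROP gadgets. The Linux-only `hw_branches_perf()` shows how the real hardware view is read with a PMC (retired branch instructions via `perf_event_open`); it returns -1 where perf is unavailable. All function names and the workload are assumptions for illustration.

```c
/* Added example, not BeCFI's code. Assumed names: sw_branch_site(),
 * becfi_verdict(), run_clean(), run_with_rop(), hw_branches_perf(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <linux/perf_event.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Software view: a counter bumped at every instrumented branch site. BeCFI
 * plants this by compiler patching / binary overwriting; the model workload
 * below calls it explicitly instead.                                      */
static uint64_t sw_counter;
static void sw_branch_site(void) { sw_counter++; }

/* Model hardware view: every control transfer that executes is counted,
 * whether or not it passed through an instrumented site.                  */
static uint64_t hw_counter;

/* A legitimate branch: both views observe it. */
static void branch_instrumented(void) { hw_counter++; sw_branch_site(); }

/* A hidden branch, e.g. the ret of a ROP gadget entered from code that was
 * never instrumented: only the hardware view observes it.                 */
static void branch_hidden(void) { hw_counter++; }

enum verdict { VIEWS_AGREE, HIDDEN_TRANSFERS, SW_OVERCOUNT };

/* Cross-view decision: *hidden receives hw - sw when hw > sw. A software
 * count above the hardware count is an instrumentation bug, not an attack. */
enum verdict becfi_verdict(uint64_t hw, uint64_t sw, uint64_t *hidden)
{
    *hidden = 0;
    if (hw == sw) return VIEWS_AGREE;
    if (hw < sw) return SW_OVERCOUNT;
    *hidden = hw - sw;
    return HIDDEN_TRANSFERS;
}

/* Constructed workload: n iterations, each with a loop back-edge, a call
 * and a ret, all instrumented.                                            */
static void workload(unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        branch_instrumented();  /* loop back-edge */
        branch_instrumented();  /* call          */
        branch_instrumented();  /* ret           */
    }
}

enum verdict run_clean(unsigned n, uint64_t *hidden)
{
    hw_counter = sw_counter = 0;
    workload(n);
    return becfi_verdict(hw_counter, sw_counter, hidden);
}

/* Same workload, then a gadget chain of `gadgets` uninstrumented rets. */
enum verdict run_with_rop(unsigned n, unsigned gadgets, uint64_t *hidden)
{
    hw_counter = sw_counter = 0;
    workload(n);
    for (unsigned i = 0; i < gadgets; i++) branch_hidden();
    return becfi_verdict(hw_counter, sw_counter, hidden);
}

#ifdef __linux__
/* Real hardware view on Linux: a per-thread PMC counting retired branch
 * instructions, enabled around the region of interest. Returns -1 if perf
 * is unavailable (perf_event_paranoid, container, VM without PMU).        */
long long hw_branches_perf(void (*region)(void))
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_HARDWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_HW_BRANCH_INSTRUCTIONS;
    attr.disabled = 1;
    attr.exclude_kernel = 1;
    attr.exclude_hv = 1;
    int fd = (int)syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0) return -1;
    long long count = -1;
    ioctl(fd, PERF_EVENT_IOC_RESET, 0);
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    region();
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);
    if (read(fd, &count, sizeof count) != (ssize_t)sizeof count) count = -1;
    close(fd);
    return count;
}
#endif

static void demo_region(void) { workload(1000); }

int main(void)
{
    uint64_t hidden;
    printf("clean: verdict=%d hidden=%llu\n", run_clean(1000, &hidden), (unsigned long long)hidden);
    printf("rop:   verdict=%d hidden=%llu\n", run_with_rop(1000, 7, &hidden), (unsigned long long)hidden);
#ifdef __linux__
    printf("PMC retired branches for region: %lld (software counter: %llu)\n",
           hw_branches_perf(demo_region), (unsigned long long)sw_counter);
#endif
    return 0;
}
```

Running the PMC path on a real machine shows the practical caveat: the hardware count exceeds the software counter because the region's actual calls, returns and loop branches (and anything the compiler emitted that the hand-placed counter does not mirror) are all retired branches. That gap is exactly why BeCFI has to instrument every branch instruction in the protected code, at the binary level, before a surplus in the hardware view can be attributed to hidden transfers rather than to incomplete instrumentation.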
