Article

A theory of secure control flow

Authors:

Úlfar Erlingsson,

Jay LigattiAuthors Info & Claims

ICFEM'05: Proceedings of the 7th international conference on Formal Methods and Software Engineering

Pages 111 - 124

https://doi.org/10.1007/11576280_9

Published: 01 November 2005 Publication History

Abstract

Control-Flow Integrity (CFI) means that the execution of a program dynamically follows only certain paths, in accordance with a static policy. CFI can prevent attacks that, by exploiting buffer overflows and other vulnerabilities, attempt to control program behavior. This paper develops the basic theory that underlies two practical techniques for CFI enforcement, with precise formulations of hypotheses and guarantees.

References

[1]

M. Abadi. Protection in programming-language translations. In K.G. Larsen, S. Skyum, and G. Winskel, editors, Proceedings of the 25th International Colloquium on Automata, Languages and Programming, volume 1443 of Lecture Notes in Computer Science, pages 868-883. Springer-Verlag, 1998. Also Digital Equipment Corporation Systems Research Center report No. 154, April 1998.

Digital Library

[2]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. In Proceedings of the ACM Conference on Computer and Communications Security, 2005. A preliminary version appears as Microsoft Research Technical Report MSR-TR-05-18, February 2005.

Digital Library

[3]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Further formal material on CFI and SMAC. Manuscript, available at http://research.microsoft.com/ research/sv/gleipnir, 2005.

[4]

C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the Usenix Security Symposium, pages 63-78, 1998.

Digital Library

[5]

Ú. Erlingsson and F.B. Schneider. SASI enforcement of security policies: A retrospective. In Proceedings of the New Security Paradigms Workshop, pages 87-95, 1999.

Digital Library

[6]

N. Hamid, Z. Shao, V. Trifonov, S. Monnier, and Z. Ni. A Syntactic Approach to Foundational Proof-Carrying Code. Technical Report YALEU/DCS/TR-1224, Dept. of Computer Science, Yale University, 2002.

[7]

J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(1- 2):2-16, February 2005.

Digital Library

[8]

Microsoft Corporation. Changes to functionality in Microsoft Windows XP SP2: Memory protection technologies, 2004. http://www.microsoft.com/technet/ prodtechnol/winxppro/maintain/sp2mempr.mspx.

[9]

G. Morrisett, D.Walker, K. Crary, and N. Glew. From System F to typed assembly language. ACM Transactions on Programming Languages and Systems, 21(3):527- 568, 1999.

Digital Library

[10]

G. Necula. Proof-carrying code. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, pages 106-119, January 1997.

Digital Library

[11]

PaX Project. The PaX project, 2004. http://pax.grsecurity.net/.

[12]

J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2(4):20-27, 2004.

Digital Library

[13]

O. Ruwase and M.S. Lam. A practical dynamic buffer overflow detector. In Proceedings of Network and Distributed System Security Symposium, pages 159-169, 2004.

[14]

H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security, pages 298-307, 2004.

Digital Library

[15]

A. Srivastava, A. Edwards, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, 2001.

[16]

A. Srivastava and A. Eustace. ATOM: A system for building customized program analysis tools. Technical Report WRL Research Report 94/2, Digital Equipment Corporation, 1994.

Digital Library

[17]

G.E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85-96, 2004.

Digital Library

[18]

R. Wahbe, S. Lucco, T.E. Anderson, and S.L. Graham. Efficient software-based fault isolation. ACM SIGOPS Operating Systems Review, 27(5):203-216, 1993.

Digital Library

[19]

J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the Network and Distributed System Security Symposium, pages 149-162, 2003.

[20]

J. Xu, Z. Kalbarczyk, and R.K. Iyer. Transparent runtime randomization for security. In Proceedings of the Symposium on Reliable and Distributed Systems, pages 260-269, 2003.

Cited By

Pesin BBoulmé SMonniaux DPotet MStark KTimany ABlazy STabareau N(2025)Formally Verified Hardening of C Programs against Hardware Fault InjectionProceedings of the 14th ACM SIGPLAN International Conference on Certified Programs and Proofs10.1145/3703595.3705880(140-155)Online publication date: 10-Jan-2025
https://dl.acm.org/doi/10.1145/3703595.3705880
Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Tan XZhao ZMeng WJensen CCremers CKirda E(2023)SHERLOC: Secure and Holistic Control-Flow Violation Detection on Embedded SystemsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623077(1332-1346)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623077
Show More Cited By

Recommendations

Control-flow integrity
CCS '05: Proceedings of the 12th ACM conference on Computer and communications security

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is ...
Control-flow bending: on the effectiveness of control-flow integrity
SEC'15: Proceedings of the 24th USENIX Conference on Security Symposium

Control-Flow Integrity (CFI) is a defense which prevents control-flow hijacking attacks. While recent research has shown that coarse-grained CFI does not stop attacks, fine-grained CFI is believed to be secure.

We argue that assessing the effectiveness ...
Control-Flow Hijacking: Are We Making Progress?
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Memory corruption errors in C/C++ programs remain the most common source of security vulnerabilities in today's systems. Over the last 10+ years the security community developed several defenses [4]. Data Execution Prevention (DEP) protects against code ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

ICFEM'05: Proceedings of the 7th international conference on Formal Methods and Software Engineering

November 2005

494 pages

ISBN:3540297979

Editors:
Kung-Kiu Lau
School of Computer Science, The University of Manchester, Manchester, United Kingdom
,
Richard Banach
School of Computer Science, University of Manchester, Manchester, UK

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 November 2005

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

36
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Pesin BBoulmé SMonniaux DPotet MStark KTimany ABlazy STabareau N(2025)Formally Verified Hardening of C Programs against Hardware Fault InjectionProceedings of the 14th ACM SIGPLAN International Conference on Certified Programs and Proofs10.1145/3703595.3705880(140-155)Online publication date: 10-Jan-2025
https://dl.acm.org/doi/10.1145/3703595.3705880
Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Tan XZhao ZMeng WJensen CCremers CKirda E(2023)SHERLOC: Secure and Holistic Control-Flow Violation Detection on Embedded SystemsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623077(1332-1346)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623077
Berlakovich FBrunthaler SFedorova ANarayanan DDi Luna GQuerzoni L(2023)R2C: AOCR-Resilient Diversity with Reactive and Reflective CamouflageProceedings of the Eighteenth European Conference on Computer Systems10.1145/3552326.3587439(488-504)Online publication date: 8-May-2023
https://dl.acm.org/doi/10.1145/3552326.3587439
Berlakovich FNeugschwandtner MBarany GLindorfer MPolakis J(2022)Look Ma, no constantsProceedings of the 15th European Workshop on Systems Security10.1145/3517208.3523751(36-42)Online publication date: 5-Apr-2022
https://dl.acm.org/doi/10.1145/3517208.3523751
Skorstengaard LDevriese DBirkedal L(2019)StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilitiesProceedings of the ACM on Programming Languages10.1145/32903323:POPL(1-28)Online publication date: 2-Jan-2019
https://dl.acm.org/doi/10.1145/3290332
Patrignani MAhmed AClarke D(2019)Formal Approaches to Secure CompilationACM Computing Surveys10.1145/328098451:6(1-36)Online publication date: 4-Feb-2019
https://dl.acm.org/doi/10.1145/3280984
(2018)ReferencesThe Continuing Arms Race10.1145/3129743.3129753(261-281)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1145/3129743.3129753
Coppens BDe Sutter BVolckaert S(2018)Multi-variant execution environmentsThe Continuing Arms Race10.1145/3129743.3129752(211-258)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1145/3129743.3129752
Jin YSullivan DArias OSadeghi ADavi L(2018)Hardware control flow integrityThe Continuing Arms Race10.1145/3129743.3129751(181-210)Online publication date: 1-Mar-2018
https://dl.acm.org/doi/10.1145/3129743.3129751
Show More Cited By

View Options

View options

Figures

Tables

Media

View Table of Conten