DOI: 10.1145/3037697.3037716

GRIFFIN: Guarding Control Flows Using Intel Processor Trace

Published: 04 April 2017

Abstract

Researchers are actively exploring techniques to enforce control-flow integrity (CFI), which restricts program execution to a predefined set of targets for each indirect control transfer to prevent code-reuse attacks. While hardware-assisted CFI enforcement may have the potential for advantages in performance and flexibility over software instrumentation, current hardware-assisted defenses are either incomplete (i.e., do not enforce all control transfers) or less efficient in comparison. We find that the recent introduction of hardware features to log complete control-flow traces, such as Intel Processor Trace (PT), provides an opportunity to explore how efficient and flexible a hardware-assisted CFI enforcement system may become. While Intel PT was designed to aid in offline debugging and failure diagnosis, we explore its effectiveness for online CFI enforcement over unmodified binaries by designing a parallelized method for enforcing various types of CFI policies. We have implemented a prototype called GRIFFIN in the Linux 4.2 kernel that enables complete CFI enforcement over a variety of software, including the Firefox browser and its jitted code. Our experiments show that GRIFFIN can enforce fine-grained CFI policies with shadow stack as recommended by researchers at a performance that is comparable to software-only instrumentation techniques. In addition, we find that alternative logging approaches yield significant performance improvements for trace processing, identifying opportunities for further hardware assistance.
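The abstract describes GRIFFIN enforcing fine-grained forward-edge CFI together with a shadow stack over a control-flow trace recorded by Intel PT. The Python below is an added illustration of what that policy check amounts to once a trace has been decoded into individual control transfers; it is not GRIFFIN's code and not taken from the paper. Every address, the `Transfer` record format, the `POLICY` table and both sample traces are constructed assumptions. A real PT decoder, the binary analysis that derives each call site's permitted target set, and the parallel trace processing the paper evaluates are all outside what this example shows.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed, simplified control-transfer record standing in for one
# decoded branch from a trace. All addresses in this file are made up.
@dataclass(frozen=True)
class Transfer:
    kind: str                       # "call" (direct), "icall" (indirect) or "ret"
    src: int                        # address of the branch instruction
    dst: int                        # target actually taken
    ret_addr: Optional[int] = None  # for calls: address of the following instruction

# Forward-edge policy (assumed): indirect-call site -> set of permitted targets.
ForwardPolicy = Dict[int, Set[int]]

def check_trace(trace: List[Transfer], policy: ForwardPolicy) -> List[Tuple[int, str]]:
    """Replay the transfers, enforcing the forward-edge target sets and a
    shadow stack for returns. Returns one (trace index, reason) pair per
    violation; an empty list means the trace satisfied the policy."""
    shadow: List[int] = []
    violations: List[Tuple[int, str]] = []
    for i, t in enumerate(trace):
        if t.kind == "call":
            # Direct calls are not logged by PT, but the checker still has to
            # account for them to keep the shadow stack in sync.
            shadow.append(t.ret_addr)
        elif t.kind == "icall":
            allowed = policy.get(t.src)
            if allowed is None:
                violations.append((i, f"indirect call at {t.src:#x} has no policy entry"))
            elif t.dst not in allowed:
                violations.append((i, f"indirect call at {t.src:#x} to {t.dst:#x} not in target set"))
            shadow.append(t.ret_addr)
        elif t.kind == "ret":
            if not shadow:
                violations.append((i, f"return at {t.src:#x} with empty shadow stack"))
            else:
                expected = shadow.pop()
                if t.dst != expected:
                    violations.append((i, f"return at {t.src:#x} went to {t.dst:#x}, "
                                         f"shadow stack expected {expected:#x}"))
        else:
            violations.append((i, f"unknown transfer kind {t.kind!r}"))
    return violations

# Assumed policy: the dispatch site at 0x401200 may call handler_a or handler_b.
POLICY: ForwardPolicy = {0x401200: {0x401800, 0x401900}}

# Constructed benign trace: main -> dispatch -> handler_a, then two clean returns.
BENIGN_TRACE = [
    Transfer("call", 0x401000, 0x401100, ret_addr=0x401005),
    Transfer("icall", 0x401200, 0x401800, ret_addr=0x401202),
    Transfer("ret", 0x401850, 0x401202),
    Transfer("ret", 0x401150, 0x401005),
]

# Constructed trace with two policy violations: the indirect call lands on an
# address outside its target set, and the final return does not match the
# return address recorded on the shadow stack.
VIOLATING_TRACE = [
    Transfer("call", 0x401000, 0x401100, ret_addr=0x401005),
    Transfer("icall", 0x401200, 0x402000, ret_addr=0x401202),
    Transfer("ret", 0x402050, 0x401202),
    Transfer("ret", 0x401150, 0x403010),
]

if __name__ == "__main__":
    print("benign:", check_trace(BENIGN_TRACE, POLICY))
    for idx, why in check_trace(VIOLATING_TRACE, POLICY):
        print(f"violation at transfer {idx}: {why}")
```

Two points the code makes concrete: the return check needs the call transfers too, even though the trace hardware only needs to record the indirect ones, and the forward-edge check is only as strong as the target sets, so a site missing from the policy is reported rather than silently allowed.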


Published In

ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, April 2017, 856 pages. ISBN: 9781450344654. DOI: 10.1145/3037697.

Publisher: Association for Computing Machinery, New York, NY, United States.

Author Tags

  1. control-flow integrity
  2. intel processor trace

Conference

ASPLOS '17. Paper acceptance rate: 53 of 320 submissions (17%); overall acceptance rate: 535 of 2,713 submissions (20%).