DOI: 10.1145/3321705.3329815
Research article

Control-Flow Carrying Code

Published: 02 July 2019

Abstract

Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks, including code-reuse attacks. Most conventional CFI techniques rely on a memory page protection mechanism, Data Execution Prevention (DEP), as an underlying basis; for instance, CFI defenses use read-only address tables to avoid metadata corruption. However, this assumption has been shown to be invalid against advanced attack techniques such as Data-Oriented Programming, data races, and Rowhammer attacks. In addition, there are scenarios in which DEP is unavailable, e.g., bare-metal systems and applications with dynamically generated code. We present the design and implementation of Control-Flow Carrying Code (C³), a new CFI enforcement that does not depend on DEP and that makes the embedded CFI policies safe from being overwritten by attackers. C³ embeds the Control-Flow Graph (CFG) and its enforcement into the instructions of the program by encrypting each basic block with a key derived from the CFG. The "proof-carrying" code ensures that only valid control-flow transfers can decrypt the corresponding instruction sequences, and that any unintended control-flow transfer or overwritten code segment would cause the program to crash with high probability, due to the wrong decryption key and the resulting random code bytes. We implement C³ on top of an instrumentation platform and apply it to many popular programs. Our security evaluation shows that C³ is capable of enforcing strong CFI policies and defends against most control-flow hijacking attacks while incurring moderate runtime overhead.
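As an added illustration (constructed for this page; it is not the authors' C³ implementation and does not reproduce their key derivation), the following Python toy model shows the mechanism the abstract describes: each basic block is encrypted under its own key, the keys of a block's valid successors are carried inside the block, and a transfer that is not a CFG edge decrypts its target into random bytes that fail to parse as code. The block names, the toy instruction set and the key layout are assumptions of the model.

```python
import hashlib, os
# Constructed toy model of the mechanism (not the paper's construction): basic blocks are
# byte strings, CFG lists the allowed edges, each block is XOR-encrypted under its own key,
# and a block's valid-successor keys travel inside it, readable only after a correct decryption.
CFG = {"entry": ["check"], "check": ["ok", "fail"], "ok": ["exit"], "fail": ["exit"], "exit": []}
CODE = {"entry": b"PUSH rbp; MOV rbp,rsp", "check": b"CMP eax,0; JNE fail",
        "ok": b"MOV eax,1", "fail": b"MOV eax,0", "exit": b"POP rbp; RET"}
MNEMONICS = {"PUSH", "MOV", "CMP", "JNE", "POP", "RET"}  # the toy "ISA"

def keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_program(cfg, code):
    keys = {b: os.urandom(16) for b in cfg}
    enc = {}
    for b, body in code.items():
        # layout: 1-byte successor count | one 16-byte key per successor (CFG order) | instructions
        payload = bytes([len(cfg[b])]) + b"".join(keys[s] for s in cfg[b]) + body
        enc[b] = xor(payload, keystream(keys[b], len(payload)))
    return enc, keys["entry"]  # only the entry key is handed to the loader

def decrypt_block(blob, key):
    p = xor(blob, keystream(key, len(blob)))
    return [p[1 + 16 * i: 17 + 16 * i] for i in range(p[0])], p[1 + 16 * p[0]:]

def looks_like_code(body):
    # a wrong key or an overwritten byte yields random bytes that almost never parse as toy code
    try:
        insns = body.decode("ascii").split("; ")
    except UnicodeDecodeError:
        return False
    return bool(body) and all(i.split(" ")[0] in MNEMONICS for i in insns)

def run(cfg, enc, entry_key, path):
    cur, key = path[0], entry_key
    for nxt in path[1:] + [None]:
        succ_keys, body = decrypt_block(enc[cur], key)
        if not looks_like_code(body):
            return "crash", cur  # random bytes where code was expected: the program faults here
        if nxt is None:
            return "ok", cur
        if nxt in cfg[cur]:
            key = succ_keys[cfg[cur].index(nxt)]  # key bound to the valid edge cur -> nxt
        else:
            key = succ_keys[0] if succ_keys else bytes(16)  # hijacked edge: no key bound to it
        cur = nxt
```

A path that follows CFG edges decrypts every block; a hijacked edge or a flipped byte in the encrypted code segment produces junk at the next block and the model reports a crash there.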



Published In

Asia CCS '19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
July 2019, 708 pages
ISBN: 9781450367523
DOI: 10.1145/3321705

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. control-flow hijacking
  2. control-flow integrity
  3. instruction-set randomization
  4. secret sharing


Conference

Asia CCS '19
Overall acceptance rate: 418 of 2,322 submissions, 18%
