DOI: 10.1145/2818000.2818016
Research article, free access

Control Flow and Code Integrity for COTS binaries: An Effective Defense Against Real-World ROP Attacks

Published: 07 December 2015

Abstract

Despite decades of sustained effort, memory corruption attacks continue to be one of the most serious security threats faced today. They are highly sought after by attackers, as they provide ultimate control --- the ability to execute arbitrary low-level code. Attackers have shown time and again their ability to overcome widely deployed countermeasures such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by crafting Return Oriented Programming (ROP) attacks. Although Turing-complete ROP attacks have been demonstrated in research papers, real-world ROP payloads have had a more limited objective: disabling DEP so that injected native code attacks can be carried out. In this paper, we provide a systematic defense, called Control Flow and Code Integrity (CFCI), that makes injected native code attacks impossible. CFCI achieves this without sacrificing compatibility with existing software, without the need to replace system programs such as the dynamic loader, and without significant performance penalty. We will release CFCI as open-source software by the time of this conference.

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015, 489 pages
ISBN: 9781450336826
DOI: 10.1145/2818000

In-Cooperation: ACSA: Applied Computing Security Assoc
Publisher: Association for Computing Machinery, New York, NY, United States
Published: 07 December 2015
Qualifiers: Research-article, Research, Refereed limited
Conference: ACSAC 2015
Acceptance Rate: Overall Acceptance Rate 104 of 497 submissions, 21%