research-article

Public Access

Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries

Authors:

Abhishek Vasisht Bhaskar,

Dengguo FengAuthors Info & Claims

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Pages 331 - 340

https://doi.org/10.1145/2818000.2818017

Published: 07 December 2015 Publication History

Abstract

Control Flow Integrity (CFI) is an effective technique to mitigate threats such as code-injection and code-reuse attacks in programs by protecting indirect transfers. For stripped binaries, a CFI policy has to be made conservatively due to the lack of source code level semantics. Existing binary-only CFI solutions such as BinCFI and CCFIR demonstrate the ability to protect stripped binaries, but the policies they apply are too permissive, allowing sophisticated code-reuse attacks. In this paper, we propose a new binary-only CFI protection scheme called BinCC, which applies static binary rewriting to provide finer-grained protection for x86 stripped ELF binaries. Through code duplication and static analysis, we divide the binary code into several mutually exclusive code continents. We further classify each indirect transfer within a code continent as either an Intra-Continent transfer or an Inter-Continent transfer, and apply separate, strict CFI polices to constrain these transfers. To evaluate BinCC, we introduce new metrics to estimate the average amount of legitimate targets of each kind of indirect transfer as well as the difficulty to leverage call preceded gadgets to generate ROP exploits. Compared to the state of the art binary-only CFI, BinCFI, the experimental results show that BinCC significantly reduces the legitimate transfer targets by 81.34% and increases the difficulty for adversaries to bypass CFI restriction to launch sophisticated ROP attacks. Also, BinCC achieves a reasonable performance, around 14% of the space overhead decrease and only 4% runtime overhead increase as compared to BinCFI.

References

[1]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1):4, 2009.

Digital Library

[2]

S. Andersen and V. Abella. Data execution prevention. changes to functionality in microsoft windows xp service pack 2, part 3: Memory protection technologies, 2004.

[3]

T. Bletsch, X. Jiang, and V. Freeh. Mitigating code-reuse attacks with control-flow locking. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 353--362. ACM, 2011.

Digital Library

[4]

T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pages 30--40. ACM, 2011.

Digital Library

[5]

N. Carlini and D. Wagner. Rop is still dangerous: Breaking modern defenses. In USENIX Security Symposium, 2014.

Digital Library

[6]

Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng. Ropecker: A generic and practical approach for defending against rop attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.

[7]

L. Davi, A.-R. Sadeghi, and M. Winandy. Ropdefender: A detection tool to defend against return-oriented programming attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pages 40--51. ACM, 2011.

Digital Library

[8]

U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. Xfi: Software guards for system address spaces. In Proceedings of the 7th symposium on Operating systems design and implementation, pages 75--88. USENIX Association, 2006.

Digital Library

[9]

I. Evans, S. Fingeret, J. González, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi. Missing the point (er): On the effectiveness of code pointer integrity1. In Security and Privacy (SP), 2015.

Digital Library

[10]

E. Goktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In Security and Privacy (SP), 2014 IEEE Symposium on, pages 575--589. IEEE, 2014.

Digital Library

[11]

D. Jang, Z. Tatlock, and S. Lerner. Safedispatch: Securing c++ virtual calls from memory corruption attacks. In Symposium on Network and Distributed System Security (NDSS), 2014.

[12]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2014.

Digital Library

[13]

S. McCamant and G. Morrisett. Evaluating sfi for a cisc architecture. In Usenix Security, page 15, 2006.

Digital Library

[14]

V. Mohan, P. Larsen, S. Brunthaler, K. Hamlen, and M. Franz. Opaque control-flow integrity. In Symposium on Network and Distributed System Security (NDSS), 2015.

[15]

B. Niu and G. Tan. Modular control-flow integrity. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, page 58. ACM, 2014.

Digital Library

[16]

B. Niu and G. Tan. Rockjit: Securing just-in-time compilation using modular control-flow integrity. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1317--1328. ACM, 2014.

Digital Library

[17]

M. Payer, A. Barresi, and T. R. Gross. Fine-grained control-flow integrity through binary hardening. In Detection of Intrusions and Malware, and Vulnerability Assessment, 2015.

Digital Library

[18]

A. Prakash, X. Hu, and H. Yin. vfguard: Strict protection for virtual function calls in cots c++ binaries. In Network and Distributed System Security Symposium, NDSS, volume 15, 2015.

[19]

A. Prakash, H. Yin, and Z. Liang. Enforcing system-wide control flow integrity for exploit detection and diagnosis. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 311--322. ACM, 2013.

Digital Library

[20]

R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC), 15(1):2, 2012.

Digital Library

[21]

H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security, pages 552--561. ACM, 2007.

Digital Library

[22]

P. Team. Pax address space layout randomization, 2003.

[23]

C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-flow integrity in gcc & llvm. In USENIX Security Symposium, 2014.

Digital Library

[24]

R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In ACM SIGOPS Operating Systems Review, volume 27, pages 203--216. ACM, 1994.

Digital Library

[25]

B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In Security and Privacy, 2009 30th IEEE Symposium on, pages 79--93. IEEE, 2009.

Digital Library

[26]

C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 559--573. IEEE, 2013.

Digital Library

[27]

M. Zhang and R. Sekar. Control flow integrity for cots binaries. In Usenix Security, pages 337--352, 2013.

Digital Library

Cited By

Houy SBartel A(2024)Lessons Learned and Challenges of Deploying Control Flow Integrity in Complex Software: the Case of OpenJDK’s Java Virtual Machine2024 IEEE Secure Development Conference (SecDev)10.1109/SecDev61143.2024.00020(153-165)Online publication date: 7-Oct-2024
https://doi.org/10.1109/SecDev61143.2024.00020
Vaidya RKulkarni P(2024)Effectiveness of Binary-Level CFI TechniquesFoundations and Practice of Security10.1007/978-3-031-57537-2_6(87-103)Online publication date: 25-Apr-2024
https://doi.org/10.1007/978-3-031-57537-2_6
Kim HKim SLee JJee KCha SCalandrino JTroncoso C(2023)Reassembly is hardProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620320(1469-1486)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620320
Show More Cited By

Index Terms

Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Code Reuse Prevention through Control Flow Lazily Check
PRDC '12: Proceedings of the 2012 IEEE 18th Pacific Rim International Symposium on Dependable Computing

Despite the numerous prevention and protection techniques that have been developed, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. Because of the adoption of the ...
A platform for secure static binary instrumentation
VEE '14: Proceedings of the 10th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

Program instrumentation techniques form the basis of many recent software security defenses, including defenses against common exploits and security policy enforcement. As compared to source-code instrumentation, binary instrumentation is easier to use ...
Hardware-Assisted Fine-Grained Code-Reuse Attack Detection
RAID 2015: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 9404

Code-reuse attacks have become the primary exploitation technique for system compromise despite of the recently introduced Data Execution Prevention technique in modern platforms. Different from code injection attacks, they result in unintended control-...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

December 2015

489 pages

ISBN:9781450336826

DOI:10.1145/2818000

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tag

Control Flow Integrity

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Conference

ACSAC 2015

ACSAC 2015: 2015 Annual Computer Security Applications Conference

December 7 - 11, 2015

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

31
Total Citations
View Citations
721
Total Downloads

Downloads (Last 12 months)95
Downloads (Last 6 weeks)7

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Houy SBartel A(2024)Lessons Learned and Challenges of Deploying Control Flow Integrity in Complex Software: the Case of OpenJDK’s Java Virtual Machine2024 IEEE Secure Development Conference (SecDev)10.1109/SecDev61143.2024.00020(153-165)Online publication date: 7-Oct-2024
https://doi.org/10.1109/SecDev61143.2024.00020
Vaidya RKulkarni P(2024)Effectiveness of Binary-Level CFI TechniquesFoundations and Practice of Security10.1007/978-3-031-57537-2_6(87-103)Online publication date: 25-Apr-2024
https://doi.org/10.1007/978-3-031-57537-2_6
Kim HKim SLee JJee KCha SCalandrino JTroncoso C(2023)Reassembly is hardProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620320(1469-1486)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620320
Gaidis AMoreira JSun KMilburn AAtlidakis VKemerlis V(2023)FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch TrackingProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607219(527-546)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607219
Xie MLin YLuo CPeng GFu J(2023)PointerScope: Understanding Pointer Patching for Code RandomizationIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.320304320:4(3019-3036)Online publication date: 1-Jul-2023
https://doi.org/10.1109/TDSC.2022.3203043
Sun RGuo YWang ZZeng Q(2023)AttnCall: Refining Indirect Call Targets in Binaries with AttentionComputer Security – ESORICS 202310.1007/978-3-031-51482-1_20(391-409)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-51482-1_20
Ding ZGuo YXu HYan LCui LPeng YCheng FHao Z(2023)SeqTrace: API Call Tracing Based on Intel PT and VMI for Malware DetectionAlgorithms and Architectures for Parallel Processing10.1007/978-3-031-22677-9_6(98-116)Online publication date: 11-Jan-2023
https://doi.org/10.1007/978-3-031-22677-9_6
Zhang WXu ZXiao YXue Y(2022)Unleashing the power of pseudo-code for binary code similarity analysisCybersecurity10.1186/s42400-022-00121-05:1Online publication date: 1-Dec-2022
https://doi.org/10.1186/s42400-022-00121-0
Singhal VPillai ASaumya CKulkarni MMachiry A(2022)Cornucopia : A Framework for Feedback Guided Generation of BinariesProceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering10.1145/3551349.3561152(1-13)Online publication date: 10-Oct-2022
https://dl.acm.org/doi/10.1145/3551349.3561152
Zhang YLiu XSun CZeng DTan GKan XMa S(2021)ReCFA: Resilient Control-Flow AttestationAnnual Computer Security Applications Conference10.1145/3485832.3485900(311-322)Online publication date: 6-Dec-2021
https://doi.org/10.1145/3485832.3485900
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents