DOI: 10.1145/3427228.3427246
Research article

ρFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

Published: 08 December 2020

Abstract

In this paper, we propose reversed forward-edge mapper (ρFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program’s control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, using it to form a precise forward-edge mapping between callees and non-virtual call targets based on precise function signatures, and then checking each instrumented callee return at runtime against the set computed from that mapping. We have evaluated ρFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that ρFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. ρFEM’s runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.
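As an added illustration (not the paper's or the tool's code), the following Python model shows the idea the abstract describes: a forward-edge mapping from call sites to callees is built from function signatures and the class (vtable) hierarchy, then reversed into a per-callee set of legitimate return addresses against which each instrumented return is checked. The program model, class names, addresses and signatures are constructed for the example.

```python
import math
from collections import defaultdict
# Constructed program model (hypothetical, not from the paper or its tool).
HIERARCHY = {"Base": ["Derived1", "Derived2"], "Derived1": [], "Derived2": []}
VIRTUAL_IMPLS = {("Base", "run"): "Base::run", ("Derived1", "run"): "Derived1::run",
                 ("Derived2", "run"): "Derived2::run"}      # (class, method) -> symbol
FUNCTIONS = {"parse": ("int", ("char*",)), "log": ("void", ("char*",)),
             "fatal": ("void", ("char*",))}                  # symbol -> (return type, params)
CALL_SITES = {                                  # return address -> call-site description
    0x401010: {"kind": "direct", "target": "parse"},
    0x401020: {"kind": "indirect", "sig": ("int", ("char*",))},
    0x401030: {"kind": "virtual", "cls": "Base", "method": "run"},
    0x401040: {"kind": "virtual", "cls": "Derived1", "method": "run"},
    0x401050: {"kind": "indirect", "sig": ("void", ("char*",))},
}

def subtree(cls):
    """cls together with every class derived from it (the vtable sub-hierarchy)."""
    out = {cls}
    for sub in HIERARCHY.get(cls, []):
        out |= subtree(sub)
    return out

def forward_edges(sites=CALL_SITES):
    """Forward-edge mapping: return address of each call site -> callees it may reach."""
    fwd = {}
    for ret, site in sites.items():
        if site["kind"] == "direct":
            fwd[ret] = {site["target"]}
        elif site["kind"] == "indirect":        # match on the full function signature
            fwd[ret] = {f for f, sig in FUNCTIONS.items() if sig == site["sig"]}
        else:                                   # virtual: overrides in the static type's sub-hierarchy
            fwd[ret] = {VIRTUAL_IMPLS[(c, site["method"])] for c in subtree(site["cls"])
                        if (c, site["method"]) in VIRTUAL_IMPLS}
    return fwd

def reverse_mapping(fwd):
    """Reversed mapping: callee -> set of return addresses it may legitimately return to."""
    bwd = defaultdict(set)
    for ret, callees in fwd.items():
        for callee in callees:
            bwd[callee].add(ret)
    return dict(bwd)

def return_allowed(callee, ret_addr, bwd):   # check performed at each instrumented return
    return ret_addr in bwd.get(callee, set())

def geomean_targets(bwd):
    """Geometric mean of return targets per callee, the precision metric the paper reports."""
    sizes = [len(s) for s in bwd.values()]
    return math.exp(sum(math.log(n) for n in sizes) / len(sizes))
```

A return from `parse` to the virtual call site at 0x401030 is rejected because that site can never have called `parse`, while `Derived1::run` legitimately returns to both the `Base` and the `Derived1` call sites.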



Published In

ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference
December 2020
962 pages
ISBN: 9781450388580
DOI: 10.1145/3427228

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Clang/LLVM
2. control flow integrity
3. cyber defense
4. hijacking attack

Conference

ACSAC '20

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
