Abstract
Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose \(\tau {\textsc {CFI}}\), an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, \(\tau {\textsc {CFI}}\) can be used to harden legacy applications for which source code may not be available. We have evaluated \(\tau {\textsc {CFI}}\) on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that \(\tau {\textsc {CFI}}\) is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, \(\tau {\textsc {CFI}}\) achieves higher forward-edge caller-callee matching precision.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Since an indirect call can target a function only if the function’s address is taken, there is no need to analyze functions whose addresses are not taken; this is similar to TypeArmor.
References
LLVM: Clang CFI (2017). https://goo.gl/W7aMF9
LLVM: Clang’s SafeStack. https://clang.llvm.org/docs/SafeStack.html
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming. In: S&P (2015)
Crane, S., et al.: It’s a TRaP: table randomization and protection against function-reuse attacks. In: CCS (2015)
Lettner, J., et al.: Subversive-C: abusing and protecting dynamic message dispatch. In: USENIX ATC (2016)
BlueLotus Team: BCTF challenge: Bypass VTable read-only checks (2015). https://goo.gl/4RYDS2
Lan, B., Li, Y., Sun, H., Su, C., Liu, Y., Zeng, Q.: Loop-oriented programming: a new code reuse attack to bypass modern defenses. In: IEEE Trustcom/BigDataSE/ISPA (2015)
Evans, I., et al.: Control Jujutsu: on the weaknesses of fine-grained control flow integrity. In: CCS (2015)
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity. In: CCS (2005)
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity principles, implementations, and applications. In: TISSEC (2009)
Burow, N.: Control-flow integrity: precision, security, and performance. CSUR 50, 16:1–16:33 (2017)
Tan, G., Jaeger, T.: CFG construction soundness in control-flow integrity. In: PLAS (2017)
Ramalingam, G.: The undecidability of aliasing. TOPLAS 16, 1467–1471 (1994)
Jang, D., Tatlock, T., Lerner, S.: SAFEDISPATCH: securing C++ virtual calls from memory corruption attacks. In: NDSS (2014)
Niu, B., Tan, G.: Modular control-flow integrity. In: PLDI (2014)
Niu, B., Tan, G.: RockJIT: securing just-in-time compilation using modular control-flow inegrity. In: CCS (2014)
Haller, I., Goktas, E., Athanasopoulos, E., Portokalidis, G., Bos, H.: ShrinkWrap: VTable protection without loose ends. In: ACSAC (2015)
Bounov, D., Gökhan K., R., Lerner, S.: Protecting C++ dynamic dispatch through VTable interleaving. In: NDSS (2016)
Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC and LLVM. In: USENIX Security (2014)
Zhang, C., et al. : Practical control flow integrity and randomization for binary executables. In: S&P (2013)
Prakash, A., Hu, X., Yin, H.: Strict protection for virtual function calls in COTS C++ binaries. In: NDSS (2015)
Zhang, C., Song, C., Zhijie, K.C., Chen, Z., Song, D.: VTint: protecting virtual function tables’ integrity. In: NDSS (2015)
Elsabagh, M., Fleck, D., Stavrou, A.: Strict virtual call integrity checking for C ++ binaries. In: ASIACCS (2017)
Pawlowski, A., et al.: MARX: uncovering class hierarchies in C++ programs. In: NDSS (2017)
Veen, V.V.D., et al.: A tough call: mitigating advanced code-reuse attacks at the binary level. In: S&P (2016)
Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: OSDI (2014)
Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX Security (2015)
Goktas, E., et al.: Bypassing Clang’s SafeStack for fun and profit. In: Blackhat Europe (2016). https://goo.gl/zKMHzs
Dang, T., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: ASIACCS (2015)
Bernat, A.R., Miller, B.P.: Anywhere, any-time binary instrumentation. In: PASTE (2011)
Andriesse, D., Chen, X., Veen, V.V.D., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: USENIX Security (2016)
Mycroft, A.: Lecture Notes (2007). https://goo.gl/F7tUZj
Lin, Z., Zhang, X., Xu, D.: Automatic reverse engineering of data structures from binary execution. In: NDSS (2010)
Brumley, D., Jager, I., Avgerinos, T., Schwartz, E.J.: BAP: a binary analysis platform. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 463–469. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_37
Fokin, A., Derevenets, Y., Chernov, A., Troshina, K.: SmartDec: approaching C++ decompilation. In: WCRE (2011)
Balakrishnan, G., Reps, T.: DIVINE: discovering variables IN executables. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 1–28. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69738-1_1
Caballero, J., Lin, Z.: Type inference on executables. CSUR 48, 35 (2016)
Lee, B., Song, C., Kim, T., Lee, W.: Type casting verification: stopping an emerging attack vector. In: USENIX Security (2015)
Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: Euro S&P (2017)
Bruening, D.: DynamoRIO. http://dynamorio.org/home.html
Davi, L., et al.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: NDSS (2012)
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security (2013)
Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security (2013)
Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: NDSS (2015)
Veen, V.V.D., et al.: Practical context-sensiticve CFI. In: CCS (2015)
Payer, M., Barresi, A., Gross, T.R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_8
Acknowledgement
We thank the anonymous reviewers for their feedback, which helped to considerably improve the quality of this paper. Jens Grossklags’ research is supported by the German Institute for Trust and Safety on the Internet (DIVSI). Gang Tan is supported by US NSF grants CCF-1723571 and CNS-1624126, the Defense Advanced Research Projects Agency (DARPA) under agreement number N6600117C4052, and Office of Naval Research (ONR) under agreement number N00014-17-1-2539. Zhiqiang Lin is partially supported by US NSF grant CNS-1812553 and CNS-1834215, AFOSR award FA9550-14-1-0119, and ONR award N00014-17-1-2995.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Muntean, P., Fischer, M., Tan, G., Lin, Z., Grossklags, J., Eckert, C. (2018). \(\tau \) CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_20
Download citation
DOI: https://doi.org/10.1007/978-3-030-00470-5_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00469-9
Online ISBN: 978-3-030-00470-5
eBook Packages: Computer ScienceComputer Science (R0)