Authors: Qintao Shen, Lei Luo, Jun Ma, Jie Yu, Qingbo Wu, Yongqi Ma, Zhengji Liu

Abstract:

Control Flow Integrity (CFI) is one of the most promising technique to defend Code-Reuse Attacks (CRAs). Traditional CFI Systems and recent Context-Sensitive CFI use coarse control flow graphs (CFGs) to analyze whether the control flow hijack occurs, left vast space for attackers at indirect call-sites. Coarse CFGs make it difficult to decide which target to execute at indirect control-flow transfers, and weaken the existing CFI systems actually. It is an unsolved problem to extract CFGs precisely and perfectly from binaries now. In this paper, we present an algorithm to get a more precise CFG from binaries. Parameters are analyzed at indirect call-sites and functions firstly. By comparing counts of parameters prepared before call-sites and consumed by functions, targets of indirect calls are reduced. Then the control flow would be more constrained at indirect call-sites in runtime. Combined with CCFI, we implement our policy. Experimental results on some popular programs show that our approach is efficient. Further analysis show that it can mitigate COOP and other advanced attacks.

Keywords: Contex-sensitive, CFI, binary analysis, code reuse attack.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1131425

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 898

References:

[1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity,” in Proceedings of the 12th ACM conference on Computer and communications security. ACM, 2005, pp. 340–353.
[2] V. van der Veen, D. Andriesse, E. G¨oktas¸, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, “Practical context-sensitive cfi,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 927–940.
[3] M. Zhang and R. Sekar, “Control flow integrity for cots binaries,” in Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), 2013, pp. 337–352.
[4] M. Abadi, M. Budiu, U´ . Erlingsson, and J. Ligatti, “Control-flow integrity principles, implementations, and applications,” ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 1, p. 4, 2009.
[5] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity and randomization for binary executables,” in Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013, pp. 559–573.
[6] Z. Wang and X. Jiang, “Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity,” in 2010 IEEE Symposium on Security and Privacy. IEEE, 2010, pp. 380–395.
[7] M. Payer, A. Barresi, and T. R. Gross, “Fine-grained control-flow integrity through binary hardening,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 2015, pp. 144–164.
[8] T. Bletsch, X. Jiang, and V. Freeh, “Mitigating code-reuse attacks with control-flow locking,” in Proceedings of the 27th Annual Computer Security Applications Conference. ACM, 2011, pp. 353–362.
[9] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, U´ . Erlingsson, L. Lozano, and G. Pike, “Enforcing forward-edge control-flow integrity in gcc & llvm,” in 23rd USENIX Security Symposium (USENIX Security 14), 2014, pp. 941–955.
[10] F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and T. Holz, “Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in c++ applications,” in 2015 IEEE Symposium on Security and Privacy. IEEE, 2015, pp. 745–762.
[11] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, “Control-flow bending: On the effectiveness of control-flow integrity,” in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 161–176.
[12] J. Kinder, F. Zuleger, and H. Veith, “An abstract interpretation-based framework for control flow reconstruction from binaries,” in International Workshop on Verification, Model Checking, and Abstract Interpretation. Springer, 2009, pp. 214–228.
[13] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “Bap: A binary analysis platform,” in International Conference on Computer Aided Verification. Springer, 2011, pp. 463–469.
[14] R. Wartell, Y. Zhou, K. W. Hamlen, M. Kantarcioglu, and B. Thuraisingham, “Differentiating code from data in x86 binaries,” in Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 2011, pp. 522–536.
[15] S. Designer, “Getting around non-executable stack (and fix),” 1997.
[16] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning, “On the expressiveness of return-into-libc attacks,” in International Workshop on Recent Advances in Intrusion Detection. Springer, 2011, pp. 121–141.
[17] H. Shacham, “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),” in Proceedings of the 14th ACM conference on Computer and communications security. ACM, 2007, pp. 552–561.
[18] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, “Return-oriented programming without returns,” in Proceedings of the 17th ACM conference on Computer and communications security. ACM, 2010, pp. 559–572.
[19] E. G¨oktas, E. Athanasopoulos, H. Bos, and G. Portokalidis, “Out of control: Overcoming control-flow integrity,” in 2014 IEEE Symposium on Security and Privacy. IEEE, 2014, pp. 575–589.
[20] L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose, “Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection,” in 23rd USENIX Security Symposium (USENIX Security 14), 2014, pp. 401–416.
[21] I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi, and S. Sidiroglou-Douskos, “Control jujutsu: On the weaknesses of fine-grained control flow integrity,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 901–913.
[22] M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, M. Negro, C. Liebchen, M. Qunaibit, and A.-R. Sadeghi, “Losing control: On the effectiveness of control-flow integrity under stack attacks,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 952–963.
[23] I. P. Disassembler, “Debugger,” 2010.
[24] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna, “SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis,” in IEEE Symposium on Security and Privacy, 2016.