TY - GEN
T1 - Enforcing unique code target property for control-flow integrity
AU - Hu, Hong
AU - Qian, Chenxiong
AU - Yagemann, Carter
AU - Chung, Simon Pak Ho
AU - Harris, William R.
AU - Kim, Taesoo
AU - Lee, Wenke
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/10/15
Y1 - 2018/10/15
N2 - The goal of control-flow integrity (CFI) is to stop control-hijacking attacks by ensuring that each indirect control-flow transfer (ICT) jumps to its legitimate target. However, existing implementations of CFI have fallen short of this goal because their approaches are inaccurate and as a result, the set of allowable targets for an ICT instruction is too large, making illegal jumps possible. In this paper, we propose the Unique Code Target (UCT) property for CFI. Namely, for each invocation of an ICT instruction, there should be one and only one valid target. We develop a prototype called CFI to enforce this new property. During compilation, CFI identifies the sensitive instructions that influence ICT and instruments the program to record necessary execution context. At runtime, CFI monitors the program execution in a different process, and performs points-to analysis by interpreting sensitive instructions using the recorded execution context in a memory safe manner. It checks runtime ICT targets against the analysis results to detect CFI violations. We apply CFI to SPEC benchmarks and 2 servers (nginx and vsftpd) to evaluate its efficacy of enforcing UCT and its overhead. We also test CFI against control-hijacking attacks, including 5 real-world exploits, 1 proof of concept COOP attack, and 2 synthesized attacks that bypass existing defenses. The results show that CFI strictly enforces the UCT property for protected programs, successfully detects all attacks, and introduces less than 10% performance overhead.
AB - The goal of control-flow integrity (CFI) is to stop control-hijacking attacks by ensuring that each indirect control-flow transfer (ICT) jumps to its legitimate target. However, existing implementations of CFI have fallen short of this goal because their approaches are inaccurate and as a result, the set of allowable targets for an ICT instruction is too large, making illegal jumps possible. In this paper, we propose the Unique Code Target (UCT) property for CFI. Namely, for each invocation of an ICT instruction, there should be one and only one valid target. We develop a prototype called CFI to enforce this new property. During compilation, CFI identifies the sensitive instructions that influence ICT and instruments the program to record necessary execution context. At runtime, CFI monitors the program execution in a different process, and performs points-to analysis by interpreting sensitive instructions using the recorded execution context in a memory safe manner. It checks runtime ICT targets against the analysis results to detect CFI violations. We apply CFI to SPEC benchmarks and 2 servers (nginx and vsftpd) to evaluate its efficacy of enforcing UCT and its overhead. We also test CFI against control-hijacking attacks, including 5 real-world exploits, 1 proof of concept COOP attack, and 2 synthesized attacks that bypass existing defenses. The results show that CFI strictly enforces the UCT property for protected programs, successfully detects all attacks, and introduces less than 10% performance overhead.
UR - http://www.scopus.com/inward/record.url?scp=85056910692&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85056910692&partnerID=8YFLogxK
U2 - 10.1145/3243734.3243797
DO - 10.1145/3243734.3243797
M3 - Conference contribution
AN - SCOPUS:85056910692
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1470
EP - 1486
BT - CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 25th ACM Conference on Computer and Communications Security, CCS 2018
Y2 - 15 October 2018
ER -