TY - GEN
T1 - Per-input control-flow integrity
AU - Niu, Ben
AU - Tan, Gang
N1 - Funding Information:
We thank anonymous reviewers for their insightful comments. We also thank Michael Spear and Stephen McCamant for useful discussions. This research is supported by US NSF grants CNS-1408826, CCF-1217710, CCF-1149211, and a research award from Google.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks. Conventional CFI techniques statically extract a control-flow graph (CFG) from a program and instrument the program to enforce that CFG. The statically generated CFG includes all edges for all possible inputs; however, for a concrete input, the CFG may include many unnecessary edges. We present Per-Input Control-Flow Integrity (PICFI or πCFI), a new CFI technique that can enforce a CFG computed for each concrete input. πCFI starts executing a program with the empty CFG and lets the program itself lazily add edges to the enforced CFG if such edges are required for the concrete input. The edge addition is performed by πCFI-inserted instrumentation code. To prevent attackers from arbitrarily adding edges, πCFI uses a statically computed all-input CFG to constrain what edges can be added at runtime. To minimize performance overhead, operations for adding edges are designed to be idempotent, so they can be patched to no-ops after their first execution. As our evaluation shows, πCFI provides better security than conventional fine-grained CFI with comparable performance overhead.
AB - Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks. Conventional CFI techniques statically extract a control-flow graph (CFG) from a program and instrument the program to enforce that CFG. The statically generated CFG includes all edges for all possible inputs; however, for a concrete input, the CFG may include many unnecessary edges. We present Per-Input Control-Flow Integrity (PICFI or πCFI), a new CFI technique that can enforce a CFG computed for each concrete input. πCFI starts executing a program with the empty CFG and lets the program itself lazily add edges to the enforced CFG if such edges are required for the concrete input. The edge addition is performed by πCFI-inserted instrumentation code. To prevent attackers from arbitrarily adding edges, πCFI uses a statically computed all-input CFG to constrain what edges can be added at runtime. To minimize performance overhead, operations for adding edges are designed to be idempotent, so they can be patched to no-ops after their first execution. As our evaluation shows, πCFI provides better security than conventional fine-grained CFI with comparable performance overhead.
UR - http://www.scopus.com/inward/record.url?scp=84954150177&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954150177&partnerID=8YFLogxK
U2 - 10.1145/2810103.2813644
DO - 10.1145/2810103.2813644
M3 - Conference contribution
AN - SCOPUS:84954150177
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 914
EP - 926
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Y2 - 12 October 2015 through 16 October 2015
ER -