TY - GEN
T1 - PFEM
T2 - 36th Annual Computer Security Applications Conference, ACSAC 2020
AU - Muntean, Paul
AU - Neumayer, Mathias
AU - Lin, Zhiqiang
AU - Tan, Gang
AU - Grossklags, Jens
AU - Eckert, Claudia
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/12/7
Y1 - 2020/12/7
N2 - In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.
AB - In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.
UR - http://www.scopus.com/inward/record.url?scp=85098050844&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85098050844&partnerID=8YFLogxK
U2 - 10.1145/3427228.3427246
DO - 10.1145/3427228.3427246
M3 - Conference contribution
AN - SCOPUS:85098050844
T3 - ACM International Conference Proceeding Series
SP - 466
EP - 479
BT - Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
PB - Association for Computing Machinery
Y2 - 7 December 2020 through 11 December 2020
ER -