Enforcing Unique Code Target Property for Control-Flow Integrity

Hong, Hui; Qian, Chenxiong; Yagemann, Carter; Chung, Simon P.; Harris, William R.; Kim, Taesoo; Lee, Wenke

doi:10.1145/3243734.3243797

Cited by 86 publications

(66 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…HAFIX [17] is a hardware-assisted CFI scheme that confines function returns to active call sites. Contextsensitive CFI [18,24,45] further ensures that each control-flow transfer taken by the program is consistent with a non-malicious trace. This leads to a more expressive policy compared to stateless CFI, but context-sensitive CFI enforcement has been dismissed as impractical for real-world adoption [1].…”

Section: Related Workmentioning

confidence: 99%

Authenticated Call Stack

Liljestrand

Nyman

Ekberg

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

A popular run-time attack technique is to compromise the controlflow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory, secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware.We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs) to achieve comparable security without requiring additional hardware support. We present PACStack, a realization of ACS on the ARMv8.3-A architecture, using its general purpose hardware mechanism for pointer authentication (PA). Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is negligible (<1%). 1 https://gcc.gnu.org/onlinedocs/gcc/AArch64-Function-Attributes.html 2 https://reviews.llvm.org/D49793 1

show abstract

Section: Related Workmentioning

confidence: 99%

Authenticated Call Stack

Liljestrand

Nyman

Ekberg

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

show abstract

“…This is in contrast to CFI mechanisms [23], where the security guarantees are reduced by over-approximating the valid target set. There is no known method to statically compute a fully precise target sets for CFI [23], while dynamic methods [60] require special hardware extensions that are not available on MCUS. Thus, an attacker can perform a control-flow bending style attack by over-writing the return address with a return target within the over-approximated target set and divert the control-flow [28], [61].…”

Section: Designmentioning

confidence: 99%

$\mu$RAI: Securing Embedded Systems with Return Address Integrity

Almakhdhub

Clements

Bagchi

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Embedded systems are deployed in security critical environments and have become a prominent target for remote attacks. Microcontroller-based systems (MCUS) are particularly vulnerable due to a combination of limited resources and low level programming which leads to bugs. Since MCUS are often a part of larger systems, vulnerabilities may jeopardize not just the security of the device itself but that of other systems as well. For example, exploiting a WiFi System on Chip (SoC) allows an attacker to hijack the smart phone's application processor. Control-flow hijacking targeting the backward edge (e.g., Return-Oriented Programming-ROP) remains a threat for MCUS. Current defenses are either susceptible to ROP-style attacks or require special hardware such as a Trusted Execution Environment (TEE) that is not commonly available on MCUS. We present µRAI 1 , a compiler-based mitigation to prevent control-flow hijacking attacks targeting backward edges by enforcing the Return Address Integrity (RAI) property on MCUS. µRAI does not require any additional hardware such as TEE, making it applicable to the wide majority of MCUS. To achieve this, µRAI introduces a technique that moves return addresses from writable memory, to readable and executable memory. It repurposes a single general purpose register that is never spilled, and uses it to resolve the correct return location. We evaluate against the different control-flow hijacking attacks scenarios targeting return addresses (e.g., arbitrary write), and demonstrate how µRAI prevents them all. Moreover, our evaluation shows that µRAI enforces its protection with negligible overhead.

show abstract

“…Various experiments demonstrated that call-preceded gadgets are able to bypass the CFI technique that limits itself to only control-flow transfer checks prior to unsafe function calls [47]. binCFI enhances strong compatibility; however, it fails to restrict all types of control-flow attacks [58].…”

Section: Cfi For Cots Binaries (Bincfi)mentioning

confidence: 99%

“…In addition to that, the springboard consumes a lot more memory [60]. Although CCFIR comprises better performance but unable to provide enough security to mitigate control-hijacking attacks [58].…”

Section: Practical Cfi and Randomization For Binary Executables (Ccfir)mentioning

confidence: 99%

Control-Flow Integrity: Attacks and Protections

et al. 2019

View full text Add to dashboard Cite

Despite the intense efforts to prevent programmers from writing code with memory errors, memory corruption vulnerabilities are still a major security threat. Consequently, control-flow integrity has received significant attention in the research community, and software developers to combat control code execution attacks in the presence of type of faults. Control-flow Integrity (CFI) is a large family of techniques that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running process cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques, including code reuse attacks, return-to-user, return-to-libc, and replay attacks. We also classify these techniques based on their security, robustness, and implementation complexity. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. We conclude that the performance overhead introduced, jointly with the partial attack coverage, is discouraging the industry from adopting most of them.

show abstract

Enforcing Unique Code Target Property for Control-Flow Integrity

Cited by 86 publications

References 41 publications

Authenticated Call Stack

Authenticated Call Stack

$\mu$RAI: Securing Embedded Systems with Return Address Integrity

Control-Flow Integrity: Attacks and Protections

Contact Info

Product

Resources

About