Code-pointer integrity
Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. C. Sekar, Dawn Song
pp. 147-163
TLDR
This paper describes code-pointer integrity (CPI), a new design point that guarantees the integrity of all code pointers in a program and thereby prevents all control-flow hijack attacks that exploit memory corruption errors, including attacks that bypass control-flow integrity mechanisms, such as control-flow bending.

Abstract
Systems code is often written in low-level languages like C/C++, which offer many benefits but also delegate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed defense mechanisms (e.g., ASLR, DEP) are incomplete, and stronger defense mechanisms (e.g., CFI) often have high overhead and limited guarantees [19, 15, 9].

We introduce code-pointer integrity (CPI), a new design point that guarantees the integrity of all code pointers in a program (e.g., function pointers, saved return addresses) and thereby prevents all control-flow hijack attacks, including return-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties.

CPI and CPS offer substantially better security-to-overhead ratios than the state of the art. They are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (they prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2% overhead for C and 1.9% for C/C++, while CPI's overhead is 2.9% for C and 8.4% for C/C++.

A prototype implementation of CPI and CPS can be obtained from http://levee.epfl.ch.
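The difference the abstract draws between an ordinary code pointer and one whose integrity is enforced, as an added C example that is not the paper's Levee implementation: a handler struct whose callback sits right after an attacker-writable buffer, an over-long copy that overwrites the callback, and CPS/CPI-style instrumented store and load routines that keep the callback in a separate safe region so the same overflow no longer changes which function is called. The `safe_region` table, `cpi_store_cb`, `cpi_load_cb`, `set_name_buggy`, `build_payload` and `evil_cb` are constructs of this example. The real system additionally keeps uninstrumented stores out of the safe region (segmentation, randomized hiding or software fault isolation, depending on the platform); this simulation does not model that isolation and only shows the separation and the instrumented accesses that depend on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*callback_t)(int);

/* Unprotected layout: the code pointer sits right after an attacker-writable buffer. */
struct handler {
    char name[16];
    callback_t cb;
};

static int safe_cb(int x) { return x + 1; } /* the legitimate target */
static int evil_cb(int x) { return -x; }    /* stands in for an address the attacker chose */

/* The bug: the copy trusts a caller-supplied length. It is written as a byte copy
 * from the struct base instead of memcpy(h->name, src, len) so that the overrun
 * into cb stays well-defined C and the demo behaves the same on every compiler. */
static void set_name_buggy(struct handler *h, const char *src, size_t len)
{
    memcpy((char *)h + offsetof(struct handler, name), src, len);
}

/* Constructed overflow payload: 16 filler bytes, then the raw bytes of evil_cb,
 * which land exactly on h->cb. */
static size_t build_payload(unsigned char *out)
{
    callback_t target = evil_cb;
    memset(out, 'A', 16);
    memcpy(out + 16, &target, sizeof target);
    return 16 + sizeof target;
}

int run_unprotected(void)
{
    struct handler h = { "", safe_cb };
    unsigned char payload[16 + sizeof(callback_t)];
    size_t len = build_payload(payload);
    set_name_buggy(&h, (const char *)payload, len); /* clobbers h.cb */
    return h.cb(41);                                /* hijacked: evil_cb runs, returns -41 */
}

/* CPS/CPI-style accessors (this example's own): every store to and load from a
 * code pointer goes through a safe region keyed by the pointer's address, so the
 * copy in regular memory is never used for dispatch. Here the safe region is a
 * plain array; the real system keeps uninstrumented stores out of it. */
#define SAFE_SLOTS 32
struct safe_entry { const void *loc; callback_t value; };
static struct safe_entry safe_region[SAFE_SLOTS];

static struct safe_entry *safe_lookup(const void *loc)
{
    for (size_t i = 0; i < SAFE_SLOTS; i++)
        if (safe_region[i].loc == loc)
            return &safe_region[i];
    return NULL;
}

static void cpi_store_cb(callback_t *loc, callback_t value)
{
    struct safe_entry *e = safe_lookup(loc);
    if (!e) e = safe_lookup(NULL);   /* first free slot (table is zeroed) */
    if (!e) { fputs("safe region full\n", stderr); return; }
    e->loc = loc;
    e->value = value;
    *loc = NULL;                     /* regular memory holds nothing usable */
}

/* Only a value that arrived through cpi_store_cb comes back; a pointer that
 * exists solely because something wrote it into regular memory is refused. */
static callback_t cpi_load_cb(callback_t *loc)
{
    struct safe_entry *e = safe_lookup(loc);
    if (!e) { fputs("code-pointer integrity violation\n", stderr); return NULL; }
    return e->value;
}

int run_protected(void)
{
    struct handler h;
    unsigned char payload[16 + sizeof(callback_t)];
    size_t len = build_payload(payload);
    memset(safe_region, 0, sizeof safe_region);
    h.name[0] = '\0';
    cpi_store_cb(&h.cb, safe_cb);
    set_name_buggy(&h, (const char *)payload, len); /* same overflow, same struct */
    callback_t cb = cpi_load_cb(&h.cb);             /* h.cb now holds evil_cb; ignored */
    return cb ? cb(41) : -1;                        /* safe_cb runs: 42 */
}

/* A struct whose code pointer was never registered: the overflow plants evil_cb,
 * but the instrumented load finds no safe-region entry and reports a violation. */
int run_protected_unregistered(void)
{
    struct handler h = { "", NULL };
    unsigned char payload[16 + sizeof(callback_t)];
    memset(safe_region, 0, sizeof safe_region);
    set_name_buggy(&h, (const char *)payload, build_payload(payload));
    callback_t cb = cpi_load_cb(&h.cb);
    return cb ? cb(41) : -1;                        /* -1: refused */
}

int main(void)
{
    printf("unprotected:  %d\n", run_unprotected());
    printf("protected:    %d\n", run_protected());
    printf("unregistered: %d\n", run_protected_unregistered());
    return 0;
}
```

The unprotected run dispatches through whatever the overflow left in `h.cb`; the protected runs read the callback from the safe region, so the corrupted in-struct copy is never followed, and a pointer that only ever arrived through the overflow is rejected outright. The guarantee in the paper rests on the safe region being unreachable from uninstrumented code, which is exactly the part this array-based simulation leaves out.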
Citations
Proceedings Article
VC3: Trustworthy Data Analytics in the Cloud Using SGX
Felix Schuster, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, Mark Russinovich
TL;DR: VC3 is the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results.
Proceedings Article
Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz
TL;DR: It is demonstrated that many code-reuse defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice, and that even recently proposed defenses that specifically target C++ are vulnerable to COOP.
Proceedings Article
Control-flow bending: on the effectiveness of control-flow integrity
TL;DR: This paper argues that assessing the effectiveness of practical CFI implementations is non-trivial and that common evaluation metrics fail to do so, and evaluates fully-precise static CFI, the most restrictive CFI policy that does not break functionality, and reveals limitations in its security.
Proceedings Article
Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks
TL;DR: This paper builds 3 end-to-end attacks to bypass randomization defenses without leaking addresses, to run a network bot which takes commands from the attacker, and to alter the memory permissions, demonstrating how the expressiveness offered by DOP significantly empowers the attacker.
Proceedings Article
Readactor: Practical Code Randomization Resilient to Memory Disclosure
Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Stefan Brunthaler, Michael Franz
TL;DR: This paper presents the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks, and uses a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary.
References
Book Chapter
Z3: an efficient SMT solver
TL;DR: Z3 is a new and efficient SMT Solver freely available from Microsoft Research that is used in various software verification and analysis applications.
Proceedings Article
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang
TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Proceedings Article
Efficient software-based fault isolation
TL;DR: It is demonstrated that for frequently communicating modules, implementing fault isolation in software rather than hardware can substantially improve end-to-end application performance.
Proceedings Article
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
TL;DR: A return-into-libc attack to be mounted on x86 executables that calls no functions at all is presented, and how to discover such instruction sequences by means of static analysis is shown.
Proceedings Article
Control-flow integrity
TL;DR: Control-Flow Integrity provides a useful foundation for enforcing further security policies, as it is demonstrated with efficient software implementations of a protected shadow call stack and of access control for memory regions.