control flow integrity behavior based detection
play

Control Flow Integrity Behavior-based detection Stack canaries, - PowerPoint PPT Presentation

Sep 09, 2022 •143 likes •314 views

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR aim to complicate various steps in a standard attack But they still may not stop it Idea: observe the programs behavior is it doing

  1. Control Flow Integrity

  2. Behavior-based detection • Stack canaries, non-executable data, and ASLR aim to complicate various steps in a standard attack • But they still may not stop it • Idea: observe the program’s behavior — is it doing what we expect it to? • If not, might be compromised • Challenges • Define “expected behavior” • Detect deviations from expectation efficiently • Avoid compromise of the detector

  3. Control-flow Integrity (CFI) • Define “expected behavior”: Control flow graph (CFG) • Detect deviations from expectation efficiently In-line reference monitor (IRM) • Avoid compromise of the detector Sufficient randomness, immutability

  4. Efficient? • Classic CFI (2005) imposes 16% overhead on average, 45% in the worst case • Works on arbitrary executables • Not modular (no dynamically linked libraries) • Modular CFI (2014) imposes 5% overhead on average, 12% in the worst case • C only (part of LLVM) • Modular, with separate compilation • http://www.cse.lehigh.edu/~gtan/projects/upro/

  5. Secure? • MCFI can eliminate 95.75% of ROP gadgets on x86-64 versions of SPEC2006 benchmark suite • By ruling their use non-compliant with the CFG • Average Indirect-target Reduction (AIR) > 99% • AIR is, in essence, the percentage of possible targets of indirect jumps that CFI rules out For CFI: nearly all of them -

  6. Call Graph bool'lt(int'x,'int'y)'{' sort2(int'a[],'int'b[],'int'len)' ''return'x<y;' {' }' ''sort(a,'len,'lt);' bool'gt(int'x,'int'y)'{' ''sort(b,'len,'gt);' ''return'x>y;' } } sort2 lt sort gt Which functions call other functions

  7. Control Flow Graph bool'lt(int'x,'int'y)'{' sort2(int'a[],'int'b[],'int'len)' ''return'x<y;' {' }' ''sort(a,'len,'lt);' bool'gt(int'x,'int'y)'{' ''sort(b,'len,'gt);' ''return'x>y;' } } sort2 lt sort gt Break into basic blocks Distinguish calls from returns

  8. CFI: Compliance with CFG • Compute the call/return CFG in advance • During compilation, or from the binary • Monitor the control flow of the program and ensure that it only follows paths allowed by the CFG • Observation: Direct calls need not be monitored • Assuming the code is immutable, the target address cannot be changed • Therefore: monitor only indirect calls • jmp , call , ret with non-constant targets

  9. Control Flow Graph bool'lt(int'x,'int'y)'{' sort2(int'a[],'int'b[],'int'len)' ''return'x<y;' {' }' ''sort(a,'len,'lt);' bool'gt(int'x,'int'y)'{' ''sort(a,'len,'gt);' ''return'x>y;' } } sort2 lt sort gt Direct calls (always the same target)

  10. Control Flow Graph bool'lt(int'x,'int'y)'{' sort2(int'a[],'int'b[],'int'len)' ''return'x<y;' {' }' ''sort(a,'len,'lt);' bool'gt(int'x,'int'y)'{' ''sort(a,'len,'gt);' ''return'x>y;' } } sort2 lt sort gt Indirect transfer ( call via register, or ret )

  11. In-line Monitor • Implement the monitor in-line, as a program transformation • Insert a label just before the target address of an indirect transfer • Insert code to check the label of the target at each indirect transfer • Abort if the label does not match • The labels are determined by the CFG

  12. Simplest labeling sort2 label L lt sort label L label L label L gt label L Use the same label at all targets

  13. Simplest labeling sort2 label L lt sort label L label L label L gt label L ok… system Use the same label at all targets Blocks return to the start of direct-only call targets but not incorrect ones

  14. Detailed labeling sort2 label M lt sort label L label N label M gt label L ok… Constraints: • return sites from calls to sort must share a label ( L ) • call targets gt and lt must share a label ( M ) • remaining label unconstrained ( N ) Still permits call from site A to return to site B

  15. Classic CFI instrumentation Check target label Check target label

  16. Can we defeat CFI? • Inject code that has a legal label • Won’t work because we assume non-executable data • Modify code labels to allow the desired control flow • Won’t work because the code is immutable • Modify stack during a check , to make it seem to succeed • Won’t work because adversary cannot change registers into which we load relevant data No time-of-check, time-of-use bug (TOCTOU) -

  17. CFI Assurances • CFI defeats control flow-modifying attacks • Remote code injection, ROP/return-to-libc, etc. • But not manipulation of control-flow that is allowed by the labels /graph • Called mimicry attacks • The simple, single-label CFG is susceptible to these • Nor data leaks or corruptions void func(char *arg1) { • Heartbleed would not be prevented int authenticated = 0; char buffer[4]; • Nor the authenticated overflow strcpy(buffer, str); Control modification is allowed by graph - if(authenticated) { … }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Behavior-Based Detection The old way match syntactic signatures: One-to- one &lt; 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one &lt; 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one &lt; 50% detection The new way examine underlying behavior: One-to- many 1 Specifying Behaviors NtOpenKey \CurrentVersion\Run NtDeleteValueKey

1.58k views • 102 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow analysis Loops Identifying loops using dominators Reducibility Using loop identification to identify induction

270 views • 15 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook keescook@chromium.org Linux Conf AU 2020 https://outflux.net/slides/2020/lca/cfi.pdf Acknowledgment of Country Jingeri! We meet today on the traditional lands

624 views • 44 slides
CFA Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

CFA Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

CFA Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides? Problems with H0? Any problem? CFA Outline Why do we need Control Flow Analysis? Basic blocks and instructions Control flow graph Let

1.05k views • 67 slides
CS 251 Fall 2019 CS 240 Principles of Programming Languages Foundations of Computer Systems

CS 251 Fall 2019 CS 240 Principles of Programming Languages Foundations of Computer Systems

CS 251 Fall 2019 CS 240 Principles of Programming Languages Foundations of Computer Systems Ben Wood x86 Control Flow ( Part A , Part B) Condition codes, comparisons, and tests [Un]Conditional jumps and conditional moves Translating if-else

655 views • 38 slides
CMSC 430 Introduction to Compilers Fall 2018 Data Flow Analysis Applications and

CMSC 430 Introduction to Compilers Fall 2018 Data Flow Analysis Applications and

CMSC 430 Introduction to Compilers Fall 2018 Data Flow Analysis Applications and Implementations Data Flow Analysis A framework for proving facts about programs Reasons about lots of little facts Little or no interaction between

387 views • 12 slides
CS406: Compilers Spring 2020 Week 13: Control Flow Graphs (Slides courtesy: Prof. Milind

CS406: Compilers Spring 2020 Week 13: Control Flow Graphs (Slides courtesy: Prof. Milind

CS406: Compilers Spring 2020 Week 13: Control Flow Graphs (Slides courtesy: Prof. Milind Kulkarni) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

535 views • 15 slides
Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and control flow graphs local optimizations global optimizations 1 EECS 665 Compiler Construction Compiler Optimizations Compiler

454 views • 24 slides
System-on-Chip Design Analysis of Control Data Flow Hao Zheng Comp Sci &amp; Eng U of South

System-on-Chip Design Analysis of Control Data Flow Hao Zheng Comp Sci &amp; Eng U of South

System-on-Chip Design Analysis of Control Data Flow Hao Zheng Comp Sci &amp; Eng U of South Florida 1 Overview DF models describe concurrent computa=on at a very high level Each actor describes non-trivial computa=on. Each actor is

684 views • 30 slides
Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for

Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for

Enhancing Control Flow Graph Based Binary Function Identification Clemens Jonischkeit Chair for IT Security 23. November 2017 C. Jonischkeit 1 / 13 Motivation Technische Universitt Mnchen I just wasted 3 hours of my life. . . . .

539 views • 29 slides
TDT4205 Lecture 29 2 Where we are We have a handful of different analysis instances

TDT4205 Lecture 29 2 Where we are We have a handful of different analysis instances

1 Control flow and loop detection TDT4205 Lecture 29 2 Where we are We have a handful of different analysis instances None of them are optimizations, in and of themselves The objective now is to Show how loop detection is

343 views • 15 slides

More recommend