C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY OF T EXAS AT D ALLAS Supported in part by: ONR award N00014-17-2995, DARPA award FA8750-19- C-0006, NSF awards #1513704 and #1834215, and an NSF I/UCRC Award from Lockheed Martin Any opinions, findings, conclusions, or recommendations expressed in this presentation are those of the author(s) and do not necessarily reflect the views of the ONR, DARPA, NSF, or Lockheed Martin.
Control-Flow Integrity [M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti ; CCS’05. ] 2 Source Compiler-based CFI code transformation CFI instrumented Compiler Control-flow binary code graph policies Binary Source-agnostic CFI code transformation
CFI Research Timeline 3 ROPecker [Cheng et al.] MoCFI [Davi et al.] CFI [Abadi et al.] KCoFI [Criswell et al.] SFI [Wahbe et al.] Reins [Wartell et al.] SafeDispatch [Jang et al.] vCFI [Li et al.] STIR [Wartell et al.] XFI [Erlingsson et al.] T-VIP [Gawlik] RAGuard [Zhang et al.] ECFI [Abbasi et al.] RockJIT [Niu & Tan] PittSFIeld [McCamant & Morrisett] VTV [Tice et al.] PT-CFI [Gu et al.] ExecShield [van de Ven & Moinar] PittyPat [Ding et al.] MCFI [Niu & Tan] NaCl [Yee et al.] Hypersafe [Wang & Jiang] IFCC [Tice et al.] OFI [Wang et al.] CFLocking [Bletsch et al.] C-CFI [Mashtizadeh et al.] CFI [Muntean et al.] vfGuard [Prakash et al.] VM-CFI [Kwon et al.] VTint [Zhang et al.] LPCFI [Barbar et al.] MIP [Niu & Tan] PathArmor [van der Veen] kBouncer [Pappas et al.] CFIXX [Burow et al.] Prog. Shepherding [Kiriansky] CFIGuard [Yuan et al.] LEA-CFI [Qiu et al.] CFRestrictor [Pewny & Holz] Microsoft CFG CCFIR [Zhang et al.] uCFI [Hu et al.] πCFI [ Niu & Tan] … LLVM CFI Lockdown [Payer et al.] VTI [Bounov et al.] Kernel CFI [Ge et al.] TypeArmor [van der Veen] VTrust [Zhang et al.] VTPin [Sarbinowski et al.] 1993 … 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 CFI: Precision, Security, and Performance [Burow et al., CSUR’17]
Scalability Gap 4 CFI Research Papers Desktop OS Market Share Windows/MacOS in mission-critical Top 10 Security Vulnerabilities (2005-2018 ) (2019-07) Exploited by Hackers in 2018 environments Windows Linux Other Windows Linux MacOS Other 600 “About 75% of control systems are on 2% 1% 4% Windows XP or other nonsupported OSes.” 9% 500 2% – Daryl Haegley, Office of Assistant Secretary of Defense for Energy, Installations and Environment 400 More than 25% of all government computers currently run an outdated Windows or 300 MacOS operating system. [BitSight, 6/1/17] 200 DHS, Coast Guard, and Secret Service currently store top secret information on 100 outdated Windows 2003 servers. [OIG-18-56, 3/1/18] 0 Hundreds of satellites run Windows 95 and/or are controlled by Windows Mobile 94% 88% devices. *Papers containing at least one experiment where at least one COMPLETE non-benchmark application for the indicated OS was rewritten & secured
Why are the limitations? C ON FIRM (CONtrol-Flow Integrity Relevance Metrics) 5 Problems Our solution: C ON FIRM Goals A set of 20 widespread classes of A systematic study for CFI Compatibility of CFI solutions are compatibility problems identified compatibility problems under-studied The first testing suite designed specifically A new testing suite designed CFI implementations are commonly for CFI solution evaluation specifically for CFI evaluation evaluated in terms of performance and security Reevaluation of 12 CFI implementations CPU benchmarks are widely adopted ◼ These CFI implementations pass 53% of C ON FIRM’s compatibility and security tests for CFI evaluation Correlation with CPU benchmarks https://github.com/SoftwareLanguagesSecurityLab/Confirm
20 Widespread Classes of CFI Compatibility Problems 6 Compatibility Problem Real-world Software Examples Function Pointers 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Callbacks 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Dynamic Linking 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Delay-Loading Adobe Reader, Calculator, Chrome, Firefox, JVM, MS Paint, MS Powerpoint , … Exporting/Importing Data Symbols 7-Zip, Apache, Calculator, Chrome, Dropbox, Firefox, MS Paint, MS Powerpoint , … Virtual Functions 7- Zip, Adobe Reader, Calculator, Chrome, Dropbox, Firefox, JVM, Notepad, … Writable Vtables programs with UI’s based on GTK+ (Linux) or COM (Windows) Tail Calls programs compiled with tail-call optimization (e.g., -O2 or /O2) Switch-Case Statements 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Returns almost every benign program Unmatched Call/Return Pairs Adobe Reader, Apache, Chrome, Firefox, JVM, MS PowerPoint, Visual Studio, … Exceptions 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Calling Conventions almost every program has functions Multithreading 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … TLS Callbacks Adobe Reader, Chrome, Firefox, MS Paint, TeXstudio, UPX Position-Independent Code 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Memory Management 7- Zip, Adobe Reader, Apache, Chrome, Dropbox, Firefox, MS PowerPoint, … JIT Code Adobe Flash, Chrome, Dropbox, Firefox, JVM, MS PowerPoint, PotPlayer , … Self-Unpacking programs decompressed by self-extractors (e.g., UPX, NSIS) Runtime API Hooking Microsoft Office, including MS Excel, MS PowerPoint, etc.
ConFIRM: Control-Flow Integrity Relevance Metrics 7
A Compatibility Problem Example — Returns 8 Source Code Assembly Code CFI Hardened Assembly Code 1 _authenticate: 1 void authenticate() { 2 … … 2 3 call _f f(); 3 4 mov [authenticated], 1 authenticated = 1; 4 5 … … 5 6 _print_prompt: 6 } 7 … 7 void print_prompt() { 8 call _f … 8 9 … f(); 9 10 _f: … 10 11 … 11 } if (!is_valid_target([esp])) ret 12 void f() { 12 12 jmp security_abort … 13 13 return ; 14 14 15 }
Another Compatibility Problem Example — Unmatched Call/Return Pairs 9 Source Code Stack Shadow Stack EIP int main() { int main() { f(); Some shadow stack return 0; } Stack implementations are POLICY VIOLATION: based on traditional void f() { void f() { unwinding return address on the stack try { call/return matching ≠ return address on the g(); } shadow stack catch ( int e) { // Exception handler code } return; return ; Return address from h to g Return address from h to g } Return address from g to f Return address from g to f void g() { void g() { h(); Return address from f to main return ; Return address from f to main } Return address to previous function TOP Return address to previous function TOP void h() { void h() { throw 3; throw 3; … … return ; }
20 Widespread Classes of CFI Compatibility Problems 10 Compatibility Metric Real-world Software Examples Function Pointers 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Callbacks 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Dynamic Linking 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Delay-Loading Adobe Reader, Calculator, Chrome, Firefox, JVM, MS Paint, MS Powerpoint , … Exporting/Importing Data Symbols 7-Zip, Apache, Calculator, Chrome, Dropbox, Firefox, MS Paint, MS Powerpoint , … Virtual Functions 7- Zip, Adobe Reader, Calculator, Chrome, Dropbox, Firefox, JVM, Notepad, … Writable Vtables programs with UI’s based on GTK+ (Linux) or COM (Windows) Tail Calls programs compiled with tail-call optimization (e.g., -O2 or /O2) Switch-Case Statements 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Returns almost every benign program Unmatched Call/Return Pairs Adobe Reader, Apache, Chrome, Firefox, JVM, MS PowerPoint, Visual Studio, … Exceptions 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Calling Conventions almost every program has functions Multithreading 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … TLS Callbacks Adobe Reader, Chrome, Firefox, MS Paint, TeXstudio, UPX Position-Independent Code 7- Zip, Adobe Reader, Apache, Calculator, Chrome, Dropbox, Firefox, JVM, … Memory Management 7- Zip, Adobe Reader, Apache, Chrome, Dropbox, Firefox, MS PowerPoint, … JIT Code Adobe Flash, Chrome, Dropbox, Firefox, JVM, MS PowerPoint, PotPlayer , … Self-Unpacking programs decompressed by self-extractors (e.g., UPX, NSIS) Runtime API Hooking Microsoft Office, including MS Excel, MS PowerPoint, etc.
Cross-Thread Stack-Smashing Attack 11 Thread 1 (malicious) Thread 2 (CFI instrumented) 1 while (1) { 1 _f: 2 … // smash thread 2’s 2 3 if (!is_valid_target([esp])) // return address TOCTOU 3 4 jmp security_abort window *p = 0xDEADBEEF 4 5 ret 5 }
ConFIRM: Control-Flow Integrity Relevance Metrics 12
CFI Performance Measurement Problems 13
Recommend
More recommend
