Control Flow Integrity Recap Buffer overflow Mitigation techniques - PowerPoint PPT Presentation



  1. Control Flow Integrity

  2. Recap • Buffer overflow • Mitigation techniques – WOX/DEP – Return-to-libc – RoP (Return-oriented Programming) – StackGuard (insert canaries on stack) – PointGuard (encrypt the pointers) – ASLR – CFI (Control-Flow Integrity)

  3. The Problem • Software contains vulnerabilities or flaws. An adversary exploits these flaws to gain control over the program’s flow. • Once control over the program is achieved, it is easy to redirect the program’s flow to a particular address where malicious code is stored. • Buffer overflow is an example of such an attack: the return address of a procedure is overwritten and program flow is switched to an address where malicious code is present.

  4. Control-Flow Integrity (CFI) Software execution must follow its intended execution path

  5. Why CFI? • A change in the execution path of a program can be used by an adversary to execute malicious code stored in memory (e.g., via buffer overflow) • CFI enforces the integrity of a program’s execution path • An undefined change in the path of execution by an adversary can be detected using CFI • CFI efficiently detects and mitigates buffer overflow, RoP, return-to-libc attacks, etc.

  6. • CFI enforcement is practical – It is compatible with existing software – It can be done efficiently using software rewriting in commodity systems

  7. Control-Flow Integrity • It constrains a program to follow the path of execution defined by its Control-Flow Graph • CFI enforcement guarantees that the program’s execution path cannot be changed by the adversary, so the program’s flow integrity is maintained • CFI provides a useful foundation for enforcing further security policies [Abadi et al.] – Protected shadow call stack – Access control of memory regions

  8. CFI implementation types • CFCSS: Control-Flow Checking by Software Signatures • CCFIR: Compact Control-Flow Integrity and Randomization • CFLC: Control-Flow Lazily Check • CCFI: Cryptographically enforced CFI • Practical limitations: some of these do not or cannot capture recursive function calls

  9. CFI through Label Checking Swapnil Raut, MTech, IIT Bombay

  10. CFI through Label Checking • This implementation consists of label checking and of generating a regular expression of the program, which represents the program’s Control-Flow Graph (CFG). – The regular expression is derived from the CFG – A label check identifies the correct destination function when a function is called by a caller – A label is a unique random number placed at the start of the destination – Before jumping from caller to callee, the labels are compared

  11. Implementation Outline • All strings generated by the regular expression are considered valid paths of program execution • Any other execution path is considered invalid and an error is produced • If the labels do not match at a jump, an error is produced

  12. What is CFI? ❏ Control-Flow Integrity (CFI) is one of the mitigation techniques against these attacks ❏ It constrains a program to follow the path of execution defined by its Control-Flow Graph (CFG) ❏ This CFI enforcement guarantees that the program execution path cannot be changed by the adversary and the program’s flow integrity is maintained

  13. Stack Corruption Techniques ❏ CFI implementation can be bypassed by exploiting stack-based vulnerabilities ❏ Corrupting callee-saved registers ❏ Corrupting system call return address ❏ Disclosing the shadow stack address

  14. CFI Implementation Techniques ❏ Compact Control Flow Integrity and Randomization ❏ Cryptographically Enforced Control Flow Integrity ❏ Control Flow Checking by Software Signature

  15. CCFIR Technique ❏ It performs enforcement by redirecting control-flow transfers through a new code section called the "Springboard" ❏ This mitigation technique is used to secure function pointers and return addresses ❏ Even if the adversary changes the address of the target, it becomes impossible to change the execution path

  16. CCFIR Technique

  17. CCFIR Drawback ❏ It has compatibility issues ❏ A call from a protected to an unprotected module will fail ❏ Rewriting every module is not always possible

  18. CCFI Technique ❏ It protects function pointers and return addresses with the help of a MAC ❏ MAC(K, pointer, class), where K is a secret key, pointer is the function pointer or return address, and class identifies whether it is a function pointer or a return address ❏ Whenever an address is stored in memory, its MAC is calculated and stored in memory. At runtime the MAC is recomputed and compared with the stored MAC

  19. CCFI Drawback ❏ If the adversary changes the stack return address, the old and new MAC will not match, which indicates an error ❏ However, if the adversary knows an old value of the MAC and function pointer, control flow will jump to the adversary’s function
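The store/load discipline of slides 18 and 19, as an added example (not the CCFI authors' code): pointers are written to memory together with MAC(K, pointer, class) and rechecked on load. HMAC-SHA256 stands in for the scheme's actual MAC, the in-memory dictionary for the stack and heap, and the addresses and slot names are constructed. The third function demonstrates the drawback from slide 19: a (pointer, MAC) pair that was valid once remains valid wherever it is copied, because nothing in the MAC input ties it to the slot it came from.

```python
import hashlib
import hmac
import secrets
import struct

# Stand-in for the secret that the real scheme keeps out of attacker-readable memory.
KEY = secrets.token_bytes(16)

RETURN_ADDRESS = 0      # "class" values telling the two pointer kinds apart
FUNCTION_POINTER = 1


def compute_mac(key, pointer, cls):
    """MAC(K, pointer, class) over the 64-bit pointer value and a class byte."""
    msg = struct.pack("<QB", pointer, cls)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def store_pointer(memory, slot, pointer, cls, key=KEY):
    """On store: write the pointer together with its MAC."""
    memory[slot] = (pointer, compute_mac(key, pointer, cls))


def load_pointer(memory, slot, cls, key=KEY):
    """On use: recompute the MAC and refuse the pointer if it does not match."""
    pointer, stored = memory[slot]
    if not hmac.compare_digest(stored, compute_mac(key, pointer, cls)):
        raise RuntimeError(f"CFI violation: MAC mismatch for {slot}")
    return pointer


def _load_is_rejected(memory, slot, cls):
    try:
        load_pointer(memory, slot, cls)
    except RuntimeError:
        return True
    return False


def overwritten_return_address_detected():
    """A return address changed in place (old MAC left behind) is rejected."""
    mem = {}
    store_pointer(mem, "saved_ret", 0x401000, RETURN_ADDRESS)
    _, old_mac = mem["saved_ret"]
    mem["saved_ret"] = (0x402000, old_mac)      # constructed corruption of the value only
    return _load_is_rejected(mem, "saved_ret", RETURN_ADDRESS)


def class_confusion_detected():
    """A valid pair for a function pointer is rejected when used as a return address."""
    mem = {}
    store_pointer(mem, "fp", 0x401000, FUNCTION_POINTER)
    mem["saved_ret"] = mem["fp"]                 # same bytes, wrong class
    return _load_is_rejected(mem, "saved_ret", RETURN_ADDRESS)


def replayed_pair_accepted():
    """Slide 19's drawback: a previously observed valid pair copied into another
    slot of the same class passes the check, since the MAC does not bind the slot."""
    mem = {}
    store_pointer(mem, "fp_a", 0x401000, FUNCTION_POINTER)
    store_pointer(mem, "fp_b", 0x403000, FUNCTION_POINTER)
    mem["fp_b"] = mem["fp_a"]                    # replay of a known (pointer, MAC) pair
    return load_pointer(mem, "fp_b", FUNCTION_POINTER) == 0x401000


if __name__ == "__main__":
    print("overwrite detected:", overwritten_return_address_detected())
    print("class confusion detected:", class_confusion_detected())
    print("replayed pair accepted:", replayed_pair_accepted())
```

The replay case is the reason a deployed scheme needs more than (pointer, class) in the MAC input: folding the storage address into the message would make a pair valid in exactly one slot and close this particular replay.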

  20. CFCSS Technique ❏ This mitigation technique uses software signatures ❏ The program is divided into nodes (blocks) and every node is assigned a unique random number ❏ The signature difference is the XOR of the source and destination block signatures and is stored at compile time ❏ At runtime this signature is calculated and compared with the stored signature of the node
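The signature scheme of slide 20, as an added example (not the CFCSS authors' code): each block gets a unique random signature at compile time, each block stores the XOR difference to its first predecessor, and at runtime a running signature G is updated on every transfer and compared with the destination's signature. The block goes one step beyond the slide: for a block with several predecessors it also computes the adjusting value D that the source sets before branching, which is how CFCSS keeps the single stored difference correct for fan-in nodes. The block names and edges are a constructed control-flow graph.

```python
import secrets

# Constructed control-flow graph: entry branches to a or b, both rejoin, then exit.
BLOCKS = ["entry", "a", "b", "join", "exit"]
EDGES = [("entry", "a"), ("entry", "b"), ("a", "join"), ("b", "join"), ("join", "exit")]


def assign_signatures(blocks):
    """Compile time: every block gets a unique random 16-bit signature."""
    sigs, used = {}, set()
    for b in blocks:
        s = secrets.randbelow(1 << 16)
        while s in used:
            s = secrets.randbelow(1 << 16)
        used.add(s)
        sigs[b] = s
    return sigs


def compile_cfcss(blocks, edges):
    """Compile time: d[block] = s_first_pred XOR s_block is stored with the block.
    For a block with several predecessors, each incoming edge also gets an
    adjusting value D = s_src XOR s_first_pred that the source sets before branching."""
    sigs = assign_signatures(blocks)
    preds = {b: [] for b in blocks}
    for src, dst in edges:
        preds[dst].append(src)
    d = {b: (sigs[preds[b][0]] ^ sigs[b]) if preds[b] else 0 for b in blocks}
    D = {}
    for src, dst in edges:
        if len(preds[dst]) > 1:
            D[(src, dst)] = sigs[src] ^ sigs[preds[dst][0]]
    return sigs, d, D


def runtime_check(trace, sigs, d, D):
    """Runtime: G holds the signature of the block being executed. Each transfer
    applies G ^= d[dst] (^= D where the source set one) and G must then equal the
    destination's signature. A transfer along an edge that was never compiled
    leaves G wrong and is reported as a violation."""
    if not trace or trace[0] not in sigs:
        return False
    G = sigs[trace[0]]
    for src, dst in zip(trace, trace[1:]):
        if dst not in sigs:
            return False                      # transfer into code outside the program
        # A source only sets D for an edge it legitimately takes, so a diverted
        # transfer arrives with no adjusting value for this (src, dst) pair.
        G ^= d[dst] ^ D.get((src, dst), 0)
        if G != sigs[dst]:
            return False
    return True


if __name__ == "__main__":
    sigs, d, D = compile_cfcss(BLOCKS, EDGES)
    for trace in (["entry", "a", "join", "exit"],
                  ["entry", "b", "join", "exit"],
                  ["entry", "join"],            # skips a block: no such edge
                  ["entry", "a", "exit"]):      # skips the join: no such edge
        print(trace, "valid" if runtime_check(trace, sigs, d, D) else "CFI violation")
```

Because the stored difference at a fan-in block is computed against one designated predecessor, the other predecessors must set D; leaving D out would flag the legitimate path through b as a violation, which is the kind of false positive that makes a signature scheme unusable.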

  21. OUR APPROACH OF CFI IMPLEMENTATION ❏ Our CFI implementation mainly includes label checking, to check for the correct destination, and generating a regular expression of the program to validate the path of execution ❏ At runtime the complete path, or history, of execution is maintained ❏ An undefined change in the path of execution by the adversary can be detected with the help of the regular expression

  22. CFI Implementation ❏ Deriving the Control Flow Graph (CFG) of the program ❏ Label checking for CFI ❏ Deriving the regular expression of the CFG ❏ Checking for CFI violations

  23. Deriving CFG of program ❏ The egypt tool, version 1.1.0, is used to derive the graph from the program ❏ It delegates the source code analysis to GCC ❏ It is a Perl script ❏ gengraph -o graph -t png main.c

  24. Deriving CFG of program

  25. Processing DOT file
    digraph "call graph" {
        "main" -> "f" [ style = solid ];
        "main" -> "g" [ style = solid ];
        "f" -> "m" [ style = solid ];
    }

  26. Label checking for CFI ❏ Labels are used to identify the correct destination function ❏ We consider three new instructions for CFI instrumentation: ❏ Label ID ❏ Call ID DST ❏ ret ID

  27. Label checking for CFI

  28. Deriving regex of CFG ❏ Brzozowski’s algorithm is used to generate a regular expression from the Control Flow Graph ❏ The algorithm is divided into two parts: the first converts the CFG to a Deterministic Finite Automaton (DFA) and the second converts the DFA to a regular expression

  29. Checking for CFI violation ❏ Control Flow Integrity forces the program’s control flow to follow the path defined by the CFG ❏ A CFI violation can be defined as an undefined change in the control flow of execution, or a call to a function which is not part of the program ❏ An execution path which is not a string of the regular expression is considered an invalid path of control flow ❏ We have used the regular expression to detect CFI violations
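The pipeline of slides 25, 28 and 29 end to end, as an added example that is not the presenters' tool: parse the DOT call graph, treat it as an automaton (states are functions, reading a callee name moves to that function, every state accepts since any prefix of a valid path is valid), eliminate states with Brzozowski's algebraic method to obtain a regular expression, and check recorded call sequences against it. The DOT text is the slide's graph with the graph name quoted; the path model (a trace is the sequence of callees along a call chain from main, returns not modelled) is this example's assumption.

```python
import re

# The call graph shown on slide 25, as egypt-style DOT (constructed input).
DOT_TEXT = '''
digraph "call graph" {
    "main" -> "f" [ style = solid ];
    "main" -> "g" [ style = solid ];
    "f" -> "m" [ style = solid ];
}
'''


def parse_dot_edges(text):
    """Return the (caller, callee) edges of a DOT call graph."""
    return re.findall(r'"(\w+)"\s*->\s*"(\w+)"', text)


# Regular-expression algebra for the elimination: None is the empty language,
# "" the empty string. Each callee symbol is rendered as its name plus ";".
def _wrap(x):
    return f"(?:{x})" if "|" in x else x


def union(a, b):
    if a is None:
        return b
    if b is None:
        return a
    if a == b:
        return a
    if a == "":
        return f"(?:{b})?"
    if b == "":
        return f"(?:{a})?"
    return f"{a}|{b}"


def concat(a, b):
    if a is None or b is None:
        return None
    if a == "":
        return b
    if b == "":
        return a
    return _wrap(a) + _wrap(b)


def star(a):
    return "" if a in (None, "") else f"(?:{a})*"


def cfg_to_regex(edges, start="main"):
    """Brzozowski's algebraic method: X_i = sum_j A[i][j] X_j + B[i], solved by
    eliminating states from the last to the first with Arden's lemma."""
    names = [start]
    for s, d in edges:
        for name in (s, d):
            if name not in names:
                names.append(name)
    idx = {name: i for i, name in enumerate(names)}
    n = len(names)
    A = [[None] * n for _ in range(n)]        # A[i][j]: symbols taking state i to j
    for s, d in edges:
        A[idx[s]][idx[d]] = union(A[idx[s]][idx[d]], d + ";")
    B = [""] * n                              # every state accepts the empty string
    for i in range(n - 1, -1, -1):
        s = star(A[i][i])                     # X_i = A_ii* (sum_{k<i} A_ik X_k + B_i)
        B[i] = concat(s, B[i])
        for k in range(i):
            A[i][k] = concat(s, A[i][k])
        for j in range(i):                    # substitute X_i into the remaining equations
            if A[j][i] is None:
                continue
            B[j] = union(B[j], concat(A[j][i], B[i]))
            for k in range(i):
                A[j][k] = union(A[j][k], concat(A[j][i], A[i][k]))
    return B[0]


def is_valid_path(regex, calls):
    """CFI check: the recorded sequence of callees must be a string of the regex."""
    return re.fullmatch(regex, "".join(c + ";" for c in calls)) is not None


if __name__ == "__main__":
    regex = cfg_to_regex(parse_dot_edges(DOT_TEXT))
    print("regex:", regex)
    for trace in (["f", "m"], ["g"], ["f", "g"], ["f", "h"]):
        print(trace, "valid" if is_valid_path(regex, trace) else "CFI violation")
```

For the slide's graph the elimination yields `(?:g;)?|f;(?:m;)?`, i.e. the four valid call chains from main; a recursive edge such as `f -> f` produces a starred group, which is the case slide 8 notes some implementations cannot capture.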

  30. Checking for CFI violation (figure: function call jump CFI violation; function return jump CFI violation)

  31. Future Work ❏ We will analyse the performance of our CFI implementation. Performance analysis is the key factor of any CFI implementation ❏ We will test our system against various attacks. The strength of a CFI technique depends on how well it tackles the attacks ❏ We have seen various CFI implementation techniques. We will try to integrate our approach to CFI with the CCFIR technique in order to strengthen it

  32. Assumptions • Unique IDs: an ID conflict may cause problems during label checking, therefore the IDs used in CFI must be unique. • Non-writable code: if code memory is writable, the CFI implementation code can be corrupted, therefore code memory must not be writable. • Non-executable data: if the data section is executable, the adversary can add executable malicious code to the data section.

  33. Concept • We consider three new instructions for CFI instrumentation: 1) Label ID 2) call ID DST 3) ret ID • call ID DST calls the destination DST, which has Label ID at the start of its code. ret ID is used to return to the caller

  34. CFG and CFI Instrumentation • CFG in which dashed lines represent direct calls, solid lines represent calls from a source instruction, and dotted lines represent returns to the caller. • Destinations belong to the same equivalence class if they have an edge from the same source. We assign a unique label to each equivalence class of destinations

  35. CFG and CFI Instrumentation

  36. CFG and CFI Instrumentation • Labels 10, 20, and 30 are assigned to procedure1(), procedure2(), and procedure3() respectively. • When call 30 R is executed, the label at the destination, that is 30, is compared with the label present in the call instruction. If the comparison fails, it indicates a CFI failure

  37. CFI Instrumentation

  38. CFI Instrumentation • At the source, the ecx register contains the destination address. • The destination ID data is retrieved via ecx and compared with the source ID data. • The jump instruction is executed only if both ID data match
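The three-instruction instrumentation of slides 26, 33, 36 and 38, as an added example that is not the presenters' implementation: a small interpreter in which `call ID DST` transfers only if DST holds `Label ID`, and `ret ID` returns only if the saved return site holds `Label ID`. The tuple encoding, the addresses, and the layout of main, procedure1 and procedure3 are constructed; the `stack_overwrite` parameter stands in for a stack buffer overflow that clobbers a saved return address, so the reader can see where the check catches it.

```python
# Hypothetical encoding of the slides' instructions (constructed for this example):
#   ("label", ID)      marks a call destination or a return site with ID
#   ("call", ID, DST)  transfer to DST only if program[DST] == ("label", ID)
#   ("ret", ID)        pop the saved return site; return only if it holds ("label", ID)
#   ("halt",)          stop

PROGRAM = [
    ("label", 1),       # 0: main entry
    ("call", 10, 6),    # 1: call procedure1 (entry at 6, labelled 10)
    ("label", 40),      # 2: return site of that call
    ("call", 30, 8),    # 3: call procedure3 (entry at 8, labelled 30), the slide's "call 30 R"
    ("label", 41),      # 4: return site of that call
    ("halt",),          # 5
    ("label", 10),      # 6: procedure1
    ("ret", 40),        # 7
    ("label", 30),      # 8: procedure3
    ("ret", 41),        # 9
]

# A call whose ID does not match the label at its destination (constructed).
BAD_CALL = [("call", 20, 2), ("halt",), ("label", 10), ("ret", 99)]


def run(program, stack_overwrite=None, max_steps=100):
    """Execute `program`; return ("ok", called_addresses) or ("cfi-failure", reason).

    stack_overwrite=(n, addr) replaces the return site saved by the n-th call
    (0-based) with addr, simulating a corrupted saved return address while the
    code itself stays intact (the non-writable-code assumption of slide 32)."""
    pc, stack, calls, ncalls = 0, [], [], 0
    for _ in range(max_steps):
        ins = program[pc]
        op = ins[0]
        if op == "halt":
            return ("ok", calls)
        if op == "label":
            pc += 1                                   # labels are inert when executed
        elif op == "call":
            _, label_id, dst = ins
            # Source-side check: the destination must start with the expected label.
            if not (0 <= dst < len(program)) or program[dst] != ("label", label_id):
                return ("cfi-failure", f"call to {dst}: expected label {label_id}")
            stack.append(pc + 1)                      # the return site carries its own label
            if stack_overwrite and stack_overwrite[0] == ncalls:
                stack[-1] = stack_overwrite[1]
            ncalls += 1
            calls.append(dst)
            pc = dst + 1                              # skip the label slot
        elif op == "ret":
            _, label_id = ins
            if not stack:
                return ("cfi-failure", "return with empty stack")
            site = stack.pop()
            # Return-side check: the saved site must hold the label this ret expects,
            # so a return into the middle of code or into another function is refused.
            if not (0 <= site < len(program)) or program[site] != ("label", label_id):
                return ("cfi-failure", f"return to {site}: expected label {label_id}")
            pc = site + 1
        else:
            return ("cfi-failure", f"unknown instruction {ins}")
    return ("cfi-failure", "step limit exceeded")


if __name__ == "__main__":
    print("clean run:", run(PROGRAM))
    print("return site overwritten with procedure3's entry:", run(PROGRAM, stack_overwrite=(0, 8)))
    print("return site overwritten with a call instruction:", run(PROGRAM, stack_overwrite=(0, 3)))
    print("call with mismatched label:", run(BAD_CALL))
```

Two destinations that share a call site must share a label (slide 34's equivalence classes), so the check is coarser than a shadow stack: it confines a corrupted return to the set of labelled sites for that ID rather than to the one true caller, which is why slide 7 lists a protected shadow call stack as a further policy on top of CFI.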

  39. CFI Instrumentation

  40. CFI AND STACK CORRUPTION TECHNIQUES • Corrupting Callee-Saved Registers • Corrupting System call Return Address • Disclosing the Shadow stack Address
