Control Flow Integrity Recap Buffer overflow Mitigation techniques - - PowerPoint PPT Presentation

Control Flow Integrity

Recap

• Buffer overflow
• Mitigation techniques

– WOX/DEP – Return-to-libc – RoP (Return-oriented Programming) – StackGuard (insert canaries on stack) – PointGuard (encrypt the pointers) – ASLR – CFI (Control-Flow Integrity)

The Problem

• There are vulnerabilities or flaws, which can be

found in software. An adversary exploits these flaws to get control over the program’s flow.

• Once control over program is achieved, it is easy

to change program’s flow to a particular address where malicious code is stored.

• Buffer overflow is an example of such attack

where return address of a procedure is

• verwritten and program flow is switched to an

address where malicious code is present.

Control-Flow Integrity (CFI)

Software execution must follow its execution path

Why CFI?

• Change in execution path of a program can be

used by an adversary to execute malicious code stored in memory (e.g., buffer overflow)

• CFI enforces integrity of a program’s execution

flow path

• An undefined change in the path of execution

by an adversary can be detected using CFI

• CFI efficiently detects and mitigates buffer
• verflow, RoP, return-to-libc attacks, etc.

• CFI enforcement is practical

– It is compatible with existing software – Can be done efficiently using software rewriting in commodity systems

Control-Flow Integrity

• It reinforces a program to follow the path of

execution defined by Control-Flow Graph

• CFI enforcement guarantees that the program

execution path cannot be changed by the adversary and program’s flow integrity is maintained

• CFI provides a useful foundation for enforcing

further security policies [Abadi et al]

– Protected shadow call stack – Access control of memory regions

CFI implementation types

• CFCSS: Control-Flow checking by Software

Signatures

• CCFIR: Compact Control-Flow Integrity and

Randomization

• CFLC: Control-Flow Lazily Check
• CCFI: Cryptographically enforced CFI
• Practical limitations: some of these do not/

cannot capture recursive function calls

CFI through Label Checking

Swapnil Raut, MTech, IIT Bombay

CFI through Label Checking

• This implementation consists of label checking

and generating regular expression of a program, which actually represents the Control-Flow Graph (CFG) of that program.

– Regular expression is derived from CFG – Label check is done to identify correct destination function when the function is called by a caller – Label is a unique random number added to the start

• f destination

– Before jumping from caller to callee, labels are checked

Implementation Outline

• All the strings generated from regular

expression will be considered valid paths of program execution

• Any other execution path is considered as

invalid and error is produced

• If labels do not match at jump, error is

produced

What is CFI?

❏ Control-Flow Integrity(CFI) is one the mitigation techniques against these attacks ❏ It reinforces a program to follow the path of execution defined by Control-Flow Graph(CFG) ❏ This CFI reinforcement guarantees that program execution path can not be changed by the adversary and a program flow integrity is maintained

Stack Corruption Techniques

❏ CFI implementation can be bypassed by exploiting stack-based vulnerabilities ❏ Corrupting callee-saved registers ❏ Corrupting system call return address ❏ Disclosing the shadow stack address

CFI Implementation Techniques

❏ Compact Control Flow Integrity and Randomization ❏ Cryptographically Enforced Control Flow Integrity ❏ Control Flow Checking by Software Signature

CCFIR Technique

❏ It performs enforcement by redirecting control-flow transfer through new code section called "Springboard" ❏ This mitigation technique is used to secure function pointer and return address ❏ Even if adversary changes the address of target, it becomes impossible to change the execution path

CCFIR Technique

CCFIR Drawback

❏ It has compatibility issue ❏ Call from protected to unprotected module will fail ❏ Rewriting every module is not possible all the time

CCFI Technique

❏ It protects function pointer and return address with the help of MAC ❏ MAC(K,pointer , class ) where K is secrete key, pointer is function pointer or return address and class is to identify whether it is function pointer or return address ❏ Whenever address is stored in memory, MAC is calculated and stored in

• memory. During runtime MAC is recomputed and compared with stored MAC

CCFI Drawback

❏ If adversary changes stack return address, old and new MAC will not match and it indicates error ❏ However if adversary knows old value of MAC and function pointer, control-flow will jump to adversary function

CFISS Technique

❏ This mitigation technique uses software signature ❏ Program is divided into nodes(blocks) and all nodes are assigned random unique number ❏ signature is XOR of source and destination block and stores at compile time ❏ During runtime this signature is calculated and compared with stored signature of node

OUR APPROACH OF CFI IMPLEMENTATION

❏ Our CFI implementation mainly includes label checking to check for correct destination and generating regular expression of program to validate path of execution ❏ During runtime complete path or history of execution is maintained ❏ Undefined change in the path of execution by adversary can be detected with the help of regular expression

CFI Implementation

❏ Deriving Control Flow Graph(CFG) of program ❏ Label checking for CFI ❏ Deriving regular expression of CFG ❏ Checking for CFI violation

Deriving CFG of program

❏ egypt-tool version 1.1.0 is for deriving graph from program ❏ It delegates the source code analysis to GCC ❏ Its perl script ❏ gengraph -o graph -t png main.c

Deriving CFG of program

Processing DOT file

digraph call graph { "main" -> "f" [ style = solid ]; "main" -> "g" [ style = solid ]; "f" -> "m" [ style = solid ]; }

Label checking for CFI

❏ Labels are used to identify correct destination function ❏ We consider three new instructions for CFI instrumentation.

❏ Label ID ❏ Call ID DST ❏ ret ID

Label checking for CFI

Deriving regex of CFG

❏ Brzozowski’s algorithm is used to generate regular expression from Control Flow Graph ❏ Algorithm is divided into two parts: one is to convert CFG to Deterministic Finite Automata(DFA) and second part is to convert DFA to regular expression

Checking for CFI violation

❏ Control Flow Integrity enforces control flow of program to follow CFG defined path ❏ CFI violation can be defined as undefined change in the control-flow of execution or calling a function which is not a part of program ❏ Execution path which is not a part of regular expression is consider as invalid path of control flow. ❏ We have used Regular expression to detect CFI violation

Checking for CFI violation

Function call jump CFI violation Function return jump CFI violation

Future Work

❏ We will analyse the performance of our CFI implementation. Performance analysis is the key factor of any CFI implementation ❏ We will check our system with various attacks. Strength of CFI technique is depend on how well it tackles the attacks ❏ We have seen various CFI Implementation techniques. We will try to integrate

• ur approach of CFI with CCFIR CFI Implementation technique in order

Strengthen it

Assumptions

• Unique IDs: ID conflict may create problem while

label checking therefore IDs used in CFI must be unique.

• Non writable code: If code memory is writable,

CFI implementation code can be corrupted therefore Code memory must not be writable.

• Non executable DATA: If data section is

executable, the adversary can add executable malicious code to data section.

Concept

• We consider three new instruction for CFI

instrumentation . 1) Label ID 2) call ID DST 3)ret ID

• call ID DST calls Destination which has Label ID at

start of it’s code. ret ID is used to return to caller

CFG and CFI Instrumentation

• CFG in which dash lines represent direct call,

solid lines represent call from source instruction, and dotted lines represent return to caller.

• Destinations are belong to equivalent class if

they have edge from same source. we assign unique label to each equivalent class of destination

CFG and CFI Instrumentation

CFG and CFI Instrumentation

• Label 10, 20, and 30 are assigned to

procedure1(), procedure2(), and procedure3() respectively.

• When call 30 R is executed, Label at

destination that is 30 and Label present in call instruction is compared. If comparison fails, it indicates cfi-failure

CFI Instrumentation

CFI Instrumentation

• At source, ecx register contains destination

address.

• Destination ID data is retrieved from ecx and

compared with Source ID data.

• Jump instruction is executed only if both ID

data are matched

CFI Instrumentation

CFI AND STACK CORRUPTION TECHNIQUES

• Corrupting Callee-Saved Registers
• Corrupting System call Return Address
• Disclosing the Shadow stack Address

References & Reading

• Stack smashing

http://insecure.org/stf/smashstack.html

• return-to-libc

http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Return_to_libc/Return_to_libc.pdf http://blog.fkraiem.org/2013/10/26/return-to-libc/ http://cseweb.ucsd.edu/~hovav/papers/s07.html

• ROP (return oriented programming)

https://www.blackhat.com/presentations/bh-usa- 08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf https://cseweb.ucsd.edu/~hovav/dist/rop.pdf http://www.scs.stanford.edu/brop/

• https://www.microsoft.com/en-us/research/publication/control-flow-integrity/
• Using Control-Flow Techniques in a Security Context: A Survey on Common Prototypes and their

Common Weakness http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5948809&tag=1