Enforcing Un Unique Code Target Property for Control-Flow Integrity - - PowerPoint PPT Presentation

enforcing un unique code target property for control flow
SMART_READER_LITE
LIVE PREVIEW

Enforcing Un Unique Code Target Property for Control-Flow Integrity - - PowerPoint PPT Presentation

Sep 02, 2023 361 likes •694 views

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

slide-1
SLIDE 1

Enforcing Un Unique Code Target Property for Control-Flow Integrity

Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris∗, Taesoo Kim, Wenke Lee

*

1

slide-2
SLIDE 2

Control-flow attack

  • Control-flow: the order of instruction execution
  • Attackers use bugs to divert control flow
  • indirect control-flow transfer (ICT):
  • call *%rax, jmp *%rax, ret
  • func_ptr/ret_addr ==> &shellcode/&ROP_gadgets
  • the most common exploit method

2

slide-3
SLIDE 3

Control-flow attack is getting harder

  • Control-flow integrity (CFI)
  • Statically build control-flow graph (CFG)
  • Dynamically check with CFG

static CFG run-time check De Defenses

CCFIR · · · binCFI · · · MCFI · · · piCFI · · · TypeArmor · · · PittyPat · · ·

3

slide-4
SLIDE 4

Control-flow attack is still possible

  • Advanced attacks bypassing CFI
  • Out-of-control (oakland’14),
  • COOP (oakland’15),
  • Control-flow bending (usenix’15),
  • Code jujutsu (ccs’15)
  • |allowed flow|≫|real valid flow|
  • The end of the story?
  • |allowed flow| = 1

<=> ∀ICT, |allowed target| = 1

?

De Defenses

CCFIR · · · binCFI · · · MCFI · · · piCFI · · · TypeArmor · · · PittyPat · · ·

Atta ttacks

Out-of-control · · · Stitch-gadgets · · · COOP · · · CF bending · · · Control Jujutsu · · ·

4

slide-5
SLIDE 5

Our solution – uCFI

  • Enforce unique code target property
  • only one valid target is allowed at runtime
  • Efficient enforcement
  • 8% on SPEC CPU 2006
  • 4% on nginx
  • 1% on vsftpd

5

slide-6
SLIDE 6

Example: control-flow attack

1 typedef void (*FP)(); 2 void A(); void B(); void C(); void D(); void E(); 3 4 void handleRequest(int id, char * input) { 5 FP arr[3] = {&A, &B, &C}; 6 FP unused = &D; 7 FP fun = NULL; 8 char buf[20]; 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) 12 fun = arr[0]; 13 else 14 fun = arr[id]; 15 strcpy(buf, input); 16 (*fun)(); 17 }

5,6, 7,8 9 10 11 12 14 15 strcpy 16 fun 17 system mprotect exec setuid

unknown before run

fun

6

slide-7
SLIDE 7

Example: control-flow integrity

  • Identify valid target set S

S for each ICT

  • For a run-time target t:

: t ∊ S S ? continue: abort

  • Larger |S| => more attack

5 FP arr[3] = {&A, &B, &C}; 6 FP unused = &D; 7 FP fun = NULL; 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) 12 fun = arr[0]; 13 else 14 fun = arr[id]; 16 (*fun)();

Method S (id = 1) |S| no CFI * ∞ Type-based CFI A, B, C, D, E 5 Static CFI A, B, C 3 piCFI A, B, C, D 4 PittyPat B, C 2 uCFI B 1

7

slide-8
SLIDE 8

Unique code target property

  • UCT property:
  • for each invocation of an ICT,
  • on
  • ne and on
  • nly on
  • ne allowed target
  • Enforcement:
  • collect necessary runtime info to

infer the unique target

  • PittyPat[1] uses the same methodology,
  • but fa

fails to enforce UCT property

5 FP arr[3] = {&A, &B, &C}; 7 FP fun = NULL; 8 char buf[20]; 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) 12 fun = arr[0]; 13 else 14 fun = arr[id]; 15 strcpy(buf, input); 16 (*fun)();

8

slide-9
SLIDE 9

Challenges with Intel PT

  • Intel PT only delivers control-data
  • TNT: branch taken / non-taken
  • TIP: ICT target
  • C1: unique target
  • line 14: id = 1 or 2 ? |S| = 2
  • |S| = 479 for gobmk
  • C2: efficient analysis
  • path reconstruction from PT trace is slow!
  • 30x slow down for sjeng
  • (based on our simple implementation)

5 FP arr[3] = {&A, &B, &C}; 7 FP fun = NULL; 8 char buf[20]; 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) 12 fun = arr[0]; 13 else 14 fun = arr[id]; 15 strcpy(buf, input); 16 (*fun)();

9

slide-10
SLIDE 10

uCFI – enforce unique target

  • Encode non-control data in some ICT

fun = arr[id]; strcpy(buf, input); (*fun)();

10

slide-11
SLIDE 11

uCFI – enforce unique target

  • Encode non-control data in some ICT

fun = arr[id]; FP new_ptr = BASE_PTR + id; assert(inBound(new_ptr)); (*new_ptr)(); strcpy(buf, input); (*fun)();

ret ret ret ret … TIP

11

slide-12
SLIDE 12

uCFI – enforce unique target

  • Encode non-control data in some ICT
  • Restore non-control data in monitor process

fun = arr[id]; FP new_ptr = BASE_PTR + id; assert(inBound(new_ptr)); (*new_ptr)(); strcpy(buf, input); (*fun)(); int read_data() { int packet = getPTPacket(); int id = packet – BASE_PTR; return id; }

ret ret ret ret … TIP

12

slide-13
SLIDE 13

uCFI – enforce unique target

  • Encode non-control data in some ICT
  • Restore non-control data in monitor process
  • write_data(x):
  • log arbitrary non-control-data into PT trace
  • enable analysis for unique target
  • current setting: 4M ret instrs ==> [-1024, 4M-1024]

fun = arr[id]; FP new_ptr = BASE_PTR + id; assert(inBound(new_ptr)); (*new_ptr)(); strcpy(buf, input); (*fun)();

write_data(id);

int read_data() { int packet = getPTPacket(); int id = packet – BASE_PTR; return id; }

ret ret ret ret … TIP

13

slide-14
SLIDE 14

Constraining data: non-control-data affecting control-flow

  • 1. Control-data: (similar to CPI[5])
  • a code pointer / a pointer of a known control-data
  • recursive data-flow analysis
  • 2. Control-instruction:
  • Instructions operating on control-data
  • 3. Constraining-data:
  • non-control data used in control-instructions
  • like, array index, condition in cmov

Which data is necessary?

14

slide-15
SLIDE 15

uCFI – perform efficient analysis

  • Avoid (most) path reconstruction

write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)();

path reconstruction from PT trace is slow!

15

slide-16
SLIDE 16

uCFI – perform efficient analysis

  • Avoid (most) path reconstruction
  • assign an ID to each control-instruction
  • write_data(ID) into PT trace

write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)();

path reconstruction from PT trace is slow!

16

slide-17
SLIDE 17

uCFI – perform efficient analysis

  • Avoid (most) path reconstruction
  • assign an ID to each control-instruction
  • write_data(ID) into PT trace
  • Ignore all TNT packets
  • Analysis

while(ID = decode_data()) switch(ID) case ID1: pts[arr+0] = A; pts[arr+1] = B; pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; case ID3: pts[fun] = pts[arr+0]; break; case ID4: id = decode_data(); pts[fun] = pts[arr+id]; break; case ID5: if(pts[fun] != PT_packet) abort();

write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)();

path reconstruction from PT trace is slow!

17

slide-18
SLIDE 18

uCFI – perform efficient analysis

  • Avoid (most) path reconstruction
  • assign an ID to each control-instruction
  • write_data(ID) into PT trace
  • Ignore all TNT packets
  • Analysis

while(ID = decode_data()) switch(ID) case ID1: pts[arr+0] = A; pts[arr+1] = B; pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; case ID3: pts[fun] = pts[arr+0]; break; case ID4: id = decode_data(); pts[fun] = pts[arr+id]; break; case ID5: if(pts[fun] != PT_packet) abort();

write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)();

path reconstruction from PT trace is slow!

basic block w/ some control-instrs

ef efficien ently

18

slide-19
SLIDE 19

uCFI overview

  • uCFI compiler
  • identify constraining data
  • encode constraining data
  • encode basic block ID

user space kernel space PT driver CPU Intel PT

uCFI compiler uCFI monitor

source code constraining data detector constraining data encoder basic block ID encoder LLVM IR

execution process

points-to analyzor trace decoder PT trace ID2BB points-to table

update query

BBID exeutable

19

slide-20
SLIDE 20

uCFI overview

  • uCFI monitor
  • decode basic block ID
  • decode constraining data
  • perform points-to analysis
  • perform CFI check
  • sy

sync with execution on critical system calls

user space kernel space PT driver CPU Intel PT

uCFI compiler uCFI monitor

source code constraining data detector constraining data encoder basic block ID encoder LLVM IR

execution process

points-to analyzor trace decoder PT trace ID2BB points-to table

update query

BBID exeutable

20

slide-21
SLIDE 21

Implementation

  • x86_64 system
  • uCFI compiler (1,652 SLOC) – based on LLVM 3.6
  • uCFI monitor (4,310 SLOC)
  • PT driver – based on Griffin[2] code
  • IP filtering
  • 1 return instruction
  • 1 indirect call instruction

21

slide-22
SLIDE 22

Evaluation – set up

  • Benchmark
  • SPEC CPU 2006 (-O2)
  • nginx & vsftpd (default compilation script)
  • Environment:
  • 8-core Intel i7-7740X CPU (4.30GHz), 32GB RAM
  • 64-bit Ubuntu 16.04 system

22

slide-23
SLIDE 23

Security – enforcing unique target

  • Successfully enforce 1 target for tested programs
  • gobmk: 479/1, sjeng: 7/1, h264ref: 10/1

typedef int (*EVALFUNC)(int sq, int c); static EVALFUNC evalRoutines[7] = { ErrorIt, Pawn, Knight, King, Rook, Queen, Bishop }; int std_eval (int alpha, int beta) { ... for (j = 1, a = 1; (a <= piece_count); j++) { i = pieces [j]; ... score += (*(evalRoutines[piecet(i)]))(i,pieceside(i)); } }

23

slide-24
SLIDE 24

Security – preventing attacks

Prog Source Type Exploit PiCFI PittyPat uCFI ffmpeg CVE-2016-10191 Heap overflow Code pointer ✔ ✔ ✔ CVE-2016-10190 Heap overflow Code pointer ✔ ✔ ✔ php CVE-2015-8617 Format string Code pointer ✔ ✔ ✔ nginx CVE-2013-2028 Stack overflow Pointer of code pointer ✔ ✔ ✔ sudo CVE-2012-0809 Format string Code pointer ✔ ✔ ✔ COOP PoC PittyPat Stack overflow Pointer of C++

  • bject

✔ ✔ sjeng synthesized

  • Code pointer

✔ gobmk synthesized

  • Code pointer

24

slide-25
SLIDE 25

Efficiency – performance overhead

  • 5%

5% 15% 25% 35% 45%

PittyPat uCFI

protected exec vs.

  • riginal exec
  • 7.9% for SPEC
  • 4.1% for nginx
  • 0.8% for vsftpd
  • perlbench
  • multiple process

creation

25

slide-26
SLIDE 26

Efficiency – memory&code overhead

  • 10%

0% 10% 20% 30% 40% 50% 60% 0% 5% 10% 15% 20% 25% 30% 35%

Memory Code Sensitive-BB

Memory overhead

  • 0.8% for SPEC
  • 5.6% for nginx
  • 4.8% for vsftpd

Code size overhead

  • 4.0% for SPEC
  • 20.3% for nginx
  • 17.3% for vsftpd

Strongly related to sensitive-BB%

26

slide-27
SLIDE 27

Efficiency – trace size reduction

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

TNT TIP BBID Return c-data

27

slide-28
SLIDE 28

Discussion – backward-edge CFI

  • uCFI does not protect return address
  • Integration with parallel shadow stack[7]
  • For compatibility checking only
  • 58 SLOC code in LLVM X86 backend
  • 2.07% extra overhead (SPEC), <1% overhead (nginx & vsftpd)
  • Alternatives:
  • SafeStack (available in clang)
  • Intel CET (in the future)

28

slide-29
SLIDE 29

Conclusion: uCFI

Security:

  • Enforce Unique Code Target Property

Efficiency:

  • (HW) Intel PT for control data
  • (SW) write_data for non-control data

PT PTWrite instruction is available!

==> more efficiency

29

Open source: https://github.com/uCFI-GATech

slide-30
SLIDE 30

Related Work

1. 1. Ef Efficient Pr Protection of

  • f Pa

Path-Se Sensitive Co Control Se

  • Security. Ren Ding, Chenxiong Qian, Chengyu Song, Bill Harris,

Taesoo Kim, and Wenke Lee. USENIX 2017. 2. 2. GR GRIFFIN: Gu Guarding Co Control Fl Flows Us Using In Intel Pr Processor Tr

  • Trace. Xinyang Ge, Weidong Cui, and Trent Jaeger.

ASPLOS 2017. 3. 3. Pe Per-In Input Co Control-Fl Flow In Integrity.Ben Niu and Gang Tan. CCS 2015. 4. 4. Pr Practical Co Context-Se Sensitive CF

  • CFI. Victor van der Veen, Dennis Andriesse, Enes Göktaş, Ben Gras, Lionel

Sambuc, Asia Slowinska, Herbert Bos, and Cristiano Giuffrida. CCS 2015. 5. 5. Co Code-Po Pointer In

  • Integrity. Volodymyr Kuznetsov, László Szekeres, Mathias Payer, George Candea, R. Sekar, and

Dawn Song. OSDI 2014. 6. 6. Pr Practical Co Control Fl Flow In Integrity an and Ra Randomization fo for Bi Binary Exe

  • Executables. Chao Zhang, Tao Wei, Zhaofeng

Chen, Lei Duan, LaszloSzekeres, Stephen McCamant, Dawn Song, and Wei Zou. Oakland 2013. 7. 7. Th The Pe Performance Co Cost of

  • f Sh

Shadow St Stacks an and St Stack Ca

  • Canaries. Thurston H.Y. Dang, Petros Maniatis, and David
  • Wagner. AsiaCCS 2015.

8. 8. Co Counterfeit Ob Object-Or Oriented Pr Programming: On On th the Di Difficulty of

  • f Pr

Preventing Co Code Re Reuse At Attacks in in C+ C++ Ap

  • Applications. Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and

Thorsten Holz. Oakland 2015. 9. 9. Co Control-Fl Flow Be Bending: On On th the Ef Effectiveness of

  • f Co

Control-Fl Flow In

  • Integrity. Nicolas Carlini, Antonio Barresi,

Mathias Payer,David Wagner,and Thomas R. Gross. USENIX Security 2015.

30

slide-31
SLIDE 31

Discussion – difference from CPI

Pl Platform Pr Protect Stage Bl Blocked Bu Bugs Is Isolation Sa Safe? CPI x86 prevention spatial process ✔ x86_64 information hiding ✗ uCFI x86_64 detection spatial & temporal process ✔

31