enforcing un unique code target property for control flow
play

Enforcing Un Unique Code Target Property for Control-Flow Integrity - PowerPoint PPT Presentation

Sep 02, 2023 •361 likes •692 views

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

  1. Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris ∗ , Taesoo Kim, Wenke Lee * 1

  2. Control-flow attack • Control-flow: the order of instruction execution • Attackers use bugs to divert control flow • indirect control-flow transfer (ICT): • call *%rax, jmp *%rax, ret • func_ptr/ret_addr ==> &shellcode/&ROP_gadgets • the most common exploit method 2

  3. Control-flow attack is getting harder • Control-flow integrity (CFI) Defenses De • Statically build control-flow graph (CFG) CCFIR • Dynamically check with CFG · · · binCFI · · · MCFI check · · · piCFI · · · TypeArmor · · · PittyPat · · · static CFG run-time 3

  4. Control-flow attack is still possible Defenses De Atta ttacks • Advanced attacks bypassing CFI • Out-of-control (oakland’14), CCFIR • COOP (oakland’15), · · · Out-of-control binCFI · · · • Control-flow bending (usenix’15), · · · Stitch-gadgets • Code jujutsu (ccs’15) MCFI · · · • |allowed flow| ≫ |real valid flow| · · · COOP piCFI · · · • The end of the story? · · · CF bending TypeArmor · · · • |allowed flow| = 1 · · · Control Jujutsu <=> ∀ ICT, |allowed target| = 1 PittyPat · · · · · · ? 4

  5. Our solution – uCFI • Enforce unique code target property • only one valid target is allowed at runtime • Efficient enforcement • 8% on SPEC CPU 2006 • 4% on nginx • 1% on vsftpd 5

  6. Example: control-flow attack 5,6, 7,8 1 typedef void (*FP)(); 2 void A(); void B(); void C(); void D(); void E(); 3 10 9 4 void handleRequest(int id, char * input) { 5 FP arr[3] = {&A, &B, &C}; 11 6 FP unused = &D; 7 FP fun = NULL; 12 14 8 char buf[20]; 9 if (id < 0 || id > 2) 15 10 return; system 11 if (id == 0) strcpy 12 fun = arr[0]; mprotect 13 else 16 exec 14 fun = arr[id]; 15 strcpy(buf, input); fun fun setuid 16 (*fun)(); unknown before run 17 } 17 6

  7. Example: control-flow integrity • Identify valid target set S S for each ICT • For a run-time target t : : t ∊ S S ? continue: abort • Larger | S | => more attack Method S (id = 1) | S | no CFI * ∞ 5 FP arr[3] = {&A, &B, &C}; 6 FP unused = &D; Type-based CFI A, B, C, D, E 5 7 FP fun = NULL; Static CFI A, B, C 3 9 if (id < 0 || id > 2) 10 return; piCFI A, B, C, D 4 11 if (id == 0) 12 fun = arr[0]; PittyPat B, C 2 13 else 14 fun = arr[id]; uCFI B 1 16 (*fun)(); 7

  8. Unique code target property • UCT property: 5 FP arr[3] = {&A, &B, &C}; • for each invocation of an ICT, 7 FP fun = NULL; 8 char buf[20]; • on one and on only on one allowed target 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) • Enforcement: 12 fun = arr[0]; 13 else • collect necessary runtime info to 14 fun = arr[id]; 15 strcpy(buf, input); infer the unique target 16 (*fun)(); • PittyPat [1] uses the same methodology, • but fa fails to enforce UCT property 8

  9. Challenges with Intel PT • Intel PT only delivers control-data 5 FP arr[3] = {&A, &B, &C}; • TNT: branch taken / non-taken 7 FP fun = NULL; • TIP: ICT target 8 char buf[20]; 9 if (id < 0 || id > 2) • C1: unique target 10 return; 11 if (id == 0) • line 14: id = 1 or 2 ? | S | = 2 12 fun = arr[0]; 13 else • | S | = 479 for gobmk 14 fun = arr[id]; 15 strcpy(buf, input); • C2: efficient analysis 16 (*fun)(); • path reconstruction from PT trace is slow! • 30x slow down for sjeng (based on our simple implementation) • 9

  10. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; strcpy(buf, input); (*fun)(); 10

  11. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; ret FP new_ptr = BASE_PTR + id; ret TIP assert(inBound(new_ptr)); ret (*new_ptr)(); ret strcpy(buf, input); … (*fun)(); 11

  12. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; int read_data() { ret FP new_ptr = BASE_PTR + id; int packet = getPTPacket(); ret TIP assert(inBound(new_ptr)); int id = packet – BASE_PTR; ret (*new_ptr)(); return id; ret strcpy(buf, input); } … (*fun)(); • Restore non-control data in monitor process 12

  13. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; int read_data() { ret FP new_ptr = BASE_PTR + id; int packet = getPTPacket(); ret TIP write_data(id); assert(inBound(new_ptr)); int id = packet – BASE_PTR; ret (*new_ptr)(); return id; ret strcpy(buf, input); } … (*fun)(); • Restore non-control data in monitor process • write_data(x): • log arbitrary non-control-data into PT trace • enable analysis for unique target • current setting: 4M ret instrs ==> [-1024, 4M-1024] 13

  14. Which data is necessary? Constraining data: non-control-data affecting control-flow 1. Control-data : (similar to CPI [5] ) • a code pointer / a pointer of a known control-data • recursive data-flow analysis 2. Control-instruction : • Instructions operating on control-data 3. Constraining-data : • non-control data used in control-instructions • like, array index, condition in cmov 14

  15. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)(); 15

  16. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); • write_data(ID) into PT trace FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)(); 16

  17. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); • write_data(ID) into PT trace FP fun = NULL; char buf[20]; • Ignore all TNT packets if (id < 0 || id > 2) return; • Analysis if (id == 0) { write_data(ID3); while(ID = decode_data()) fun = arr[0]; switch(ID) } else { case ID1: pts[arr+0] = A; pts[arr+1] = B; write_data(ID4); pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; fun = arr[id]; case ID3: pts[fun] = pts[arr+0]; break; } case ID4: id = decode_data(); strcpy(buf, input); pts[fun] = pts[arr+id]; break; write_data(ID5); case ID5: if(pts[fun] != PT_packet) (*fun)(); abort(); 17

  18. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); basic block w/ some control-instrs • write_data(ID) into PT trace FP fun = NULL; char buf[20]; • Ignore all TNT packets if (id < 0 || id > 2) return; efficien ef ently • Analysis if (id == 0) { write_data(ID3); while(ID = decode_data()) fun = arr[0]; switch(ID) } else { case ID1: pts[arr+0] = A; pts[arr+1] = B; write_data(ID4); pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; fun = arr[id]; case ID3: pts[fun] = pts[arr+0]; break; } case ID4: id = decode_data(); strcpy(buf, input); pts[fun] = pts[arr+id]; break; write_data(ID5); case ID5: if(pts[fun] != PT_packet) (*fun)(); abort(); 18

  19. uCFI overview • uCFI compiler uCFI compiler • identify constraining data constraining constraining basic block data detector data encoder ID encoder source • encode constraining data code • encode basic block ID exeutable LLVM IR ID2BB uCFI monitor points-to update analyzor query execution points-to BBID table process trace decoder user space kernel PT driver space PT CPU Intel PT trace 19

  20. uCFI overview • uCFI monitor uCFI compiler • decode basic block ID constraining constraining basic block data detector data encoder ID encoder source • decode constraining data code • perform points-to analysis exeutable LLVM IR ID2BB • perform CFI check uCFI monitor • sy sync with execution on critical system calls points-to update analyzor query execution points-to BBID table process trace decoder user space kernel PT driver space PT CPU Intel PT trace 20

  21. Implementation • x86_64 system • uCFI compiler (1,652 SLOC) – based on LLVM 3.6 • uCFI monitor (4,310 SLOC) • PT driver – based on Griffin [2] code • IP filtering • 1 return instruction • 1 indirect call instruction 21

  22. Evaluation – set up • Benchmark • SPEC CPU 2006 (-O2) • nginx & vsftpd (default compilation script) • Environment: • 8-core Intel i7-7740X CPU (4.30GHz), 32GB RAM • 64-bit Ubuntu 16.04 system 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code cs5363 1 Intermediate Code Generation Intermediate language between source and target Multiple machines can be targeted Attaching a

400 views • 19 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology &amp; temporary physical security products : - Keysafes Locking Bar Void security doors &amp; screens

368 views • 21 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market

ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market

ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market Advertising golf advertising On Par has partnered with select golf clubs across the country to provide local and national business a direct and measurable

426 views • 13 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the

12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the

12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the flow of control Jump and Call instructions Controlling Program Flow Unconditional jump Direct jump: jmp Label Jump target is specified

359 views • 11 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow Jump instructions Call instructions Function A unit of code we can call Similar to a jump, except it can return Must

2.43k views • 50 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University

Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University

Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University Daniel Kstner, AbsInt GmbH Motivation Many contemporary microprocessors use instruction-level parallelism to achieve high performance.

612 views • 29 slides
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Familiar C constructs l if else l while l do while l for l break l continue Two key pieces 1. Comparisons and tests:

809 views • 50 slides
25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian Lekies, Ben Stock , Martin Johns Agenda XSS &amp; Attacker Scenario WebSec guys: wake up once you see a cat Motivation Our contributions

619 views • 34 slides
4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4

4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4

4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4 Boundary Conditions 4 Boundary Conditions 4 Pressure Variations 4 Pressure Variations 4 Stokes Drag 4 Stokes Drag 4 Oseen 4 Oseen Drag Drag 4 4

383 views • 5 slides
Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Example How many registers do we need a := 0 1 for the program on the right? L1: b := a + 1 2

408 views • 12 slides
Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal

Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal

Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal financial relationships in any commercial interest related to this CME. I do not plan to reference off label/unapproved uses of drugs or devices.

221 views • 19 slides
Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of

Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of

NEACT 72 nd Annual Summer Conference St. Josephs College, Maine. August 1-4, 2011 Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of Massachusetts Boston wei2.zhang@umb.edu Presentation Outline

3.48k views • 57 slides
Healthy People 2020: Who s Leading the Leading Health Indicators? Carter Blakey Deputy

Healthy People 2020: Who s Leading the Leading Health Indicators? Carter Blakey Deputy

Healthy People 2020: Who s Leading the Leading Health Indicators? Carter Blakey Deputy Director Office of Disease Prevention and Health Promotion Whos Leading the Leading Health Indicators? Leading Health Indicators are: Critical

369 views • 34 slides
L&quot; Effectiveness of fluoride varnish application as cariostatic and desensitizing agent

L&quot; Effectiveness of fluoride varnish application as cariostatic and desensitizing agent

L&quot; Effectiveness of fluoride varnish application as cariostatic and desensitizing agent &quot; in irradiated head and neck cancer patients Dr Kanchan Dholam Prof. &amp; Head, Dental &amp; Prosthetic Surgery, Tata Memorial Hospital, India

219 views • 3 slides

More recommend