Feel me Flow: A Review of Control-Flow Integrity Methods for User - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space

Irene Díez-Franco, Igor Santos

DeustoTech, University of Deusto | irene.diez@deusto.es | isantos@deusto.es

slide-2
SLIDE 2

Rationale


slide-4
SLIDE 4

Code injection attacks

slide-9
SLIDE 9

Code injection attacks

Diagram labels: Memory error; Attacker; Code injection; Control Flow Graph with Intended flow and Actual flow; Injected code.

Mitigations shown: Data Execution Prevention (DEP) / Write XOR Execute (W⊕E); Canaries

slide-10
SLIDE 10

Code reuse attacks

slide-16
SLIDE 16

Code reuse attacks

Diagram labels: Memory error; Attacker; Code reuse; Control Flow Graph with Intended flow and Actual flow; Gadgets (G) at existing code addresses.

Mitigations shown: ASLR, Kernel ASLR → Statistical; Control Flow Integrity (CFI)

slide-27
SLIDE 27

Control-Flow Integrity (CFI)

Abadi et al. CCS’05

1 - Offline: CFG computation
2 - Runtime: CFG enforcement

Control Flow Graph (CFG) with nodes 1, 2, 3, 4, 5, 6, 7

Enforced CFG
  • 1 → {2, 3}
  • 2 → {4, 5}
  • 3 → {6}
  • 4 → {2}
  • 5 → {7}
  • 6 → {7}
  • 7 → {∅}

Execution 1: 1 → 3 → 6 → 7
Execution 2: 1 → 2 → 5 → 7

slide-30
SLIDE 30

Control-Flow Integrity (CFI) - II

Diagram labels: Original CFG; Memory error; Attacker; Intended flow; Actual flow; Gadgets (G); Code reuse.

Outcome without CFI: Attacker’s goal execution
Outcome with CFI: Abort execution

slide-31
SLIDE 31

CFI Internals

slide-40
SLIDE 40

CFI Internals

Computation phase

Flow sensitive VS flow insensitive

1 | obj = &x;
2 |
3 | obj = &y;

Sensitive
  • obj at 1 → {x}
  • obj at 2 → {y}

Insensitive
  • obj → {x, y}

Context sensitive VS context insensitive

Call graph with functions A, B, C, D, E. Where can we return to from function C?

Insensitive
  • → B & E

Sensitive
  • → B if called from B, E if called from E

Enforcement phase

Forward vs backward control-flow transfers

Diagram: A → B (Forward), A ← B (Backward), A ⇄ B (Both). Which control-flow transfers do we take into account?
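An added simulation (not code from the talk) of the two computation-phase axes above: a flow-sensitive versus flow-insensitive points-to set for obj over the slide's two assignments, and a context-insensitive return-target set versus a shadow-stack style context-sensitive check for "where can we return to from function C?". The call graph linking A..E, with B and E both calling C, is an assumption made here so that the answers B and E arise.

```python
# Added example, not from the talk: simulating the two "computation phase"
# axes on the deck's toy inputs. Statement numbering follows the slide's
# bullets: assignment #1 is "obj = &x", assignment #2 is "obj = &y".
ASSIGNMENTS = [(1, "x"), (2, "y")]           # (statement number, target of &)

# Call graph for A..E; that B and E both call C is an assumption made here,
# so that "where can we return to from function C?" has the answers B and E.
CALLS = [("A", "B"), ("A", "D"), ("B", "C"), ("D", "E"), ("E", "C")]


def points_to_insensitive(assigns):
    """Flow-insensitive: a single points-to set for obj over the whole body."""
    return {target for _, target in assigns}


def points_to_sensitive(assigns, at):
    """Flow-sensitive: only the most recent assignment reaching statement `at`."""
    reaching = [target for num, target in assigns if num <= at]
    return {reaching[-1]} if reaching else set()


def return_targets_insensitive(calls, callee):
    """Context-insensitive: any static caller of `callee` is a legal return site."""
    return {caller for caller, c in calls if c == callee}


def return_targets_sensitive(call_stack):
    """Context-sensitive: only the frame that actually called us. This is what a
    shadow stack records; here the stack of active functions stands in for it."""
    return {call_stack[-2]} if len(call_stack) >= 2 else set()


def check_return(call_stack, target, sensitive):
    """True if a return from call_stack[-1] to `target` passes the chosen policy.
    A False result is where a CFI monitor would abort execution."""
    if sensitive:
        allowed = return_targets_sensitive(call_stack)
    else:
        allowed = return_targets_insensitive(CALLS, call_stack[-1])
    return target in allowed
```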

slide-41
SLIDE 41

Comparison fields

slide-48
SLIDE 48

Comparison fields

Control Flow Transfers (Forward / Backward), rated on a scale from Less secure to More secure:

  • ∅: every control flow transfer is allowed
  • Equivalent classes: makes the assumption that two destinations are equivalent if they come from the same source
  • Heuristics: may or may not work on specially crafted cases
  • (Hardware) Limited Context Sensitivity: there is some restriction on full CS
  • Context Sensitive
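An added example (not the talk's or Abadi et al.'s code) that runs the enforced CFG from the CFI slides (nodes 1..7, Executions 1 and 2) through two enforcement policies: the precise per-edge check from the runtime enforcement step, and the "Equivalent classes" policy from the comparison scale, where destinations reached from the same source share one label. It computes which extra edges the coarser policy lets through; the loop trace and the deviating traces in the checks are constructed here.

```python
# Added example, not code from the talk or from Abadi et al.: the enforced
# CFG shown on the CFI slides, checked precisely and with equivalence classes.
ENFORCED_CFG = {1: {2, 3}, 2: {4, 5}, 3: {6}, 4: {2}, 5: {7}, 6: {7}, 7: set()}


def check_trace(trace, cfg):
    """Runtime enforcement: walk an execution node by node against `cfg`.
    Returns (True, None) or (False, offending_edge); the latter is the point
    where a CFI monitor aborts execution."""
    for src, dst in zip(trace, trace[1:]):
        if dst not in cfg.get(src, set()):
            return False, (src, dst)
    return True, None


def equivalence_classes(cfg):
    """Label assignment as in label-based CFI: destinations sharing a source get
    one label, and destination sets that overlap are merged into one class.
    The classes built here are kept pairwise disjoint, so one pass suffices."""
    classes = []
    for dests in cfg.values():
        if not dests:
            continue
        merged, keep = set(dests), []
        for cls in classes:
            if cls & merged:
                merged |= cls
            else:
                keep.append(cls)
        classes = keep + [merged]
    return classes


def coarse_cfg(cfg):
    """Allowed targets per source under equivalence-class enforcement: a source
    that may reach one member of a class is allowed to reach all of them."""
    classes = equivalence_classes(cfg)
    return {src: set().union(*(cls for cls in classes if cls & dests))
            for src, dests in cfg.items()}


def precision_loss(cfg):
    """Edges the coarse policy accepts but the precise CFG forbids."""
    coarse = coarse_cfg(cfg)
    return {(src, dst) for src in cfg for dst in coarse[src] - cfg[src]}
```

On the slide's graph the only over-approximation is 4 → 3: node 4 legitimately targets 2, and 2 shares a label with 3 because both are reached from 1.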

slide-49
SLIDE 49

Userland CFI Implementations

  • Original CFI, Abadi et al. CCS’05
  • MoCFI, Davi et al. NDSS’12
  • CCFIR, Zhang et al. Oakland’13
  • Bin-CFI, Zhang et al. Usenix Sec.’13
  • kBouncer, Pappas et al. Usenix Sec.’13
  • ROPecker, Cheng et al. NDSS’14
  • SafeDispatch, Jang et al. NDSS’14
  • MCFI, Niu & Tan. PLDI’14
  • RockJIT, Niu & Tan. CCS’14
  • O-CFI, Mohan et al. NDSS’15
  • PathArmor, van der Veen et al. CCS’15
  • VTV / IFCC, Tice et al. Usenix Sec.’15
  • πCFI, Niu & Tan. CCS’15
  • TypeArmor, van der Veen et al. Oakland’16

slide-51
SLIDE 51

Userland CFI - Binary

Scale (Backward / Forward): ∅ | Equivalent Classes | Heuristics | Hardware limited CS | Context Sensitive

  • Equivalent Classes: TypeArmor, CCFIR, Bin-CFI, O-CFI, Original CFI, MoCFI
  • Heuristics: kBouncer
  • Hardware limited CS: PathArmor

CS: Context Sensitivity

slide-53
SLIDE 53

Userland CFI - Source Code

Scale (Backward: ∅ | Equivalent Classes | Limited CS; Forward: Equivalent Classes | Limited CS | Context Sensitive)

  • Equivalent Classes: MCFI, RockJIT
  • Limited CS: πCFI
  • Context Sensitive: VTV / IFCC, SafeDispatch

CS: Context Sensitivity

slide-54
SLIDE 54

Kernel space CFI Implementations

  • State-based CFI (SBCFI), Petroni & Hicks. CCS’07
  • Hypersafe, Wang & Jiang. Oakland’10
  • kGuard, Kemerlis et al. Usenix Sec.’12
  • KCoFI, Criswell et al. Oakland’14

slide-56
SLIDE 56

Kernel space CFI

Scale (Backward / Forward): Exists in kernel space | Equivalent Classes | Limited CS

  • Exists in kernel space: kGuard
  • Equivalent Classes: KCoFI
  • Limited CS: Hypersafe

CS: Context Sensitivity

slide-57
SLIDE 57

CFI - Other Schemes

slide-58
SLIDE 58

CFI - Other Schemes

Userland: ROPecker, Cheng et al. NDSS’14
  • Kernel module
  • Heuristics for forward and backward control flow transfers

Kernel space: SBCFI, Petroni & Hicks. CCS’07
  • Virtual machine monitor
  • Forward: compares CFGs
  • Backward: ∅

slide-59
SLIDE 59

Closing remarks

