practical control flow integrity randomization for binary
play

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY - PowerPoint PPT Presentation

Mar 06, 2024 •149 likes •584 views

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

  1. PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

  2. Outline ¨ CFI ¨ CCFIR Approach ¨ Architecture of CCFIR ¨ Evaluation ¨ Discussion ¨ Conclusion

  3. CFI Check label on function entry points ¡ Attach label to indirect call: l7 ¡ From Elias Athanasopoulos’ lecture about CS457 – Introduction to Information Systems Security

  4. ¨ Control Flow Integrity ( CFI ): Strong protection against modern control-flow hijacking attacks. However: ¡ ¨ A perception of complexity and inefficiency, ¡ ¨ Performance overhead (average/max: 7.7%/ 26.8%) and ¡ ¨ Compatibility issues ¡ limit its adoption.

  5. Outline ¨ CFI ¨ CCFIR Approach ¨ Architecture of CCFIR ¨ Evaluation ¨ Discussion ¨ Conclusion

  6. CCFIR CCFIR : ¡ New practical and realistic protection method against control flow hijacking attacks ,which enforce CFI method. ¨ Collects all legal targets of indirect control-transfer instructions ¡ ( call/jump/ret), puts them into a “Springboard section” in a random order, encodes target restrictions via code alignment and then limits indirect transfers to flow only to them ¨ Distinguishes between calls and returns ¨ Prevents unauthorized returns into sensitive functions ¡( e.g. system()) ¨ Low performance overhead ¨ Compatible with unmodified legacy binaries ¨ Does not depend on source code or debug information

  7. CCFIR Advantages ¨ Robust protection : against return-to-libc and ROP ¨ On-site randomization : randomize the order of stubs in Springboard at load-time ¨ High performance : low overhead 3.6%/8.6% (average/max) ¨ Binary only : no source code or debug symbols ¨ Progressive deployment : compatibility between protected and unprotected code

  8. CCFIR Approach CCFIR improves CFI as it separates: ¨ Function pointers ¨ Sensitive return addresses ¨ Non-sensitive return addresses This happens in the Springboard section layout without requiring separate ID values and checks. ¡ This stops the jumps that would be most useful to attackers .

  9. Assumptions ¨ ASLR and W ⊕ X (such as DEP) are in use ¨ No self-modifying code or dynamically generated code ¨ Limited information disclosure vulnerabilities ¤ attackers cannot read entire memory regions

  10. Protection Targets Control Transfer Transfer Targets Integrity Protection Method Exceptions user-defined SafeSEH exceptions handlers , W ⊕ X Direct call/jmp Targets are fixed in DEP Conditional jump(jo,jz) the code Indirect jmp/call In memory function CCFIR pointers Ret instructions On stack return CCFIR addresses, overflow (ROP , return-to-libc)

  11. Springboard Section A code section is split up into 2 sections, and all indirect control Transfers are only permitted to flow to an Aligned address in the Springboard section

  12. Distinguishable Targets Bits Executable Meaning 27 26 3 2-0 No * * * *** Non-executable section yes 1 * * *** Normal code section yes 0 * * !000 Springboard’s invalid entry yes 0 * 1 000 Springboard’s function pointer stub yes 0 1 0 000 Springboard’s sensitive return stub yes 0 0 0 000 Springboard’s normal return stub q Entries in the Springboard are all aligned. (0-2 bits) q Three kinds of stubs in Springboard q Function pointer stub entries vs. ret-stub entries (3rd bit) q sensitive vs. normal ret-stub (26th bit) ¡ q Function pointer stubs: 8-byte aligned/return address stub: 16-byte aligned. q normal ret-stubs cannot return into the middle of sensitve functions q One or two bit testng instructons are sufficient to validate its target

  13. Outline ¨ CFI ¨ CCFIR Approach ¨ Architecture of CCFIR ¨ Evaluation ¨ Discussion ¨ Conclusion

  14. Architecture of CCFIR Source: http://chao.100871.net

  15. Background: Relocation Table

  16. BitCover Source: http://chao.100871.net

  17. BitRewrite Rewriting of an indirect call and Rewriting of a direct call and return return

  18. Compatibility Issues ¨ A protected module only allows indirect control transfers whose targets are valid springboard stubs so an indirect control transfer from a protected to an unprotected module will fail ¨ If every module is rewritten the separate modules will be compatible however : ¨ Rewriting all modules is not always possible

  19. Problem 1 ¨ An external function that is not exported by any external module can be called(through an object of an unprotected library) ¨ The check will fail in the protected module because the function pointer is not in the Springboard

  20. Problem 2 ¨ When an unprotected module calls a protected function, a false alarm is triggered by the protected function when it tries to return

  21. Solution ¨ We run BitCover on all libraries which can possibly be loaded by a protected module ¨ A hash table is built from these valid code pointers ¨ When an error happens because of a failed check, the error handler looks up the hash table as a final chance to find the target ¨ Hash table is seldom used

  22. Problem 3 ¨ Most calls to external functions are done through imported function pointers which are stored in the import address table ¨ Imported function pointers will be resolved at load time and the IAT entries are updated ¨ We can’t statically modify these entries

  23. Solution ¨ Bit Rewrite generates a read-only and non- executable wrapper to replace it

  24. ¨ Problem 4:Some dynamic libraries are loaded and linked at run-time and their function pointers are obtained by GetProcAddress . The address of a given function can only be made at runtime in this case.

  25. Solution ¡ ¨ We leave stubs in the Springboard which can be filled runtime ¨ Wrapper calls original GetProcAddress function and fills the new stub with the address ¨ Only the page containing this stub in the Springboard is writable for the time of this update

  27. Security Enforcement and Randomization ¨ For security enforcement two extra layers of protection are added: Sensitive Functions cannot be called via direct 1. calls/CCFIR raises alert in different case CCFIR introduces randomization in the order of 2. stubs

  28. BitVerify ¨ Checks whether a given binary conforms to the following rules: ¤ Any executable section whose 27 th bit is zero is ¡ in Springboard section ¤ Code stubs in Springboard section are all aligned ¤ Function pointers are rewritten and redirected to the springboard section ¤ All call instructions have been rewritten to make sure the pushed return address points to the Springboard section ¤ Dynamic checks have been inserted before all indirect instructions

  29. Outline ¨ CFI ¨ CCFIR Approach ¨ Architecture of CCFIR ¨ Evaluation ¨ Discussion ¨ Conclusion

  30. Evaluation ¨ CCFIR was tested with the SPEC CPU2000 benchmark and some browsers to evaluate overhead and protection. A.Performance ¨ CCFIR is used to automatically disassemble and rewrite 26 benchmark binaries ¨ Scripts check that the new binaries have the same behavior and output as the original ones ¨ Windows 7 32-bit and Inter Core2 Duo CPU 3.00 GHz were used for the experiments

  31. Performance Of Static Analysis

  32. Performance of Load-Time Randomization ¨ Bootstrap code is placed in the protected executable to accomplish load-time randomization ¨ Results show that load time randomization is achieved in a very small amount of time ¨ It takes about 16 milliseconds for 1M memory movement

  33. Performance overhead brought by CCFIR

  34. ¨ Above observations show that CCFIR is capable of protecting all tested binaries with a reasonable overhead

  35. B.Protection effects ¨ Randomization entropy ¤ Load time randomizations makes it hard to guess the address of a target function ¤ Makes a brute-force search infeasible as there are 2^23 possible positions in a 128 MB springboard ¨ Protection against real world exploits ¤ Some vulnerable modules(e.g xul.dll ) were hardened with CCFIR and attacks were prevented

  36. Protection against real world exploits

  37. Outline ¨ CFI ¨ CCFIR Approach ¨ Architecture of CCFIR ¨ Evaluation ¨ Discussion ¨ Conclusion

  38. Discussion A.Possible Attacks To attack CCFIR an attacker may: a) Forge a valid target(The attacker has to use a page which is writable and executable) b) Change memory pages’ protection attributes(Some APIs are disable page protections but CCFIR raises an alert if such functions are called.Even if a function makes a page executable the attacker must also penetrate the randomization) c) Jump to valid targets or chain them to launch attacks(Attackers’ abilities for this attack are greatly constrained.call/jmp flow only to valid entry points)

  39. Discussion B.Race condition of return address ¨ CCFIR checks value of esp and then executes ret in the next instruction ¨ Return address is stored in memory in the interim and it can be modified by another thread ¨ The time window is so small that the odds of a successful attack is extremely small

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Prac%cal Control Flow Integrity & Randomiza%on for Binary

Prac%cal Control Flow Integrity & Randomiza%on for Binary

Title Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Lei Duan Chao Zhang Tao Wei Zhaofeng Chen Peking University Peking University Peking University Peking University UC

701 views • 46 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook

Control Flow Integrity (CFI) in the Linux kernel Kees (Case) Cook @kees_cook keescook@chromium.org Linux Conf AU 2020 https://outflux.net/slides/2020/lca/cfi.pdf Acknowledgment of Country Jingeri! We meet today on the traditional lands

624 views • 44 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &

579 views • 15 slides
Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State Univ. At International Workshop on Modularity Across the System Stack (MASS) Mar 14 th , 2016, Malaga, Spain Cyber Insecurity 2 Blame the

804 views • 54 slides
Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

31 st IEEE Symposium on Security & Privacy, Oakland CA, May 16-19 2010 HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline Motivation

328 views • 29 slides
Incremental Computation of Warranted Arguments in Dynamic Defeasible Argumentation: The Rule

Incremental Computation of Warranted Arguments in Dynamic Defeasible Argumentation: The Rule

Introduction Background Incremental Computation Implementation & Experiments Conclusions and future work Incremental Computation of Warranted Arguments in Dynamic Defeasible Argumentation: The Rule Addition Case Gianvincenzo Alfano 1 ,

440 views • 27 slides
Geo replication and disaster recovery for cloud object storage with Ceph rados gateway Orit

Geo replication and disaster recovery for cloud object storage with Ceph rados gateway Orit

Geo replication and disaster recovery for cloud object storage with Ceph rados gateway Orit Wasserman Senior Software engineer owasserm@redhat.com Vault 2017 AGENDA What is Ceph? Rados Gateway (radosgw) architecture Geo

744 views • 45 slides
Software processes that are: Incremental (small software releases with rapid cycles)

Software processes that are: Incremental (small software releases with rapid cycles)

Agile Processes Software processes that are: Incremental (small software releases with rapid cycles) Cooperative (customer and developer working together with close communication) Straightforward (method is easy to learn and modify)

517 views • 18 slides
Inverse Optimization with Online Data and Multiobjectives: Models, Insights and Algorithms Bo

Inverse Optimization with Online Data and Multiobjectives: Models, Insights and Algorithms Bo

Inverse Optimization with Online Data and Multiobjectives: Models, Insights and Algorithms Bo Zeng Department of Industrial Engineering, University of Pittsburgh Joint work with Chaosheng Dong, currently at Amazon November 13, 2020, Texas

1.48k views • 92 slides
Inversion in optimal control. Principles and examples Nicolas Petit Centre Automatique et

Inversion in optimal control. Principles and examples Nicolas Petit Centre Automatique et

Inversion in optimal control. Principles and examples Nicolas Petit Centre Automatique et Systmes cole des Mines de Paris Knut Graichen Franois Chaplais Outline 1. Receding horizon control (RHC - MPC) 2. Efficient trajectory

578 views • 47 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Control Part 4 Other control

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Control Part 4 Other control

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Control Part 4 Other control strategies These slides are devoted to two advanced control approaches, namely Operational space control Interaction control The

916 views • 58 slides
Chapter 12 CPU Structure and Function Contents Processor organization Register

Chapter 12 CPU Structure and Function Contents Processor organization Register

Chapter 12 CPU Structure and Function Contents Processor organization Register organization Instruction cycle Instruction pipelining Pentium processor PowerPC processor 12.1 Processor Organization Requirements

905 views • 66 slides
Mexico City 24 oct - 5 nov International Business Tour 2019 What is the International Business

Mexico City 24 oct - 5 nov International Business Tour 2019 What is the International Business

Mexico City 24 oct - 5 nov International Business Tour 2019 What is the International Business Tour Visit a major city or country Formal Activities Cultural Activities Other Activities History of Mexico Pre-colonial period

651 views • 31 slides

More recommend