enforcing un unique code target property for control flow
play

Enforcing Un Unique Code Target Property for Control-Flow Integrity - PowerPoint PPT Presentation

Sep 02, 2023 •361 likes •692 views

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

  1. Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris ∗ , Taesoo Kim, Wenke Lee * 1

  2. Control-flow attack • Control-flow: the order of instruction execution • Attackers use bugs to divert control flow • indirect control-flow transfer (ICT): • call *%rax, jmp *%rax, ret • func_ptr/ret_addr ==> &shellcode/&ROP_gadgets • the most common exploit method 2

  3. Control-flow attack is getting harder • Control-flow integrity (CFI) Defenses De • Statically build control-flow graph (CFG) CCFIR • Dynamically check with CFG · · · binCFI · · · MCFI check · · · piCFI · · · TypeArmor · · · PittyPat · · · static CFG run-time 3

  4. Control-flow attack is still possible Defenses De Atta ttacks • Advanced attacks bypassing CFI • Out-of-control (oakland’14), CCFIR • COOP (oakland’15), · · · Out-of-control binCFI · · · • Control-flow bending (usenix’15), · · · Stitch-gadgets • Code jujutsu (ccs’15) MCFI · · · • |allowed flow| ≫ |real valid flow| · · · COOP piCFI · · · • The end of the story? · · · CF bending TypeArmor · · · • |allowed flow| = 1 · · · Control Jujutsu <=> ∀ ICT, |allowed target| = 1 PittyPat · · · · · · ? 4

  5. Our solution – uCFI • Enforce unique code target property • only one valid target is allowed at runtime • Efficient enforcement • 8% on SPEC CPU 2006 • 4% on nginx • 1% on vsftpd 5

  6. Example: control-flow attack 5,6, 7,8 1 typedef void (*FP)(); 2 void A(); void B(); void C(); void D(); void E(); 3 10 9 4 void handleRequest(int id, char * input) { 5 FP arr[3] = {&A, &B, &C}; 11 6 FP unused = &D; 7 FP fun = NULL; 12 14 8 char buf[20]; 9 if (id < 0 || id > 2) 15 10 return; system 11 if (id == 0) strcpy 12 fun = arr[0]; mprotect 13 else 16 exec 14 fun = arr[id]; 15 strcpy(buf, input); fun fun setuid 16 (*fun)(); unknown before run 17 } 17 6

  7. Example: control-flow integrity • Identify valid target set S S for each ICT • For a run-time target t : : t ∊ S S ? continue: abort • Larger | S | => more attack Method S (id = 1) | S | no CFI * ∞ 5 FP arr[3] = {&A, &B, &C}; 6 FP unused = &D; Type-based CFI A, B, C, D, E 5 7 FP fun = NULL; Static CFI A, B, C 3 9 if (id < 0 || id > 2) 10 return; piCFI A, B, C, D 4 11 if (id == 0) 12 fun = arr[0]; PittyPat B, C 2 13 else 14 fun = arr[id]; uCFI B 1 16 (*fun)(); 7

  8. Unique code target property • UCT property: 5 FP arr[3] = {&A, &B, &C}; • for each invocation of an ICT, 7 FP fun = NULL; 8 char buf[20]; • on one and on only on one allowed target 9 if (id < 0 || id > 2) 10 return; 11 if (id == 0) • Enforcement: 12 fun = arr[0]; 13 else • collect necessary runtime info to 14 fun = arr[id]; 15 strcpy(buf, input); infer the unique target 16 (*fun)(); • PittyPat [1] uses the same methodology, • but fa fails to enforce UCT property 8

  9. Challenges with Intel PT • Intel PT only delivers control-data 5 FP arr[3] = {&A, &B, &C}; • TNT: branch taken / non-taken 7 FP fun = NULL; • TIP: ICT target 8 char buf[20]; 9 if (id < 0 || id > 2) • C1: unique target 10 return; 11 if (id == 0) • line 14: id = 1 or 2 ? | S | = 2 12 fun = arr[0]; 13 else • | S | = 479 for gobmk 14 fun = arr[id]; 15 strcpy(buf, input); • C2: efficient analysis 16 (*fun)(); • path reconstruction from PT trace is slow! • 30x slow down for sjeng (based on our simple implementation) • 9

  10. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; strcpy(buf, input); (*fun)(); 10

  11. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; ret FP new_ptr = BASE_PTR + id; ret TIP assert(inBound(new_ptr)); ret (*new_ptr)(); ret strcpy(buf, input); … (*fun)(); 11

  12. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; int read_data() { ret FP new_ptr = BASE_PTR + id; int packet = getPTPacket(); ret TIP assert(inBound(new_ptr)); int id = packet – BASE_PTR; ret (*new_ptr)(); return id; ret strcpy(buf, input); } … (*fun)(); • Restore non-control data in monitor process 12

  13. uCFI – enforce unique target • Encode non-control data in some ICT fun = arr[id]; int read_data() { ret FP new_ptr = BASE_PTR + id; int packet = getPTPacket(); ret TIP write_data(id); assert(inBound(new_ptr)); int id = packet – BASE_PTR; ret (*new_ptr)(); return id; ret strcpy(buf, input); } … (*fun)(); • Restore non-control data in monitor process • write_data(x): • log arbitrary non-control-data into PT trace • enable analysis for unique target • current setting: 4M ret instrs ==> [-1024, 4M-1024] 13

  14. Which data is necessary? Constraining data: non-control-data affecting control-flow 1. Control-data : (similar to CPI [5] ) • a code pointer / a pointer of a known control-data • recursive data-flow analysis 2. Control-instruction : • Instructions operating on control-data 3. Constraining-data : • non-control data used in control-instructions • like, array index, condition in cmov 14

  15. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; write_data(ID2); FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)(); 15

  16. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); • write_data(ID) into PT trace FP fun = NULL; char buf[20]; if (id < 0 || id > 2) return; if (id == 0) { write_data(ID3); fun = arr[0]; } else { write_data(ID4); fun = arr[id]; } strcpy(buf, input); write_data(ID5); (*fun)(); 16

  17. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); • write_data(ID) into PT trace FP fun = NULL; char buf[20]; • Ignore all TNT packets if (id < 0 || id > 2) return; • Analysis if (id == 0) { write_data(ID3); while(ID = decode_data()) fun = arr[0]; switch(ID) } else { case ID1: pts[arr+0] = A; pts[arr+1] = B; write_data(ID4); pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; fun = arr[id]; case ID3: pts[fun] = pts[arr+0]; break; } case ID4: id = decode_data(); strcpy(buf, input); pts[fun] = pts[arr+id]; break; write_data(ID5); case ID5: if(pts[fun] != PT_packet) (*fun)(); abort(); 17

  18. uCFI – perform efficient analysis path reconstruction from PT trace is slow! • Avoid (most) path reconstruction write_data(ID1); FP arr[3] = {&A, &B, &C}; • assign an ID to each control-instruction write_data(ID2); basic block w/ some control-instrs • write_data(ID) into PT trace FP fun = NULL; char buf[20]; • Ignore all TNT packets if (id < 0 || id > 2) return; efficien ef ently • Analysis if (id == 0) { write_data(ID3); while(ID = decode_data()) fun = arr[0]; switch(ID) } else { case ID1: pts[arr+0] = A; pts[arr+1] = B; write_data(ID4); pts[arr+2] = C; break; case ID2: pts[fun] = NULL; break; fun = arr[id]; case ID3: pts[fun] = pts[arr+0]; break; } case ID4: id = decode_data(); strcpy(buf, input); pts[fun] = pts[arr+id]; break; write_data(ID5); case ID5: if(pts[fun] != PT_packet) (*fun)(); abort(); 18

  19. uCFI overview • uCFI compiler uCFI compiler • identify constraining data constraining constraining basic block data detector data encoder ID encoder source • encode constraining data code • encode basic block ID exeutable LLVM IR ID2BB uCFI monitor points-to update analyzor query execution points-to BBID table process trace decoder user space kernel PT driver space PT CPU Intel PT trace 19

  20. uCFI overview • uCFI monitor uCFI compiler • decode basic block ID constraining constraining basic block data detector data encoder ID encoder source • decode constraining data code • perform points-to analysis exeutable LLVM IR ID2BB • perform CFI check uCFI monitor • sy sync with execution on critical system calls points-to update analyzor query execution points-to BBID table process trace decoder user space kernel PT driver space PT CPU Intel PT trace 20

  21. Implementation • x86_64 system • uCFI compiler (1,652 SLOC) – based on LLVM 3.6 • uCFI monitor (4,310 SLOC) • PT driver – based on Griffin [2] code • IP filtering • 1 return instruction • 1 indirect call instruction 21

  22. Evaluation – set up • Benchmark • SPEC CPU 2006 (-O2) • nginx & vsftpd (default compilation script) • Environment: • 8-core Intel i7-7740X CPU (4.30GHz), 32GB RAM • 64-bit Ubuntu 16.04 system 22

Recommend

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code cs5363 1 Intermediate Code Generation Intermediate language between source and target Multiple machines can be targeted Attaching a

400 views • 19 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology &amp; temporary physical security products : - Keysafes Locking Bar Void security doors &amp; screens

368 views • 21 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market

ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market

ONPAR Unique Target Market Advertising golf advertising ONPAR Unique Target Market Advertising golf advertising On Par has partnered with select golf clubs across the country to provide local and national business a direct and measurable

426 views • 13 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the

12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the

12/22/2016 Control Flow Computers execute instructions in sequence. Except when we change the flow of control Jump and Call instructions Controlling Program Flow Unconditional jump Direct jump: jmp Label Jump target is specified

359 views • 11 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow

x86 PROCEDURES (FUNCTIONS) CONTROL FLOW Recall: Two ways to change program control flow Jump instructions Call instructions Function A unit of code we can call Similar to a jump, except it can return Must

2.43k views • 50 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University

Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University

Reconstructing Control Flow from Predicated Assembly Code Bjrn Decker, Saarland University Daniel Kstner, AbsInt GmbH Motivation Many contemporary microprocessors use instruction-level parallelism to achieve high performance.

612 views • 29 slides
HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control &amp; Data Flow I ECE 522 Control and Data Edges C programs (and pseudo-code) are often used as prototypes because they represent high-level descriptions of system behavior However, C is sequential and cannot

572 views • 15 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
1 Control-Flow Profiles Code Motion Using Control Flow Profiles Commonly gather two types of

1 Control-Flow Profiles Code Motion Using Control Flow Profiles Commonly gather two types of

Profile-Guided Optimizations Motivation for Profiling Recall Limitations of static analysis Instruction scheduling Compilers can analyze possible paths but must behave conservatively List scheduling Frequency information

339 views • 5 slides
Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State Univ. At International Workshop on Modularity Across the System Stack (MASS) Mar 14 th , 2016, Malaga, Spain Cyber Insecurity 2 Blame the

804 views • 54 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security &amp; Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides

More recommend