feel me flow a review of control flow integrity methods
play

Feel me Flow: A Review of Control-Flow Integrity Methods for User - PowerPoint PPT Presentation

May 06, 2023 •250 likes •865 views

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

  1. Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es

  2. Rationale

  3. Rationale

  4. Code injection attacks

  5. Code injection attacks Control Flow Graph Intended flow Memory error

  6. Code injection attacks Control Flow Graph Intended flow Memory error Attacker

  7. Code injection attacks Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  8. Code injection attacks Code injection Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  9. Code injection attacks Code injection Data Execution Prevention (DEP) / Write XOR Execute (W ⊕ E) Canaries Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  10. Code reuse attacks

  11. Code reuse attacks Control Flow Graph Intended flow Memory error

  12. Code reuse attacks x0fo86 x0e58b Control Flow Graph Intended flow Memory error Attacker

  13. Code reuse attacks x0fo86 x0e58b x0e58b x0fo86 Control Flow Graph Intended flow Memory error Attacker

  14. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  15. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G ASLR Kernel ASLR G → Statistical x0fo86 Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  16. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G ASLR Kernel ASLR G → Statistical x0fo86 Control Flow Integrity (CFI) Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  17. Control-Flow Integrity (CFI) Abadi et al. CCS’05

  18. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 - Offline: CFG computation

  19. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 - Offline: CFG computation

  20. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 2 3 4 5 6 7 Control Flow Graph (CFG) 1 - Offline: CFG computation

  21. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 2 3 4 5 6 7 Control Flow Graph (CFG) 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  22. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 5 → {7} 4 5 6 6 → {7} 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  23. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  24. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  25. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  26. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  27. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  28. Control-Flow Integrity (CFI) - II x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Attacker’s goal execution Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  29. Control-Flow Integrity (CFI) - II x0e58b G G x0fo86 Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  30. Control-Flow Integrity (CFI) - II x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Abort execution Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  31. CFI Internals

  32. CFI Internals Computation phase Flow sensitive VS flow insensitive

  33. CFI Internals Computation phase Flow sensitive VS flow insensitive 1 | obj = &x; 2 | 3 | obj = &y;

  34. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive

  35. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive

  36. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive A B C D E Where can we return to from function C?

  37. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  38. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  39. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; Forward Backward obj at 2→ {y} 2 | 3 | obj = &y; A B A B Insensitive Sensitive Both Context sensitive VS context insensitive A B → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  40. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; Forward Backward obj at 2→ {y} 2 | 3 | obj = &y; A B A B Insensitive Sensitive Both Context sensitive VS context insensitive A B → B & E A B C Insensitive Which control-flow → B if called from B, D E transfers do we E if called from E: take into account? Sensitive Where can we return to from function C?

  41. Comparison fields

  42. Comparison fields Control Flow Transfers Less secure Backward Forward More secure

  43. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed More secure

  44. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source More secure

  45. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases More secure

  46. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases More secure

  47. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases ( Hardware) Limited There is some restriction on full CS Context Sensitivity More secure

  48. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases (Hardware) Limited There is some restriction on full CS Context Sensitivity Context Sensitive More secure

Recommend

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

961 views • 72 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides

More recommend