DOI: 10.1145/1102120.1102165

Control-flow integrity

Published: 7 November 2005

ABSTRACT

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.


Index Terms

  1. Control-flow integrity

Published in: CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security, November 2005, 422 pages. ISBN: 1595932267. DOI: 10.1145/1102120

                  Copyright © 2005 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
