An Improved Method on Static Binary Analysis to Enhance the Context-Sensitive CFI
Control Flow Integrity (CFI) is one of the most
promising technique to defend Code-Reuse Attacks (CRAs).
Traditional CFI Systems and recent Context-Sensitive CFI use coarse
control flow graphs (CFGs) to analyze whether the control flow
hijack occurs, left vast space for attackers at indirect call-sites. Coarse
CFGs make it difficult to decide which target to execute at indirect
control-flow transfers, and weaken the existing CFI systems actually.
It is an unsolved problem to extract CFGs precisely and perfectly
from binaries now. In this paper, we present an algorithm to get a
more precise CFG from binaries. Parameters are analyzed at indirect
call-sites and functions firstly. By comparing counts of parameters
prepared before call-sites and consumed by functions, targets of
indirect calls are reduced. Then the control flow would be more
constrained at indirect call-sites in runtime. Combined with CCFI,
we implement our policy. Experimental results on some popular
programs show that our approach is efficient. Further analysis show
that it can mitigate COOP and other advanced attacks.
[1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow
integrity,” in Proceedings of the 12th ACM conference on Computer
and communications security. ACM, 2005, pp. 340–353.
[2] V. van der Veen, D. Andriesse, E. G¨oktas¸, B. Gras, L. Sambuc,
A. Slowinska, H. Bos, and C. Giuffrida, “Practical context-sensitive cfi,”
in Proceedings of the 22nd ACM SIGSAC Conference on Computer and
Communications Security. ACM, 2015, pp. 927–940.
[3] M. Zhang and R. Sekar, “Control flow integrity for cots binaries,” in
Presented as part of the 22nd USENIX Security Symposium (USENIX
Security 13), 2013, pp. 337–352.
[4] M. Abadi, M. Budiu, U´ . Erlingsson, and J. Ligatti, “Control-flow
integrity principles, implementations, and applications,” ACM
Transactions on Information and System Security (TISSEC), vol. 13,
no. 1, p. 4, 2009.
[5] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant,
D. Song, and W. Zou, “Practical control flow integrity and randomization
for binary executables,” in Security and Privacy (SP), 2013 IEEE
Symposium on. IEEE, 2013, pp. 559–573.
[6] Z. Wang and X. Jiang, “Hypersafe: A lightweight approach to provide
lifetime hypervisor control-flow integrity,” in 2010 IEEE Symposium on
Security and Privacy. IEEE, 2010, pp. 380–395.
[7] M. Payer, A. Barresi, and T. R. Gross, “Fine-grained control-flow
integrity through binary hardening,” in International Conference on
Detection of Intrusions and Malware, and Vulnerability Assessment.
Springer, 2015, pp. 144–164.
[8] T. Bletsch, X. Jiang, and V. Freeh, “Mitigating code-reuse attacks with
control-flow locking,” in Proceedings of the 27th Annual Computer
Security Applications Conference. ACM, 2011, pp. 353–362.
[9] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, U´ . Erlingsson,
L. Lozano, and G. Pike, “Enforcing forward-edge control-flow integrity
in gcc & llvm,” in 23rd USENIX Security Symposium (USENIX Security
14), 2014, pp. 941–955. [10] F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and
T. Holz, “Counterfeit object-oriented programming: On the difficulty
of preventing code reuse attacks in c++ applications,” in 2015 IEEE
Symposium on Security and Privacy. IEEE, 2015, pp. 745–762.
[11] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross,
“Control-flow bending: On the effectiveness of control-flow integrity,”
in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp.
161–176.
[12] J. Kinder, F. Zuleger, and H. Veith, “An abstract interpretation-based
framework for control flow reconstruction from binaries,” in
International Workshop on Verification, Model Checking, and Abstract
Interpretation. Springer, 2009, pp. 214–228.
[13] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “Bap: A binary
analysis platform,” in International Conference on Computer Aided
Verification. Springer, 2011, pp. 463–469.
[14] R. Wartell, Y. Zhou, K. W. Hamlen, M. Kantarcioglu, and
B. Thuraisingham, “Differentiating code from data in x86 binaries,”
in Joint European Conference on Machine Learning and Knowledge
Discovery in Databases. Springer, 2011, pp. 522–536.
[15] S. Designer, “Getting around non-executable stack (and fix),” 1997.
[16] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning,
“On the expressiveness of return-into-libc attacks,” in International
Workshop on Recent Advances in Intrusion Detection. Springer, 2011,
pp. 121–141.
[17] H. Shacham, “The geometry of innocent flesh on the bone:
Return-into-libc without function calls (on the x86),” in Proceedings of
the 14th ACM conference on Computer and communications security.
ACM, 2007, pp. 552–561.
[18] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham,
and M. Winandy, “Return-oriented programming without returns,”
in Proceedings of the 17th ACM conference on Computer and
communications security. ACM, 2010, pp. 559–572.
[19] E. G¨oktas, E. Athanasopoulos, H. Bos, and G. Portokalidis, “Out of
control: Overcoming control-flow integrity,” in 2014 IEEE Symposium
on Security and Privacy. IEEE, 2014, pp. 575–589.
[20] L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose, “Stitching the
gadgets: On the ineffectiveness of coarse-grained control-flow integrity
protection,” in 23rd USENIX Security Symposium (USENIX Security 14),
2014, pp. 401–416.
[21] I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi,
and S. Sidiroglou-Douskos, “Control jujutsu: On the weaknesses of
fine-grained control flow integrity,” in Proceedings of the 22nd ACM
SIGSAC Conference on Computer and Communications Security. ACM,
2015, pp. 901–913.
[22] M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, M. Negro, C. Liebchen,
M. Qunaibit, and A.-R. Sadeghi, “Losing control: On the effectiveness
of control-flow integrity under stack attacks,” in Proceedings of the 22nd
ACM SIGSAC Conference on Computer and Communications Security.
ACM, 2015, pp. 952–963.
[23] I. P. Disassembler, “Debugger,” 2010.
[24] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino,
A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna,
“SoK: (State of) The Art of War: Offensive Techniques in Binary
Analysis,” in IEEE Symposium on Security and Privacy, 2016.
[1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow
integrity,” in Proceedings of the 12th ACM conference on Computer
and communications security. ACM, 2005, pp. 340–353.
[2] V. van der Veen, D. Andriesse, E. G¨oktas¸, B. Gras, L. Sambuc,
A. Slowinska, H. Bos, and C. Giuffrida, “Practical context-sensitive cfi,”
in Proceedings of the 22nd ACM SIGSAC Conference on Computer and
Communications Security. ACM, 2015, pp. 927–940.
[3] M. Zhang and R. Sekar, “Control flow integrity for cots binaries,” in
Presented as part of the 22nd USENIX Security Symposium (USENIX
Security 13), 2013, pp. 337–352.
[4] M. Abadi, M. Budiu, U´ . Erlingsson, and J. Ligatti, “Control-flow
integrity principles, implementations, and applications,” ACM
Transactions on Information and System Security (TISSEC), vol. 13,
no. 1, p. 4, 2009.
[5] C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant,
D. Song, and W. Zou, “Practical control flow integrity and randomization
for binary executables,” in Security and Privacy (SP), 2013 IEEE
Symposium on. IEEE, 2013, pp. 559–573.
[6] Z. Wang and X. Jiang, “Hypersafe: A lightweight approach to provide
lifetime hypervisor control-flow integrity,” in 2010 IEEE Symposium on
Security and Privacy. IEEE, 2010, pp. 380–395.
[7] M. Payer, A. Barresi, and T. R. Gross, “Fine-grained control-flow
integrity through binary hardening,” in International Conference on
Detection of Intrusions and Malware, and Vulnerability Assessment.
Springer, 2015, pp. 144–164.
[8] T. Bletsch, X. Jiang, and V. Freeh, “Mitigating code-reuse attacks with
control-flow locking,” in Proceedings of the 27th Annual Computer
Security Applications Conference. ACM, 2011, pp. 353–362.
[9] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, U´ . Erlingsson,
L. Lozano, and G. Pike, “Enforcing forward-edge control-flow integrity
in gcc & llvm,” in 23rd USENIX Security Symposium (USENIX Security
14), 2014, pp. 941–955. [10] F. Schuster, T. Tendyck, C. Liebchen, L. Davi, A.-R. Sadeghi, and
T. Holz, “Counterfeit object-oriented programming: On the difficulty
of preventing code reuse attacks in c++ applications,” in 2015 IEEE
Symposium on Security and Privacy. IEEE, 2015, pp. 745–762.
[11] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross,
“Control-flow bending: On the effectiveness of control-flow integrity,”
in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp.
161–176.
[12] J. Kinder, F. Zuleger, and H. Veith, “An abstract interpretation-based
framework for control flow reconstruction from binaries,” in
International Workshop on Verification, Model Checking, and Abstract
Interpretation. Springer, 2009, pp. 214–228.
[13] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “Bap: A binary
analysis platform,” in International Conference on Computer Aided
Verification. Springer, 2011, pp. 463–469.
[14] R. Wartell, Y. Zhou, K. W. Hamlen, M. Kantarcioglu, and
B. Thuraisingham, “Differentiating code from data in x86 binaries,”
in Joint European Conference on Machine Learning and Knowledge
Discovery in Databases. Springer, 2011, pp. 522–536.
[15] S. Designer, “Getting around non-executable stack (and fix),” 1997.
[16] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning,
“On the expressiveness of return-into-libc attacks,” in International
Workshop on Recent Advances in Intrusion Detection. Springer, 2011,
pp. 121–141.
[17] H. Shacham, “The geometry of innocent flesh on the bone:
Return-into-libc without function calls (on the x86),” in Proceedings of
the 14th ACM conference on Computer and communications security.
ACM, 2007, pp. 552–561.
[18] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham,
and M. Winandy, “Return-oriented programming without returns,”
in Proceedings of the 17th ACM conference on Computer and
communications security. ACM, 2010, pp. 559–572.
[19] E. G¨oktas, E. Athanasopoulos, H. Bos, and G. Portokalidis, “Out of
control: Overcoming control-flow integrity,” in 2014 IEEE Symposium
on Security and Privacy. IEEE, 2014, pp. 575–589.
[20] L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose, “Stitching the
gadgets: On the ineffectiveness of coarse-grained control-flow integrity
protection,” in 23rd USENIX Security Symposium (USENIX Security 14),
2014, pp. 401–416.
[21] I. Evans, F. Long, U. Otgonbaatar, H. Shrobe, M. Rinard, H. Okhravi,
and S. Sidiroglou-Douskos, “Control jujutsu: On the weaknesses of
fine-grained control flow integrity,” in Proceedings of the 22nd ACM
SIGSAC Conference on Computer and Communications Security. ACM,
2015, pp. 901–913.
[22] M. Conti, S. Crane, L. Davi, M. Franz, P. Larsen, M. Negro, C. Liebchen,
M. Qunaibit, and A.-R. Sadeghi, “Losing control: On the effectiveness
of control-flow integrity under stack attacks,” in Proceedings of the 22nd
ACM SIGSAC Conference on Computer and Communications Security.
ACM, 2015, pp. 952–963.
[23] I. P. Disassembler, “Debugger,” 2010.
[24] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino,
A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna,
“SoK: (State of) The Art of War: Offensive Techniques in Binary
Analysis,” in IEEE Symposium on Security and Privacy, 2016.
@article{"International Journal of Information, Control and Computer Sciences:75961", author = "Qintao Shen and Lei Luo and Jun Ma and Jie Yu and Qingbo Wu and Yongqi Ma and Zhengji Liu", title = "An Improved Method on Static Binary Analysis to Enhance the Context-Sensitive CFI", abstract = "Control Flow Integrity (CFI) is one of the most
promising technique to defend Code-Reuse Attacks (CRAs).
Traditional CFI Systems and recent Context-Sensitive CFI use coarse
control flow graphs (CFGs) to analyze whether the control flow
hijack occurs, left vast space for attackers at indirect call-sites. Coarse
CFGs make it difficult to decide which target to execute at indirect
control-flow transfers, and weaken the existing CFI systems actually.
It is an unsolved problem to extract CFGs precisely and perfectly
from binaries now. In this paper, we present an algorithm to get a
more precise CFG from binaries. Parameters are analyzed at indirect
call-sites and functions firstly. By comparing counts of parameters
prepared before call-sites and consumed by functions, targets of
indirect calls are reduced. Then the control flow would be more
constrained at indirect call-sites in runtime. Combined with CCFI,
we implement our policy. Experimental results on some popular
programs show that our approach is efficient. Further analysis show
that it can mitigate COOP and other advanced attacks.", keywords = "Contex-sensitive, CFI, binary analysis, code reuse
attack.", volume = "11", number = "7", pages = "848-7", }
