Go With the FLOW: Fine-Grained Control-Flow Integrity for the Kernel

  • João Moreira UNICAMP
  • Sandro Rigo UNICAMP

Resumo


This paper describes FLOW: a fine-grained control-flow integrity (CFI) implementation that focuses on protecting the Linux kernel. By combining source-code and binary analysis, FLOW maps valid execution paths into a fine-grained control-flow graph, which is later used to instrument the kernel with label-based CFI checks that prevent control-flow hijacking attacks. FLOW induces an average overhead of 17% on system call latency and 5% on I/O throughput, while its impact on real-world applications is ≈ 1%.

Referências

Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. (2005). Control-flow integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS ’05, New York, NY, USA. ACM.

Bletsch, T., Jiang, X., Freeh, V. W., and Liang, Z. (2011). Jump-oriented programming: A new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, pages 30–40, New York, NY, USA. ACM.

Carlini, N., Barresi, A., Payer, M., Wagner, D., and Gross, T. R. (2015). Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C. USENIX Association.

Carlini, N. and Wagner, D. (2014). Rop is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA. USENIX Association.

Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. (2010). Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, New York, NY, USA. ACM.

Cheng, Y., Zhou, Z., Yu, M., Ding, X., and Deng, R. H. (2014). Ropecker: A generic and practical approach for defending against rop attacks. In NDSS. The Internet Society.

Criswell, J., Dautenhahn, N., and Adve, V. (2014). Kcofi: Complete control-flow integrity for commodity operating system kernels. In 2014 IEEE Symposium on Security and Privacy.

Davi, L., Sadeghi, A.-R., Lehmann, D., and Monrose, F. (2014). Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA. USENIX Association.

Evans, I., Long, F., Otgonbaatar, U., Shrobe, H., Rinard, M., Okhravi, H., and Sidiroglou-Douskos, S. (2015). Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, New York, NY, USA. ACM.

Ge, X., Talele, N., Payer, M., and Jaeger, T. (2016). Fine-grained control-flow integrity for kernel software. In IEEE European Symposium on Security and Privacy 2016, Euro S&P, Washington, USA. IEEE Computer Society.

Göktas, E., Athanasopoulos, E., Bos, H., and Portokalidis, G. (2014). Out of control: Overcoming control-flow integrity. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP ’14, Washington, DC, USA. IEEE Computer Society.

Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. (2014). Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA. USENIX Association.

Henning, J. L. (2006). SPECCPU 2006 benchmark descriptions. SIGARCH Comput. Archit. News, 34(4).

Kemerlis, V. P., Polychronakis, M., and Keromytis, A. D. (2014). ret2dir: Rethinking Kernel Isolation. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA. USENIX Association.

Lattner, C. and Adve, V. (2004). LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization, CGO ’04, Washington, USA. IEEE Computer Society.

Lattner, C., Lenharth, A., and Adve, V. (2007). Making Context-Sensitive Points-to Analysis with Heap Cloning Practical For The Real World. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’07), San Diego, California.

Linux Foundation. LLVMLinux. http://llvm.linuxfoundation.org/. Accessed 2016-05-22.

Mashtizadeh, A. J., Bittau, A., Boneh, D., and Mazières, D. (2015). Ccfi: Cryptographically enforced control flow integrity. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, New York, NY, USA. ACM.

McVoy, L. and Staelin, C. (1996). Lmbench: Portable tools for performance analysis. In Proceedings of the 1996 Annual Conference on USENIX Annual Technical Conference, ATEC ’96, Berkeley, CA, USA. USENIX Association.

Mingwei, Z. and Sekar, R. (2013). Control flow integrity for cots binaries. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C. USENIX.

One, A. (1996). Smashing the stack for fun and profit. Phrack, 7(49).

Pappas, V., Polychronakis, M., and Keromytis, A. D. (2013). Transparent rop exploit mitigation using indirect branch tracing. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C. USENIX.

Rubens, E., Tymburibá, M., and Pereira, F. (2015). Inferência estática da frequência méxima de instruções de retorno para detecção de ataques rop. In Simpsósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, SBSEG XV.

Scut and Teso, T. (2001). Exploiting format string vulnerabilities. http://julianor.tripod.com/bc/formatstring-1.2.pdf. Accessed 2016-05-22.

Shacham, H. (2007). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, New York, NY, USA. ACM.

Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., and Pike, G. (2014). Enforcing forward-edge control-flow integrity in gcc & llvm. In 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA. USENIX Association.

Wang, Z. and Jiang, X. (2010). Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In 2010 IEEE Symposium on Security and Privacy.

Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., and Zou, W. (2013). Practical control flow integrity and randomization for binary executables. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP ’13, Washington, DC, USA. IEEE Computer Society.
Publicado
07/11/2016
Como Citar

Selecione um Formato
MOREIRA, João; RIGO, Sandro. Go With the FLOW: Fine-Grained Control-Flow Integrity for the Kernel. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 16. , 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016 . p. 394-407. DOI: https://doi.org/10.5753/sbseg.2016.19322.

Artigos mais lidos do(s) mesmo(s) autor(es)