BeCFI: detecting hidden control flow with performance monitoring counters

Abstract

Most of existing control flow integrity efforts target keeping intended control flow in good integrity. However, they fail to expose hidden control flow that may be introduced by the execution of rootkits, ROP gadgets, etc. To overcome the challenge, we propose an innovative approach BeCFI to detect hidden control flow based on cross-view principle. Since modern processors are capable of observing the execution of all branch instructions, BeCFI obtains the hardware view with the support of performance monitoring counters (PMCs). To obtain software view, we build a software-based counter by compiler-patching and binary-overwriting, and monitor the execution of branch instructions with software-based counters. If a control transfer only appears in hardware view, BeCFI considers that it is hidden control transfer. We have developed a prototype system on Intel x86 Linux kernel. Our evaluations show BeCFI is capable of detecting the hidden control flow introduced by kernel rootkits and ROP attacks. Furthermore our performance tests demonstrate that BeCFI incurs an acceptable overhead.