$$\tau $$ CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries

Abstract

Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose \(\tau {\textsc {CFI}}\), an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, \(\tau {\textsc {CFI}}\) can be used to harden legacy applications for which source code may not be available. We have evaluated \(\tau {\textsc {CFI}}\) on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that \(\tau {\textsc {CFI}}\) is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, \(\tau {\textsc {CFI}}\) achieves higher forward-edge caller-callee matching precision.