Abstract

Control flow integrity (CFI) is a generic technique that prevents control flow hijacking attacks by verifying the legitimacy of indirect branches against a predefined set of targets. State-of-the-art CFI solutions focus on reducing the number of targets using the context of a program, such as the path to the indirect branch and the origin of the code pointer. However, these solutions rest on the impractical assumption that the attacker compromises only control data; non-control data, such as condition data, that can also be abused by attackers is not considered. To overcome these limitations, in this paper we propose value-based constraint CFI (vCFI), which improves the effectiveness of CFI by retrieving and protecting all data that can potentially be manipulated for control flow hijacking. We first perform static analyses (dependency, condition, and data analyses) to derive all control flow-related data. Then, vCFI protects this data at runtime by instrumenting the program to be hardened. We implemented vCFI as a compiler extension and evaluated its performance using SPEC CPU2006. The performance degradation caused by adopting vCFI was reasonable, with an average overhead of 13.6%.

Highlights

  • Control flow is a general target for attackers attempting to compromise applications

  • The contributions of this paper are as follows: 1. Preventing control data attacks and non-control data attacks related to control flow: We proposed value-based constraint CFI (vCFI) as a more comprehensive and realistic method that eliminates the limitation of conventional Control flow integrity (CFI) approaches by ensuring the integrity of control-related data and condition-related data

  • Provided that idx is modified by the attacker, μCFI, like the other existing approaches, cannot detect control flow bending. We argue that such an assumption is not practical, and we attempt to harden CFI under an even stronger attack model that assumes the attacker can manipulate non-control data to deviate control flow
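
The control flow bending scenario in the highlight above, as an added illustration that is not the paper's own code: a dispatch table is indexed by a non-control value `idx`; a conventional target-set CFI check passes even after `idx` is corrupted, because every table entry is a legitimate target, whereas a value-based constraint on `idx` (a hypothetical, simplified stand-in for vCFI's runtime protection, assuming the derivation input `request_type` itself is protected) rejects the bent flow.

```c
#include <stdio.h>

/* Constructed example: three legitimate handlers reachable via one indirect call. */
static int handler_read(void)  { return 1; }
static int handler_write(void) { return 2; }
static int handler_admin(void) { return 3; }

typedef int (*handler_t)(void);
static handler_t table[3] = { handler_read, handler_write, handler_admin };

/* Conventional CFI: the target must belong to the statically derived target set.
   Every table entry is in that set, so any in-bounds idx passes this check. */
static int cfi_target_ok(handler_t target) {
    for (int i = 0; i < 3; i++) if (table[i] == target) return 1;
    return 0;
}

/* Condition data: idx is derived from the request type (hypothetical mapping). */
static int derive_idx(int request_type) {
    if (request_type == 'r') return 0;
    if (request_type == 'w') return 1;
    return -1;  /* the admin handler is never selected from user input */
}

/* Simulated dispatch. corrupt_idx >= 0 models an attacker overwriting idx
   (non-control data) after derivation but before use; -1 means no corruption.
   Returns the handler's result, or -1 when a check rejects the dispatch. */
static int dispatch(int request_type, int corrupt_idx, int use_value_constraint) {
    int idx = derive_idx(request_type);
    if (idx < 0) return -1;
    if (corrupt_idx >= 0) idx = corrupt_idx;       /* attacker's write to idx */
    if (idx < 0 || idx > 2) return -1;             /* plain bounds check */
    handler_t target = table[idx];
    if (!cfi_target_ok(target)) return -1;         /* CFI passes: target is legitimate */
    /* Value-based constraint: idx must still equal the value its derivation yields. */
    if (use_value_constraint && idx != derive_idx(request_type)) return -1;
    return target();
}

int main(void) {
    printf("CFI only, idx bent to admin: %d\n", dispatch('r', 2, 0));  /* 3: bending undetected */
    printf("with value constraint:       %d\n", dispatch('r', 2, 1));  /* -1: rejected */
    return 0;
}
```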


Introduction

Control flow is a general target for attackers attempting to compromise applications. An attacker can exploit a stack buffer overflow bug, overwrite the return address in the stack frame, and hijack the control flow of the application once the manipulated return address is used by an indirect branch instruction (e.g., ret on x86). Hijacking control flow implies that the attacker has full control over the application, as the attacker can execute arbitrary logic. Protecting the control flow is therefore considered key in software security. Control flow integrity (CFI) [1] was the first approach to propose a defensive measure for protecting the control flow: a set of valid branch targets is derived by a static analysis that constructs the control flow graph (CFG). Since the proposal of CFI, a long stream of work has been conducted to enhance the efficiency and accuracy of CFI [1]–[14].
