TUM Logo

CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries

Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries

Research in Attacks, Intrusions, and Defenses - 21st International Symposium, {RAID} 2018, Heraklion, Crete, Greece, September 10-12,2018, Proceedings

Authors: Paul Muntean, Gang Tan, Zhiqiang Lin, Jens Grossklags, and Claudia Eckert
Year/month: 2018/9
Booktitle: Research in Attacks, Intrusions, and Defenses - 21st International Symposium, {RAID} 2018, Heraklion, Crete, Greece, September 10-12,2018, Proceedings
Pages: 423--444
Fulltext: click here

Abstract

Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

Bibtex:

@inproceedings { DBLP:conf/raid/MunteanFTLGE18,
author = { Paul Muntean and Gang Tan and Zhiqiang Lin and Jens Grossklags and Claudia Eckert},
title = { CFI: Type-Assisted Control Flow Integrity for x86-64 Binaries },
year = { 2018 },
month = { September },
booktitle = { Research in Attacks, Intrusions, and Defenses - 21st International Symposium, {RAID} 2018, Heraklion, Crete, Greece, September 10-12,2018, Proceedings },
pages = { 423--444 },
url = { https://doi.org/10.1007/978-3-030-00470-5_20 },

}