Description
Memory corruption is still one of the most prevalent and severe classes of security vulnerability in today's programs. For this reason, several techniques for mitigating software vulnerabilities exist and are used in production systems. An important mitigation is the prevention of invalid control-flow transfers. This includes the protection of return addresses on the stack (backward edges) as well as the protection of function pointers, which are typically stored on the heap (forward edges). Whereas mitigations for backward edges are already widely employed in production code (e.g. stack canaries), protection of forward edges is less common. Attackers therefore often corrupt vtables or function pointers to subvert a forward edge. Forward edges can be protected using Control-Flow Integrity (CFI), for which practical implementations already exist. However, current CFI implementations are often imprecise, meaning that more control-flow transfers are allowed than the program actually needs. This often leaves an attacker sufficient leeway to exploit a program successfully. This thesis presents Static Analysis Control-Flow Integrity (SA-CFI), which offers precise forward-edge CFI protection by using a static data-flow analysis to determine the set of valid forward edges. SA-CFI is the umbrella term for three different CFI mechanisms, each implemented as an LLVM compiler pass. All three mechanisms use the Static Value-Flow (SVF) framework to perform the same static data-flow analysis, which offers higher precision than conventional heuristic-based approaches. Each SA-CFI variant processes the results of the analysis differently in order to achieve different precision and performance objectives. To show that SA-CFI can be applied to large projects and still achieve precise results, this thesis evaluates the SA-CFI variants on benchmarks from SPEC CPU 2017. The highest overhead measured for any benchmark and any SA-CFI variant is 5.4%. For the performance-optimized variant, the maximum performance overhead is 1.4%.