It's a TRaP

Crane, Stephen; Volckaert, Stijn; Schuster, Félix; Liebchen, Christopher; Larsen, Per; Davi, Lucas; Sadeghi, Ahmad‐Reza; Holz, Thorsten; Sutter, Bjorn De; Franz, Michael

doi:10.1145/2810103.2813682

Cited by 90 publications

(13 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Usually, a complete ROP attack requires various gadgets, with each of them performing a simple operation. Defense techniques, such as modern shadow stack [25], original CFI [7], forward-edge CFI [8], CCFIR [9], MCFI [10], KCOCFI [11], FPGate [12], Bin-CFI [13], ASLR [15], and TRaP [26], can increase the difficulty of launching a successful ROP attack and therefore ensure the security of target programs.…”

Section: Code Reuse Attacksmentioning

confidence: 99%

“…TypeArmor [28] provides a binary protection mechanism, which uses use-def analysis at callees and function parameters as constraints to decrease the target functions of the indirect call site. TRaP [26] proposes a method that randomizes the address of code pointers.…”

Section: Code Reuse Attacksmentioning

confidence: 99%

“…As for the concept of these defense methods, some of them focus on constraining the transfer target of CFG into a predefined legitimate set, such as original CFI [7], forward-edge CFI [8], CCFIR [9], MCFI [10], KCoFI [11], FPGate [12], and Bin-CFI [13]. On the other hand, some works make it difficult for attackers to find usable gadgets, such as practical ASLR [15], TRaP [26], and TASR [29]. There are also mitigation methods about protecting the code pointers by putting them in hidden memory location, such as CPI [14].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

Wang

Jin

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

A cyber-physical system (CPS) is known as a mix system composed of computational and physical capabilities. The fast development of CPS brings new security and privacy requirements. Code reuse attacks that affect the correct behavior of software by exploiting memory corruption vulnerabilities and reusing existing code may also be threats to CPS. Various defense techniques are proposed in recent years as countermeasures to emerging code reuse attacks. However, they may fail to fulfill the security requirement well because they cannot protect the indirect function calls properly when it comes to dynamic code reuse attacks aiming at forward edges of control-flow graph (CFG). In this paper, we propose P-CFI, a fine-grained control-flow integrity (CFI) method, to protect CPS against memory-related attacks. We use points-to analysis to construct the legitimate target set for every indirect call cite and check whether the target of the indirect call cite is in the legitimate target set at runtime. We implement a prototype of P-CFI on LLVM and evaluate both its functionality and performance. Security analysis proves that P-CFI can mitigate the dynamic code reuse attack based on forward edges of CFG. Performance evaluation shows that P-CFI can protect CPS from dynamic code reuse attacks with trivial time overhead between 0.1% and 3.5% (

show abstract

Section: Code Reuse Attacksmentioning

confidence: 99%

Section: Code Reuse Attacksmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

Wang

Jin

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Memory Protection Extension(MPX) is adopted by O-CFI; however, MPX is not a quick approach and hits 4× slow down compared to the software approach. O-CFI can also be exploited by function-reuse attacks [85].…”

Section: Hardware-based Cfimentioning

confidence: 99%

Control-Flow Integrity: Attacks and Protections

et al. 2019

View full text Add to dashboard Cite

Despite the intense efforts to prevent programmers from writing code with memory errors, memory corruption vulnerabilities are still a major security threat. Consequently, control-flow integrity has received significant attention in the research community, and software developers to combat control code execution attacks in the presence of type of faults. Control-flow Integrity (CFI) is a large family of techniques that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running process cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques, including code reuse attacks, return-to-user, return-to-libc, and replay attacks. We also classify these techniques based on their security, robustness, and implementation complexity. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. We conclude that the performance overhead introduced, jointly with the partial attack coverage, is discouraging the industry from adopting most of them.

show abstract

“…Memory Protection Extention(MPX) is adopted by O-CFI; however, MPX is not a quick approach and hits 4x slow down compared to the software approach. O-CFI can also be exploited by function-reuse attacks [11].…”

Section: Hardware-based Cfimentioning

confidence: 99%

On the Effectiveness of Control-Flow Integrity Against Modern Attack Techniques

Sayeed

Marco-Gisbert

2019

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Memory error vulnerabilities are still widely exploited by attackers despite the various protections developed. Attackers have adopted new strategies to successfully exploit well-known memory errors bypassing mature protection techniques such us the NX, SSP, and ASLR. Those attacks compromise the execution flow to gain control over the target successfully. Control-flow Integrity (CFI) is a protection technique that aims to eradicate memory error exploitation by ensuring that the instruction pointer (IP) of a running program cannot be controlled by a malicious attacker. In this paper, we assess the effectiveness of 14 CFI techniques against the most popular exploitation techniques including code reuse attacks, return-to-user, return-to-libc and replay attacks. Surveys are conducted to classify those 14 CFI techniques based on the security robustness and implementation feasibility. Our study indicates that the majority of the CFI techniques are primarily focused on restricting indirect branch instructions and cannot prevent all forms of vulnerability exploitation. Moreover, we show that the overhead and implementation requirement make some CFI techniques impractical. We conclude that the effort required to have those techniques in real systems, the high overhead, and also the partial attack coverage is discouraging the industry from adopting CFI protections.

show abstract

It's a TRaP

Cited by 90 publications

References 31 publications

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

Control-Flow Integrity: Attacks and Protections

On the Effectiveness of Control-Flow Integrity Against Modern Attack Techniques

Contact Info

Product

Resources

About