VTrust: Regaining Trust on Virtual Calls

Zhang, Chao; Song, Dawn; Carr, Scott A.; Payer, Mathias; Li, Tongxin; Ding, Yu; Song, Chengyu

doi:10.14722/ndss.2016.23164

Cited by 50 publications

(53 citation statements)

References 30 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CFI mechanisms work by using static analysis to create an over approximation of the control-flow graph (CFG), and then enforce at runtime that all transitions must be within the statically computed CFG. After the initial proposal, follow on research has removed the need for whole program analysis [57], [58], and specialized CFI to use additional information in C++ programs when protecting virtual calls [59], [60]. To improve the precision of the CFG construction underlying CFI, more advanced static analysis techniques have been proposed [61].…”

Section: Related Workmentioning

confidence: 99%

SoK: Shining Light on Shadow Stacks

Burow¹,

Zhang²,

Payer³

2019

2019 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations.We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios.Shadow stacks belong to the class of defense mechanisms that require metadata about the program's state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.

show abstract

Section: Related Workmentioning

confidence: 99%

SoK: Shining Light on Shadow Stacks

Burow¹,

Zhang²,

Payer³

2019

2019 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…There are numbers of defense methods that have been proposed since the attack was presented. VTrust [27] guarantees that virtual function call site invokes virtual functions with the same name and argument type list and a compatible class relationship, so that attacks cannot use random functions of the program's vtables. TypeArmor [28] provides a binary protection mechanism, which uses use-def analysis at callees and function parameters as constraints to decrease the target functions of the indirect call site.…”

Section: Code Reuse Attacksmentioning

confidence: 99%

“…Several new defense techniques aiming at protecting functions are presented immediately as countermeasures. For example, VTrust [27] and TypeArmor [28] protect the program against COOP attack by guaranteeing that the callee of every call site is legitimate. Both function pointers and virtual function calls are vulnerable indirect function calls inducing forward control-flow transfer that may be exploited to launch a code reuse attack.…”

Section: Related Workmentioning

confidence: 99%

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

Wang

Jin

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

A cyber-physical system (CPS) is known as a mix system composed of computational and physical capabilities. The fast development of CPS brings new security and privacy requirements. Code reuse attacks that affect the correct behavior of software by exploiting memory corruption vulnerabilities and reusing existing code may also be threats to CPS. Various defense techniques are proposed in recent years as countermeasures to emerging code reuse attacks. However, they may fail to fulfill the security requirement well because they cannot protect the indirect function calls properly when it comes to dynamic code reuse attacks aiming at forward edges of control-flow graph (CFG). In this paper, we propose P-CFI, a fine-grained control-flow integrity (CFI) method, to protect CPS against memory-related attacks. We use points-to analysis to construct the legitimate target set for every indirect call cite and check whether the target of the indirect call cite is in the legitimate target set at runtime. We implement a prototype of P-CFI on LLVM and evaluate both its functionality and performance. Security analysis proves that P-CFI can mitigate the dynamic code reuse attack based on forward edges of CFG. Performance evaluation shows that P-CFI can protect CPS from dynamic code reuse attacks with trivial time overhead between 0.1% and 3.5% (

show abstract

“…We compare HCIC with recent methods [33] [55]. Security and practicality are two most important metrics to evaluate current CRA defenses.…”

Section: F Comparison Of Security and Practicalitymentioning

confidence: 99%

HCIC: Hardware-Assisted Control-Flow Integrity Checking

Zhang

Qin

et al. 2019

IEEE Internet Things J.

View full text Add to dashboard Cite

Recently, code reuse attacks (CRAs), such as returnoriented programming (ROP) and jump-oriented programming (JOP), have emerged as a new class of ingenious security threats. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Many defenses, classed into software-based and hardware-based, have been proposed. However, software-based methods are difficult to be deployed in practical systems due to high performance overhead. Hardware-based methods can reduce performance overhead but may require extending instruction set architectures (ISAs) and modifying the compiler or suffer the vulnerability of key leakage. To tackle these issues, this paper proposes a new hardware-assisted control flow checking method to resist CRAs with negligible performance overhead without extending ISAs, modifying the compiler or leaking the encryption/decryption key. The key technique involves two control flow checking mechanisms. The first one is the encrypted Hamming distances (EHDs) matching between the physical unclonable function (PUF) response and the return addresses, which prevents attackers from returning between gadgets so long as the PUF response is secret, thus resisting ROP attacks. The second one is the linear encryption/decryption operation (XOR) between the PUF response and the instructions at target addresses of call and jmp instructions to defeat JOP attacks. Advanced return-based full-function reuse attacks will be prevented with the dynamic key-updating method. Experimental evaluations on benchmarks demonstrate that the proposed method introduces negligible 0.95% runtime overhead and 0.78% binary size overhead on average.Index Terms-control flow integrity, code reuse attacks, physical unclonable function, hardware-assisted security.

show abstract

VTrust: Regaining Trust on Virtual Calls

Cited by 50 publications

References 30 publications

SoK: Shining Light on Shadow Stacks

SoK: Shining Light on Shadow Stacks

Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

HCIC: Hardware-Assisted Control-Flow Integrity Checking

Contact Info

Product

Resources

About