Abstract
Over the last decade, many exploit mitigations based on Control Flow Integrity (CFI) have been developed to secure programs from being hijacked by attackers. However, most of them only abort the protected application after attack detection, producing no further information for attack analysis. Solely restarting the application leaves it open for repeated attack attempts. We propose Resilient CFI, a compiler-based CFI approach that utilizes dynamic taint analysis to detect code pointer overwrites and trace attacks back to their origin. Gained insights can be used to identify attackers and exclude them from further communication with the application. We implemented our approach as extension to LLVM’s Dataflow Sanitizer, an actively maintained data-flow tracking engine. Our results show that control-flow hijacking attempts can be reliably detected. Compared to previous approaches based on Dynamic Binary Instrumentation, our compiler-based static instrumentation introduces less run-time overhead: on average 3.52x for SPEC CPU2017 benchmarks and 1.56x for the real-world web server NginX.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
ReCFI source code published here: https://github.com/Fraunhofer-AISEC/ReCFI.
- 2.
- 3.
- 4.
As realized by Electric Fence (https://linux.die.net/man/3/efence) or LLVM’s Address Sanitizer (https://clang.llvm.org/docs/AddressSanitizer.html).
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
References
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 340–353. CCS 2005, Association for Computing Machinery, NY (2005)
Banerjee, S., Devecsery, D., Chen, P.M., Narayanasamy, S.: Iodine: fast dynamic taint tracking using rollback-free optimistic hybrid analysis. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 490–504. IEEE, San Francisco, CA (2019)
Burow, N., et al.: Control-flow integrity: precision, security, and performance. ACM Comput. Surv. 50(1), 16:1–16:33 (2017)
Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: 24th USENIX Security Symposium, pp. 161–176 (2015)
Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating memory corruption attacks via pointer taintedness detection. In: 2005 International Conference on Dependable Systems and Networks (DSN 2005), pp. 378–387 (2005)
Cheng, W., Zhao, Q., Yu, B., Hiroshige, S.: TaintTrace: efficient flow tracing with dynamic binary rewriting. In: 11th IEEE Symposium on Computers and Communications (ISCC 2006), pp. 749–754 (2006)
Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, pp. 196–206. ISSTA 2007, Association for Computing Machinery, NY (2007)
Dalton, M., Kannan, H., Kozyrakis, C.: Raksha: a flexible information flow architecture for software security. In: Proceedings of the 34th Annual International Symposium on Computer Architecture, pp. 482–493. ISCA 2007, Association for Computing Machinery, NY (2007)
Devecsery, D., Chen, P.M., Flinn, J., Narayanasamy, S.: Optimistic hybrid analysis: accelerating dynamic analysis through predicated static analysis. ACM SIGPLAN Not. 53(2), 348–362 (2018)
Katsunuma, S., et al.: Base address recognition with data flow tracking for injection attack detection. In: 2006 12th Pacific Rim International Symposium on Dependable Computing (PRDC 2006), pp. 165–172 (2006)
Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: practical dynamic data flow tracking for commodity systems. ACM SIGPLAN Not. 47(7), 121–132 (2012)
Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN Not. 40(6), 190–200 (2005)
Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: CIL: intermediate language and tools for analysis and transformation of C programs. In: Horspool, R.N. (ed.) CC 2002. LNCS, vol. 2304, pp. 213–228. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45937-5_16
Newsome, J., Song, D.: Dynamic taint analysis: automatic detection, analysis, and signature generation of exploit attacks on commodity software. In: Proceedings of the 12th Network and Distributed Systems Security Symposium (2005)
Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 85–96. ASPLOS XI, Association for Computing Machinery, Boston, MA (2004)
Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: 23rd USENIX Security Symposium, pp. 941–955 (2014)
Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: 15th USENIX Security Symposium (2006)
Acknowledgments
This work is partially funded by the Bavarian Ministry of Economic Affairs, Regional Development and Energy.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Braunsdorf, O., Sessinghaus, S., Horsch, J. (2022). Compiler-based Attack Origin Tracking with Dynamic Taint Analysis. In: Park, J.H., Seo, SH. (eds) Information Security and Cryptology – ICISC 2021. ICISC 2021. Lecture Notes in Computer Science, vol 13218. Springer, Cham. https://doi.org/10.1007/978-3-031-08896-4_9
Download citation
DOI: https://doi.org/10.1007/978-3-031-08896-4_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08895-7
Online ISBN: 978-3-031-08896-4
eBook Packages: Computer ScienceComputer Science (R0)