
Feel Me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space

  • Conference paper
  • International Joint Conference SOCO’16-CISIS’16-ICEUTE’16 (SOCO 2016, CISIS 2016, ICEUTE 2016)

Abstract

Attackers have evolved from classic code-injection attacks, such as those enabled by buffer overflows, to sophisticated Turing-complete code-reuse attacks. Control-Flow Integrity (CFI) is a defence mechanism that eliminates control-flow hijacking attacks caused by common memory errors. CFI relies on static analysis to build a program’s control-flow graph (CFG); at runtime it then ensures that the program only follows legitimate paths of that graph. As a result, when an attacker tries to divert execution to malicious shellcode, CFI detects the unintended path and aborts execution. Because CFI depends on static analysis for an accurate CFG, its security is determined by how strictly the CFG is generated and enforced.

This paper reviews the CFI schemes proposed over the last ten years and assesses their security guarantees against advanced exploitation techniques.
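The check the abstract describes, as an added example that is not code from the paper: each indirect call site carries a statically computed set of legitimate targets (its CFG edges), and the instrumented call refuses to transfer control to any address outside that set. The handler names, the hand-written target set and the `demo` corruption switch are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int handler_double(int x) { return 2 * x; }
static int handler_negate(int x) { return -x; }
/* Reachable in the binary, but not a legitimate target of the call site
   below according to the statically computed CFG. */
static int privileged_op(int x) { return x + 1000; }

/* CFG edge set for the single indirect call site in checked_indirect_call.
   A real CFI pass derives this from pointer analysis over the program;
   here it is written out by hand (constructed for the example). */
static const handler_t allowed_targets[] = { handler_double, handler_negate };
#define N_ALLOWED (sizeof allowed_targets / sizeof allowed_targets[0])

/* Returns 1 if target is an edge of the CFG for this call site, else 0. */
int cfi_target_allowed(handler_t target) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed_targets[i] == target) return 1;
    return 0;
}

/* Instrumented indirect call: validate the CFG edge before transferring
   control. Returns 0 and stores the result on a legitimate edge; returns -1
   on a violation (a deployed scheme would abort() here; kept non-fatal so
   the outcome can be checked by a caller). */
int checked_indirect_call(handler_t fp, int arg, int *out) {
    if (!cfi_target_allowed(fp)) {
        fprintf(stderr, "CFI violation: indirect call to unexpected target\n");
        return -1;
    }
    *out = fp(arg);
    return 0;
}

/* Models the effect of a memory error: when corrupt is nonzero the function
   pointer no longer points at a target on any legitimate CFG edge.
   Returns the handler's result, or -1 if CFI rejected the call. */
int demo(int corrupt) {
    handler_t fp = corrupt ? privileged_op : handler_double;
    int result = 0;
    return checked_indirect_call(fp, 21, &result) == 0 ? result : -1;
}
```

The strictness point from the abstract shows up directly: a coarser scheme that accepted any function entry as a target would let `privileged_op` through, while the per-site edge set rejects it.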




Corresponding author

Correspondence to Irene Díez-Franco.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Díez-Franco, I., Santos, I. (2017). Feel Me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space. In: Graña, M., López-Guede, J.M., Etxaniz, O., Herrero, Á., Quintián, H., Corchado, E. (eds) International Joint Conference SOCO’16-CISIS’16-ICEUTE’16 (SOCO 2016, CISIS 2016, ICEUTE 2016). Advances in Intelligent Systems and Computing, vol 527. Springer, Cham. https://doi.org/10.1007/978-3-319-47364-2_46


  • DOI: https://doi.org/10.1007/978-3-319-47364-2_46


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47363-5

  • Online ISBN: 978-3-319-47364-2

  • eBook Packages: Engineering, Engineering (R0)
