
A Formal Model for an Ideal CFI

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10701)

Abstract

We provide a formal model to achieve a fully precise dynamic protection of the flow of execution against control flow hijacking attacks. In the more than a decade since the original Control Flow Integrity (CFI) work, the focus of all proposed work in the literature has been on practical implementations of CFI. Because of the restriction that classic CFI places on function returns, this has led to solutions that relax and bend the rules used in the proof of the original work. Some of these solutions have been shown to be completely insecure, and others are hard to prove using formal methods. We use Propositional Dynamic Logic, which combines actions and their consequences in a formal system and allows us to clearly express the pre- and post-conditions required to prevent a class of exploitation. We prove the correctness of our scheme for an abstract machine that models modern processors.
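The abstract contrasts the coarse return check of classic CFI with a fully precise dynamic check on function returns. The Python model below is an added illustration, not code or the formal system from the paper: it runs a constructed toy program on a tiny abstract machine under both policies, and the program, its addresses and the diverted return target are all assumed for the demonstration.

```python
"""Toy abstract machine: classic label-based CFI return check versus a fully
precise dynamic return check (a shadow of the call history). Added example,
not the paper's model; program and addresses are constructed."""
from typing import Dict, List, Optional, Tuple

class CFIViolation(Exception):
    """Raised when the active policy rejects a control transfer."""

# Constructed sample program: address -> (opcode, operand). Two call sites
# share one callee, so both return sites carry the same classic-CFI label.
PROGRAM: Dict[int, Tuple[str, Optional[int]]] = {
    0: ("call", 10), 1: ("nop", None), 2: ("call", 10), 3: ("nop", None),
    4: ("halt", None),
    10: ("ret", None),          # callee body elided to a single return
}
# Classic CFI: any instruction following a call to the callee is an
# acceptable return target (one equivalence class, i.e. one label).
RETURN_LABEL = {pc + 1 for pc, (op, _) in PROGRAM.items() if op == "call"}

def run(policy: str, hijack: Optional[int] = None) -> List[int]:
    """Execute PROGRAM under policy 'classic' or 'precise'. `hijack` simulates
    a memory-corruption bug overwriting the architectural return address used
    by the first return. Returns the pc trace or raises CFIViolation."""
    pc, stack, shadow, trace, returns = 0, [], [], [], 0
    while True:
        trace.append(pc)
        op, arg = PROGRAM[pc]
        if op == "halt":
            return trace
        if op == "call":
            stack.append(pc + 1)     # architectural return address (corruptible)
            shadow.append(pc + 1)    # precondition recorded for the matching ret
            pc = arg
        elif op == "ret":
            target = stack.pop()
            expected = shadow.pop()  # postcondition: ret must land exactly here
            if hijack is not None and returns == 0:
                target = hijack      # the corrupted return address
            returns += 1
            allowed = target in RETURN_LABEL if policy == "classic" else target == expected
            if not allowed:
                raise CFIViolation(f"ret at {pc} -> {target}, expected {expected}")
            pc = target
        else:
            pc += 1

def rejects(policy: str, hijack: int) -> bool:
    """True when the policy stops a return diverted to `hijack`."""
    try:
        run(policy, hijack)
        return False
    except CFIViolation:
        return True
```

Diverting the first return to address 3 (the other call's return site) passes the classic label check and silently skips the second call, while the precise check rejects it.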



Author information


Correspondence to Sepehr Minagar.


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Minagar, S., Srinivasan, B., Le, P.D. (2017). A Formal Model for an Ideal CFI. In: Liu, J., Samarati, P. (eds) Information Security Practice and Experience. ISPEC 2017. Lecture Notes in Computer Science, vol 10701. Springer, Cham. https://doi.org/10.1007/978-3-319-72359-4_44

  • DOI: https://doi.org/10.1007/978-3-319-72359-4_44

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72358-7

  • Online ISBN: 978-3-319-72359-4
