
Stateful Forward-Edge CFI Enforcement with Intel MPX

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 908)

Abstract

This paper presents a stateful forward-edge CFI mechanism based on a novel use of the Intel Memory Protection Extensions (MPX) technology. To enforce stateful CFI policies, we protect against malicious modification of the pointers on the dereference paths of indirect jumps and function calls by saving these pointers into shadow memory. Intel MPX, which stores pointer bounds in shadow memory, offers the capability to manage the copies of these indirectly dereferenced pointers. There are two challenges in applying MPX to forward-edge CFI enforcement. First, because MPX is designed to protect every pointer that may incur a memory error, it imposes unacceptable runtime overhead. Second, the MPX defense has holes when maintaining interoperability with legacy code. We address these challenges by protecting only the pointers on the dereference paths of indirect function calls and jumps, and by making a further check on the loaded pointer value. We have implemented our mechanism on the LLVM compiler and evaluated it on a commodity Intel Skylake machine with MPX support. Evaluation results show that our mechanism is effective in enforcing forward-edge CFI while incurring acceptable performance overhead.
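As an added illustration (not code from the paper), a software model in C of the check the abstract describes: a code pointer on an indirect-call dereference path is copied into shadow memory when it is stored and compared against that copy when it is loaded for the call. The array-based shadow table and the handler names are assumptions standing in for the MPX bound table and the instrumented program.

```c
/* Added example: software model of the stateful forward-edge CFI check.
 * In the paper the shadow copy lives in the MPX bound table (bndstx/bndldx);
 * here a small array stands in for it (assumption, not the paper's code). */
#include <stddef.h>
typedef void (*handler_t)(void);
/* Shadow entry: the address a code pointer is stored at, plus the value
 * last written there through instrumented code. */
struct shadow_entry { handler_t *slot; handler_t value; };
static struct shadow_entry shadow[64];
static size_t shadow_used;
/* Instrumented store: a write on an indirect-call dereference path also
 * records the pointer value in shadow memory, keyed by the slot address. */
void cfi_store(handler_t *slot, handler_t value) {
    *slot = value;
    for (size_t i = 0; i < shadow_used; i++)
        if (shadow[i].slot == slot) { shadow[i].value = value; return; }
    if (shadow_used < 64)
        shadow[shadow_used++] = (struct shadow_entry){ slot, value };
}
/* Instrumented load before an indirect call. The value in memory must equal
 * the shadow copy; otherwise the slot was changed by an uninstrumented write
 * and NULL is returned so the transfer is refused. This explicit comparison
 * is the "further check on the loaded pointer value": a bare MPX bndldx
 * returns unbounded INIT bounds on a mismatch for legacy interoperability. */
handler_t cfi_load(handler_t *slot) {
    for (size_t i = 0; i < shadow_used; i++)
        if (shadow[i].slot == slot) return shadow[i].value == *slot ? *slot : NULL;
    return NULL;  /* never stored through instrumented code */
}
static int calls;
static void legit_handler(void) { calls++; }
static void other_handler(void) { calls += 100; }
/* Returns 1 if the indirect call was allowed, 0 if it was blocked. */
int dispatch(handler_t *slot) {
    handler_t target = cfi_load(slot);
    if (!target) return 0;
    target();
    return 1;
}
/* Constructed scenario: one legitimate store, then the slot is corrupted by
 * a write that bypassed the instrumentation (e.g. a memory-safety bug). */
int demo(void) {
    handler_t fn;
    cfi_store(&fn, legit_handler);
    int allowed = dispatch(&fn);      /* 1: memory matches shadow copy */
    fn = other_handler;               /* uninstrumented overwrite */
    int blocked = !dispatch(&fn);     /* 1: mismatch, call refused */
    return allowed && blocked && calls == 1;
}
```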


Notes

  1. Shadow memory is a memory space paralleling the normal data space [21,22,23].

  2. The control-transfer related pointers can be used to call functions, used as function parameters, used to load pointers and so on.

References

  1. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: ACM 14th Conference on Computer and Communications Security (CCS 2007), pp. 552–561 (2007)

  2. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: USENIX 18th Security Symposium (SEC 2009), pp. 383–398 (2009)

  3. Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ACM 6th Symposium on Information, Computer and Communications Security (ASIACCS 2011), pp. 30–40 (2011)

  4. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: IEEE 36th Symposium on Security and Privacy (S&P 2015), pp. 745–762 (2015)

  5. Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: USENIX 23rd Security Symposium (SEC 2014), pp. 385–399 (2014)

  6. Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: IEEE 34th Symposium on Security and Privacy (S&P 2013), pp. 48–62 (2013)

  7. Cowan, C., et al.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: USENIX 7th Security Symposium (SEC 1998), pp. 63–78 (1998)

  8. Microsoft Corporation: Data Execution Prevention. https://msdn.microsoft.com/en-us/library/windows/desktop/aa366553(v=vs.85)

  9. Xu, J., Kalbarczyk, Z., Iyer, R.K.: Transparent runtime randomization for security. In: IEEE 22nd Symposium on Reliable Distributed Systems (SRDS 2003), pp. 260–269 (2003)

  10. Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity. In: ACM 12th Conference on Computer and Communications Security (CCS 2005), pp. 340–353 (2005)

  11. Burow, N., et al.: Control-flow integrity: precision, security, and performance. ACM Comput. Surv. 50, 16:1–16:33 (2017)

  12. Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX 24th Security Symposium (SEC 2015), pp. 161–176 (2015)

  13. Evans, I., et al.: Control Jujutsu: on the weaknesses of fine-grained control flow integrity. In: ACM 22nd Conference on Computer and Communications Security (CCS 2015), pp. 901–913 (2015)

  14. Conti, M., et al.: Losing control: on the effectiveness of control-flow integrity under stack attacks. In: ACM 22nd Conference on Computer and Communications Security (CCS 2015), pp. 952–963 (2015)

  15. Mashtizadeh, A.J., Bittau, A., Boneh, D., Mazières, D.: CCFI: cryptographically enforced control flow integrity. In: ACM 22nd Conference on Computer and Communications Security (CCS 2015), pp. 941–951 (2015)

  16. Zhang, J., Hou, R., Fan, J., Liu, K., Zhang, L., McKee, S.: RAGuard: a hardware based mechanism for backward-edge control-flow integrity. In: ACM Computing Frontiers Conference (CF 2017), pp. 27–34 (2017)

  17. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX 22nd Security Symposium (SEC 2013), pp. 337–352 (2013)

  18. Zhang, C., et al.: Practical control flow integrity and randomization for binary executables. In: IEEE 34th Symposium on Security and Privacy (S&P 2013), pp. 559–573 (2013)

  19. Tice, C., et al.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: USENIX 23rd Security Symposium (SEC 2014), pp. 941–954 (2014)

  20. Ge, X., Talele, N., Payer, M., Jaeger, T.: Fine-grained control-flow integrity for kernel software. In: IEEE 1st European Symposium on Security and Privacy (EuroS&P 2016), pp. 179–194 (2016)

  21. Devietti, J., Blundell, C., Martin, M.M.K., Zdancewic, S.: HardBound: architectural support for spatial safety of the C programming language. In: ACM 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2008), pp. 103–114 (2008)

  22. Nagarakatte, S., Zhao, J., Martin, M.M.K., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: ACM 30th SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2009), pp. 245–258. Dublin (2009)

  23. Nagarakatte, S., Martin, M.M.K., Zdancewic, S.: WatchdogLite: hardware-accelerated compiler-based pointer checking. In: Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO 2014), pp. 175–184 (2014)

  24. Intel Corporation: Intel Memory Protection Extensions Enabling Guide. https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf

  25. Intel Corporation: Intel Memory Protection Extensions. Intel 64 and IA-32 Architectures Software Developer's Manual, vol. 1, chap. 17 (2017)

  26. Oleksenko, O., Kuvaiskii, D., Bhatotia, P., Felber, P., Fetzer, C.: Intel MPX explained: an empirical study of Intel MPX and software-based bounds checking approaches. arXiv CoRR, vol. abs/1702.00719 (2017)

  27. GCC Wiki: Intel Memory Protection Extensions (Intel MPX) support in the GCC compiler. https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler

  28. gcc-mirror: libmpx. https://github.com/gcc-mirror/gcc/tree/master/libmpx

  29. The LLVM Compiler Infrastructure. http://llvm.org/

  30. Wilander, J., Nikiforakis, N., Younan, Y., Kamkar, M., Joosen, W.: RIPE: runtime intrusion prevention evaluator. In: Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC 2011), pp. 41–50 (2011)

  31. SPEC CPU2006 Benchmark. http://www.spec.org/cpu2006/

  32. Linux kernel profiling with perf. https://perf.wiki.kernel.org/index.php/Tutorial

  33. Clang 7 documentation: Control Flow Integrity. https://clang.llvm.org/docs/ControlFlowIntegrity.html

  34. Wang, Z., Jiang, X.: HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (S&P 2010), pp. 380–395 (2010)

  35. Niu, B., Tan, G.: Modular control-flow integrity. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2014), pp. 577–587 (2014)

  36. Niu, B., Tan, G.: Per-input control-flow integrity. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), pp. 914–926 (2015)

  37. Payer, M., Barresi, A., Gross, T.R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_8

  38. Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS 2015) (2015)

  39. Elsabagh, M., Fleck, D., Stavrou, A.: Strict virtual call integrity checking for C++ binaries. In: Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (ASIA CCS 2017) (2017)

  40. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX 11th Symposium on Operating Systems Design and Implementation (OSDI 2014), pp. 147–163 (2014)

  41. Davi, L., et al.: HAFIX: hardware-assisted flow integrity extension. In: Proceedings of the 52nd ACM/EDAC/IEEE Design Automation Conference (DAC 2015), pp. 1–6 (2015)

  42. Sullivan, D., Arias, O., Davi, L., Larsen, P., Sadeghi, A.-R., Jin, Y.: Strategy without tactics: policy-agnostic hardware-enhanced control-flow integrity. In: Proceedings of the 53rd Annual Design Automation Conference (DAC 2016), pp. 163:1–163:6 (2016)

  43. Christoulakis, N., Christou, G., Athanasopoulos, E., Ioannidis, S.: HCFI: hardware-enforced control-flow integrity. In: Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (CODASPY 2016), pp. 38–49 (2016)

  44. Intel Corporation: Control-flow Enforcement Technology preview. https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

  45. Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: Proceedings of the 22nd USENIX Security Symposium (USENIX Security 2013) (2013)

  46. van der Veen, V., et al.: Practical context-sensitive CFI. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), pp. 927–940 (2015)

  47. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 42nd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12 (2012)

  48. Yuan, P., Zeng, Q., Ding, X.: Hardware-assisted fine-grained code-reuse attack detection. In: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015), pp. 66–85 (2015)

  49. Liu, Y., Shi, P., Wang, X., Chen, H., Zang, B., Guan, H.: Transparent and efficient CFI enforcement with Intel Processor Trace. In: 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA 2017), pp. 529–540 (2017)

  50. Ge, X., Cui, W., Jaeger, T.: GRIFFIN: guarding control flows using Intel Processor Trace. In: Proceedings of the 22nd International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2017), pp. 585–598 (2017)

  51. Gu, Y., Zhao, Q., Zhang, Y., Lin, Z.: PT-CFI: transparent backward-edge control flow violation detection using Intel Processor Trace. In: Proceedings of the 7th ACM Conference on Data and Application Security and Privacy (CODASPY 2017), pp. 173–184 (2017)

  52. Tuck, N., Calder, B., Varghese, G.: Hardware and binary modification support for code pointer protection from buffer overflow. In: Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO 2004), pp. 209–220 (2004)

  53. Qualcomm Technologies Inc.: Pointer Authentication on ARMv8.3. Whitepaper (2017)


Acknowledgments

We thank the anonymous reviewers for their valuable comments. This work was supported by the China National Science Fund for Outstanding Young Scholars under grant No. 61522212; National Key R&D Plan under grant No. 2017YFB1001602; Frontier Science Research Projects, Chinese Academy of Science, under grant No. QYZDB-SSW-JSC010; and National Natural Science Foundation of China (NSFC) under grant No. 61521092 and No. 61502459.

Author information


Corresponding author: Jun Zhang.


Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Zhang, J. et al. (2018). Stateful Forward-Edge CFI Enforcement with Intel MPX. In: Li, C., Wu, J. (eds) Advanced Computer Architecture. ACA 2018. Communications in Computer and Information Science, vol 908. Springer, Singapore. https://doi.org/10.1007/978-981-13-2423-9_7


  • DOI: https://doi.org/10.1007/978-981-13-2423-9_7


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-2422-2

  • Online ISBN: 978-981-13-2423-9
