DOI: 10.1145/3029806.3029830
Research article (Public Access)

PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace

Published: 22 March 2017

Abstract

This paper presents PT-CFI, a new backward-edge control flow violation detection system based on a novel use of a recently introduced hardware feature called Intel Processor Trace (PT). Designed primarily for offline software debugging and performance analysis, PT offers the capability of tracing the entire control flow of a running program. In this paper, we explore the practicality of using PT for security applications, and propose to build a new control flow integrity (CFI) model that enforces a backward-edge CFI policy for native COTS binaries based on the traces from Intel PT. By exploring the intrinsic properties of PT with a system call based synchronization primitive and a deep inspection capability, we have addressed a number of technical challenges such as how to make sure the backward-edge CFI policy is both sound and complete, how to make PT enforce our CFI policy, and how to balance the performance overhead. We have implemented PT-CFI and evaluated it with a number of programs including SPEC2006 and HTTP daemons. Our experimental results show that PT-CFI can enforce a perfect backward-edge CFI with only small overhead for the protected program.
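As an added illustration, not PT-CFI's own code and not a decoder for real Intel PT packets, the following Python models the policy the abstract describes: a shadow stack rebuilt from the call and return events in a trace, with verification deferred until the program reaches a system call. The event format, the addresses and the fixed call-instruction length are constructed assumptions.

```python
from typing import List, Tuple

# Constructed, simplified trace events (not real Intel PT packets and not
# PT-CFI's own decoder). Each event is (kind, ip, target):
#   ("call", call_site, callee)  -> legitimate return address is call_site + CALL_LEN
#   ("ret",  ret_site, target)   -> target is where control actually transferred
#   ("syscall", ip, 0)           -> synchronization point: verify everything buffered
CALL_LEN = 5  # assumed fixed length of a direct call instruction

Event = Tuple[str, int, int]
Violation = Tuple[int, int, int]  # (event index, expected return address, actual target)


def verify_segment(events: List[Event], shadow: List[int], start: int) -> List[Violation]:
    """Replay one segment against the shadow stack: a call pushes its return
    address, a ret must pop exactly that address (expected == -1 if stack empty)."""
    violations: List[Violation] = []
    for i, (kind, ip, target) in enumerate(events, start):
        if kind == "call":
            shadow.append(ip + CALL_LEN)
        elif kind == "ret":
            expected = shadow.pop() if shadow else -1
            if expected != target:
                violations.append((i, expected, target))
    return violations


def check_trace(trace: List[Event]) -> List[Tuple[int, List[Violation]]]:
    """Buffer events and verify them only when a syscall is reached; returns one
    (syscall index, violations in the preceding segment) entry per syscall."""
    shadow: List[int] = []
    buffered: List[Event] = []
    start, results = 0, []
    for idx, ev in enumerate(trace):
        if ev[0] == "syscall":
            results.append((idx, verify_segment(buffered, shadow, start)))
            buffered, start = [], idx + 1
        else:
            buffered.append(ev)
    return results


# Constructed sample traces (addresses are made up).
BENIGN: List[Event] = [
    ("call", 0x401000, 0x401100),  # main calls f; return address 0x401005
    ("call", 0x401110, 0x401200),  # f calls g; return address 0x401115
    ("ret", 0x401230, 0x401115),   # g returns to f
    ("ret", 0x401120, 0x401005),   # f returns to main
    ("syscall", 0x401010, 0),      # check runs here: no violations
]

HIJACKED: List[Event] = [
    ("call", 0x401000, 0x401100),
    ("call", 0x401110, 0x401200),
    ("ret", 0x401230, 0x402ABC),   # corrupted return address, not on the shadow stack
    ("ret", 0x402AC0, 0x402B10),   # second mismatched return before the syscall
    ("syscall", 0x402B20, 0),      # check runs here: both violations reported
]
```

Because verification happens at the syscall boundary, a corrupted return is caught before the kernel acts on the request that follows it, which is the point of the synchronization primitive.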


Cited By

  • (2024) HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware Tracing. Proceedings of the ACM on Programming Languages 8(OOPSLA2): 1615-1640. DOI: 10.1145/3689768. Online publication date: 8-Oct-2024
  • (2024) Enforcing C/C++ Type and Scope at Runtime for Control-Flow and Data-Flow Integrity. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3: 283-300. DOI: 10.1145/3620666.3651342. Online publication date: 27-Apr-2024
  • (2024) Armor: Protecting Software Against Hardware Tracing Techniques. IEEE Transactions on Information Forensics and Security 19: 4247-4262. DOI: 10.1109/TIFS.2024.3372816. Online publication date: 2024

Published In

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy
March 2017
382 pages
ISBN: 9781450345231
DOI: 10.1145/3029806

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Intel PT
2. control flow integrity
3. return oriented programming
4. shadow stack

Funding Sources

• NSF Award
• AFOSR

Conference

CODASPY '17

Acceptance Rates

CODASPY '17 Paper Acceptance Rate: 21 of 134 submissions, 16%
Overall Acceptance Rate: 149 of 789 submissions, 19%
