Opaque Control-Flow Integrity

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Mohan, Vishwath ^a   Larsen, Per ^b   Brunthaler, Stefan ^b   Hamlen, Kevin W ^a   Franz, Michael ^b  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); DATA FLOW ANALYSIS; FLOW GRAPHS; RANDOM PROCESSES;

COARSE-GRAINED; CODE LAYOUT; CODE RANDOMIZATION; CODE REUSE; CONTROL-FLOW INTEGRITIES; FINE GRAINED; INTEGRITY CHECKING; MEMORY CODES; RANDOMISATION; RETURN-ORIENTED PROGRAMMING;

COMPUTER SOFTWARE REUSABILITY;

EID: 84959417310     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23271     Document Type: Conference Paper

References (50)

1. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti, “Control-flow integrity principles, implementations, and applications, ” ACM Trans. Information and System Security (TISSEC), vol. 13, no. 1, 2009.
2. M. Backes and S. Nürnberger, “Oxymoron: Making fine-grained memory randomization practical by allowing code sharing, ” in Proc. 23rd Usenix Security Sym., 2014, pp. 433-447.
3. M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nürnberger, and J. Pewny, “You can run but you can't read: Preventing disclosure exploits in executable code, ” in Proc. 21st ACM Conf. Computer and Communications Security (CCS), 2014, pp. 1342-1353.
4. A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, and D. Boneh, “Hacking blind, ” in Proc. 35th IEEE Sym. Security & Privacy (S&P), 2014, pp. 227-242.
5. T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang, “Jump-oriented programming: A new class of code-reuse attack, ” in Proc. 6th ACM Sym. Information, Computer and Communications Security (ASIACCS), 2011, pp. 30-40.
6. N. Carlini and D. Wagner, “ROP is still dangerous: Breaking modern defenses, ” in Proc. 23rd Usenix Security Sym., 2014, pp. 385-399.
7. Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng, “ROPecker: A generic and practical approach for defending against ROP attacks, ” in Proc. 21st Annual Network & Distributed System Security Sym. (NDSS), 2014.
8. F. Cohen, “Operating system protection through program evolution, ” Computers and Security, vol. 12, no. 6, pp. 565-584, 1993.
9. Corelan Team, “Mona, ” 2014, https://github.com/corelan/mona.
10. L. Davi, C. Liebchen, A.-R. Sadeghi, K. Z. Snow, and F. Monrose, “Isomeron: Code randomization resilient to (just-in-time) return-oriented programming, ” in Proc. 22nd Network and Distributed Systems Security Sym. (NDSS), 2015.
11. L. Davi, A.-R. Sadeghi, D. Lehmann, and F. Monrose, “Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection, ” in Proc. 23rd Usenix Security Sym., 2014, pp. 401-416.
12. J. DeMott, “Bypassing EMET 4.1, ” Bromium Labs, 2014, http://labs.bromium.com/2014/02/24/bypassing-emet-4-1.
13. C. Evans, “Exploiting 64-bit Linux like a boss, ” 2013, http://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html.
14. A. Fog, “Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs, ” 2014, http://www.agner.org/optimize/instruction_tables.pdf.
15. S. Forrest, A. Somayaji, and D. H. Ackley, “Building diverse computer systems, ” in Proc. Workshop Hot Topics in Operating Systems, 1997, pp. 67-72.
16. I. Fratrić, “Runtime prevention of return-oriented programming attacks, ” University of Zagreb, 2012, http://www.ieee.hr/_download/repository/Ivan_Fratric.pdf.
17. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum, “Enhanced operating system security through efficient and fine-grained address space randomization, ” in Proc. 21st USENIX Security Sym., 2012, pp. 475-490.
18. E. Göktaş, E. Athanasopoulos, H. Bos, and G. Portokalidis, “Out of control: Overcoming control-flow integrity, ” in Proc. 35th IEEE Sym. Security & Privacy (S&P), 2014, pp. 575-589.
19. E. Göktaş, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis, “Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard, ” in Proc. 23rd Usenix Security Sym., 2014, pp. 417-432.
20. A. Homescu, M. Stewart, P. Larsen, S. Brunthaler, and M. Franz, “Microgadgets: Size does matter in Turing-complete return-oriented programming, ” in Proc. 6th USENIX Workshop Offensive Technologies (WOOT), 2012, pp. 64-76.
21. A. Homescu, S. Brunthaler, P. Larsen, and M. Franz, “Librando: Transparent code randomization for just-in-time compilers, ” in Proc. 20th ACM Conf. Computer and Communications Security (CCS), 2013, pp. 993-1004.
22. A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz, “Profile-guided automated software diversity, ” in Proc. 11th IEEE/ACM Int. Sym. Code Generation and Optimization (CGO), 2013, pp. 1-11.
23. R. N. Horspool and N. Marovac, “An approach to the problem of detranslation of computer programs, ” The Computer J., vol. 23, no. 3, pp. 223-229, 1980.
24. Intel, “Introduction to intel memory protection extensions, ” https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions, 2013.
25. D. Jang, Z. Tatlock, and S. Lerner, “SafeDispatch: Securing C++ virtual calls from memory corruption attacks, ” in Proc. 21st Annual Network & Distributed System Security Sym. (NDSS), 2014.
26. N. Joly, “Advanced exploitation of Internet Explorer 10/Windows 8 overflow (Pwn2Own 2013), ” VUPEN Vulnerability Research Team (VRT), 2013, http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php.
27. P. Larsen, A. Homescu, S. Brunthaler, and M. Franz, “SoK: Automated software diversity, ” in Proc. 35th IEEE Sym. Security & Privacy (S&P), 2014, pp. 276-291.
28. A. Majumdar and C. Thomborson, “Securing mobile agents control flow using opaque predicates, ” in Proc. 9th Int. Conf. Knowledge-based Intelligent Information and Engineering Systems, vol. 3, 2005, pp. 1065-1071.
29. S. McCamant and G. Morrisett, “Evaluating SFI for a CISC architecture, ” in Proc. 15th USENIX Security Sym., 2006.
30. Microsoft, “Enhanced mitigation experience toolkit, ” https://www.microsoft.com/emet, 2014.
31. V. Mohan and K. W. Hamlen, “Frankenstein: Stitching malware from benign binaries, ” in Proc. 6th USENIX Workshop Offensive Technologies (WOOT), 2012, pp. 77-84.
32. B. Niu and G. Tan, “RockJIT: Securing just-in-time compilation using modular control-flow integrity, ” in Proc. 21st ACM Conf. Computer and Communications Security (CCS), 2014, pp. 1317-1328.
33. V. Pappas, M. Polychronakis, and A. D. Keromytis, “Transparent ROP exploit mitigation using indirect branch tracing, ” in Proc. 22nd USENIX Security Sym., 2013, pp. 447-462.
34. E. J. Schwartz, T. Avgerinos, and D. Brumley, “Q: Exploit hardening made easy, ” in Proc. 20th USENIX Security Sym., 2011.
35. J. Seibert, H. Okhravi, and E. Söderström, “Information leaks without memory disclosures: Remote side channel attacks on diversified code, ” in Proc. 21st ACM Conf. Computer and Communications Security (CCS), 2014, pp. 54-65.
36. F. J. Serna, “The info leak era on software exploitation, ” Black Hat USA, 2012.
37. F. J. Serna, “CVE-2012-0769, the case of the perfect info leak, ” Google Security Team, 2012, http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf.
38. H. Shacham, “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), ” in Proc. 14th ACM Conf. Computer and Communications Security (CCS), 2007, pp. 552-561.
39. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh, “On the effectiveness of address-space randomization, ” in Proc. 11th ACM Conf. Computer and Communications Security (CCS), 2004, pp. 298-307.
40. K. Z. Snow, F. Monrose, L. V. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, “Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization, ” in Proc. 34th IEEE Sym. Security & Privacy (S&P), 2013, pp. 574-588.
41. A. Sotirov, “Heap feng shui in JavaScript, ” Black Hat Europe, 2007, https://www.blackhat.com/presentations/bh-europe07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf.
42. R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Walter, “Breaking the memory secrecy assumption, ” in Proc. 2nd European Workshop System Security (EUROSEC), 2009, pp. 1-8.
43. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike, “Enforcing forward-edge control-flow integrity in GCC & LLVM, ” in Proc. 23rd USENIX Security Sym., 2014.
44. C. Wang, J. Hill, J. Knight, and J. Davidson, “Software tamper resistance: Obstructing static analysis of programs, ” University of Virginia Charlottesville, Tech. Rep., 2000.
45. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, “Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code, ” in Proc. 19th ACM Conf. Computer and Communications Security (CCS), 2012, pp. 157-168.
46. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, “Securing untrusted code via compiler-agnostic binary rewriting, ” in Proc. 28th Annual Computer Security Applications Conf. (ACSAC), 2012, pp. 299-308.
47. R. Wartell, Y. Zhou, K. W. Hamlen, and M. Kantarcioglu, “Shingled graph disassembly: Finding the undecidable path, ” in Proc. 18th Pacific-Asia Conf. Knowledge Discovery and Data Mining (PAKDD), 2014, pp. 273-285.
48. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar, “Native Client: A sandbox for portable, untrusted x86 native code, ” in Proc. 30th IEEE Sym. Security & Privacy (S&P), 2009, pp. 79-93.
49. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity and randomization for binary executables, ” in Proc. 34th IEEE Sym. Security & Privacy (S&P), 2013, pp. 559-573.
50. M. Zhang and R. Sekar, “Control flow integrity for COTS binaries, ” in Proc. 22nd USENIX Security Sym., 2013, pp. 337-352.