HCFI: Hardware-enforced control-flow integrity

CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy

Volumn , Issue , 2016, Pages 38-49

  Christoulakis, Nick ^a   Christou, George ^a   Athanasopoulos, Elias ^b   Ioannidis, Sotiris ^a  

^a INSTITUTE OF COMPUTER SCIENCE   (Greece)

^b VU UNIVERSITY AMSTERDAM   (Netherlands)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER ARCHITECTURE; DATA FLOW ANALYSIS; DATA PRIVACY; FIELD PROGRAMMABLE GATE ARRAYS (FPGA); HARDWARE; PROGRAMMABLE LOGIC CONTROLLERS; RECONFIGURABLE HARDWARE; SYSTEM-ON-CHIP;

CONTROL FLOW GRAPHS; CONTROL FLOWS; CONTROL-FLOW INTEGRITIES; FINE GRAINED; INSTRUCTION SET ARCHITECTURE; RETURN-ORIENTED PROGRAMMING; RUNTIME OVERHEADS; SECURE MEMORY;

FLOW GRAPHS;

EID: 84964896474     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2857705.2857722     Document Type: Conference Paper

References (42)

1. The SPARC Architecture Manual, Version 8. www.sparc.com/standards/V8.pdf.
2. Hardware Control Flow Integrity for an IT Ecosystem. https://github.com/iadgov/Control-Flow-Integrity/tree/master/paper, 2015.
3. Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. Control-flow integrity. In Proceedings of the 12th ACM conference on Computer and communications security (2005), ACM, pp. 340-353.
4. Andersen, S., and Abella, V. Changes to functionality in microsoft windows xp service pack 2, part 3: Memory protection technologies, Data Execution Prevention. Microsoft TechNet Library, September 2004. http://technet.microsoft.com/en-us/library/bb457155.aspx.
5. Aravind Prakash, Xunchao Hu, and Heng Yin. vfguard: Strict protection for virtual function calls in cots c++ binaries. In Symposium on Network and Distributed System Security (NDSS) (2015).
6. Athanasakis, M., Athanasopoulos, E., Polychronakis, M., Portokalidis, G., and Ioannidis, S. The devil is in the constants: Bypassing defenses in browser jit engines. In NDSS (2015), The Internet Society.
7. Bletsch, T., Jiang, X., Freeh, V. W., and Liang, Z. Jump-oriented programming: a new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (2011), ACM, pp. 30-40.
8. Budiu, M., Erlingsson, U., and Abadi, M. Architectural support for software-based protection. In Proceedings of the 1st workshop on Architectural and system support for improving software dependability (2006), ACM, pp. 42-51.
9. Burkardt, J., Puglielli, P., and Center, P. S. Matmul: An interactive matrix multiplication benchmark. degrees from BITS, Pilani. He is a Fellow of the Institution of Engineers (India), Fellow of National Academy of Engineering (FNAE), Fellow of National Academy of Sciences (FNASc), Life Member ISTE(LMISTE). Professor Kothari has published/presented 640 (1995).
10. Carlini, N., Barresi, A., Payer, M., Wagner, D., and Gross, T. R. Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium (USENIX Security 15) (Washington, D.C., Aug. 2015), USENIX Association, pp. 161-176.
11. Carlini, N., and Wagner, D. Rop is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, Aug. 2014), USENIX Association, pp. 385-399.
12. Chao Zhang, Chengyu Songz, Kevin Zhijie Chen, Zhaofeng Cheny, and Dawn Song. Vtint: Protecting virtual function tables' integrity. In Symposium on Network and Distributed System Security (NDSS) (2015).
13. Cheng, Y., Zhou, Z., Yu, M., Ding, X., and Deng, R. H. Ropecker: A generic and practical approach for defending against ROP attacks. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2013 (2014).
14. Dang, T. H., Maniatis, P., and Wagner, D. The performance cost of shadow stacks and stack canaries. In ACM Symposium on Information, Computer and Communications Security, ASIACCS (2015), Vol. 15.
15. Davi, L., Hanreich, M., Paul, D., Sadeghi, A.-R., Koeberl, P., Sullivan, D., Arias, O., and Jin, Y. Hafix: hardware-assisted flow integrity extension. In Proceedings of the 52nd Annual Design Automation Conference (2015), ACM, p. 74.
16. Davi, L., Sadeghi, A.-R., Lehmann, D., and Monrose, F. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, Aug. 2014), USENIX Association, pp. 401-416.
17. EEMBC. Coremark Benchmark. https://www.eembc.org/coremark/.
18. Gaisler Research. Leon3 synthesizable processor. http://www.gaisler.com.
19. Gawlik, R., and Holz, T. Towards automated integrity protection of c++ virtual function tables in binary programs. In Proceedings of the 30th Annual Computer Security Applications Conference (New York, NY, USA, 2014), ACSAC '14, ACM, pp. 396-405.
20. Göktaş, E., Athanasopoulos, E., Bos, H., and Portokalidis, G. Out of control: Overcoming control-flow integrity. In Security and Privacy (SP), 2014 IEEE Symposium on (2014), IEEE, pp. 575-589.
21. Göktaş, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, Aug. 2014), USENIX Association, pp. 417-432.
22. Göktaş, E., Athanasopoulos, E., Portokalidis, G., and Bos, H. Shrinkwrap: Vtable protection without loose ends. In ACSAC (2015), ACM, pp. 341-350.
23. Hiser, J., Nguyen-Tuong, A., Co, M., Hall, M., and Davidson, J. W. Ilr: Where'd my gadgets go? In Proceedings of the 2012 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2012), SP '12, IEEE Computer Society, pp. 571-585.
24. Jang, D., Tatlock, Z., and Lerner, S. Safedispatch: Securing c++ virtual calls from memory corruption attacks. In Symposium on Network and Distributed System Security (NDSS) (2014).
25. Kayaalp, M., Ozsoy, M., Abu-Ghazaleh, N., and Ponomarev, D. Branch regulation: Low-overhead protection from code reuse attacks. In Computer Architecture (ISCA), 2012 39th Annual International Symposium on (2012), IEEE, pp. 94-105.
26. One, A. Smashing the stack for fun and profit. Phrack magazine 7, 49 (1996), 365.
27. özdoganoglu, H., Vijaykumar, T., Brodley, C. E., Kuperman, B., Jalote, A., et al. Smashguard: A hardware solution to prevent security attacks on the function return address. Computers, IEEE Transactions on 55, 10 (2006), 1271-1285.
28. Pappas, V., Polychronakis, M., and Keromytis, A. D. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2012), SP '12, IEEE Computer Society, pp. 601-615.
29. Pappas, V., Polychronakis, M., and Keromytis, A. D. Transparent rop exploit mitigation using indirect branch tracing. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13) (Washington, D.C., 2013), USENIX, pp. 447-462.
30. PaX Team. Address Space Layout Randomization (ASLR), 2003. http://pax.grsecurity.net/docs/aslr.txt.
31. Roemer, R., Buchanan, E., Shacham, H., and Savage, S. Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC) 15, 1 (2012), 2.
32. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., and Holz, T. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in c++ applications. In 36th IEEE Symposium on Security and Privacy (Oakland) (May 2015).
33. Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., and Holz, T. Evaluating the effectiveness of current anti-rop defenses. In Research in Attacks, Intrusions and Defenses - 17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings (2014), pp. 88-108.
34. Snow, K. Z., Davi, L., Dmitrienko, A., Liebchen, C., Monrose, F., and Sadeghi, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Proceedings of the 34th IEEE Symposium on Security and Privacy (May 2013).
35. Standard Performance Evaluation Corporation (SPEC). SPEC CINT2000 Benchmarks. http://www.spec.org/cpu2000/CINT2000.
36. Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, U., Lozano, L., and Pike, G. Enforcing forward-edge control-flow integrity in gcc and llvm. In Proceedings of the 23rd USENIX Conference on Security Symposium (Berkeley, CA, USA, 2014), SEC'14, USENIX Association, pp. 941-955.
37. Wartell, R., Mohan, V., Hamlen, K. W., and Lin, Z. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (New York, NY, USA, 2012), CCS '12, ACM, pp. 157-168.
38. Weicker, R. P. Dhrystone: a synthetic systems programming benchmark. Communications of the ACM 27, 10 (1984), 1013-1030.
39. Xilinx. ISE Simulator (ISim). http://www.xilinx.com/tools/isim.htm.
40. Xilinx. Xilinx Virtex 6 ml605 rev-e Evaluation Board. http://www.xilinx.com/support/documentation/boardsandkits/ug534.pdf, 2012.
41. Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., and Zou, W. Practical control flow integrity and randomization for binary executables. In Security and Privacy (SP), 2013 IEEE Symposium on (2013), IEEE, pp. 559-573.
42. Zhang, M., and Sekar, R. Control flow integrity for COTS binaries. In Usenix Security (2013), pp. 337-352.