Control-flow integrity: Precision, security, and performance

ACM Computing Surveys

Volumn 50, Issue 1, 2017, Pages

  Burow, Nathan ^a   Carr, Scott A ^a   Nash, Joseph ^b   Larsen, Per ^b   Franz, Michael ^b   Brunthaler, Stefan ^c,d   Payer, Mathias ^a  

^a PURDUE UNIVERSITY   (United States)

^b Irvine   (United States)

^c UNIVERSITY OF PADERBORN   (Germany)

^d SBA RESEARCH   (Austria)

Author keywords

Control flow hijacking; Control flow integrity; Return oriented programming; Shadow stack

Indexed keywords

CRIME; EQUIVALENCE CLASSES; OPEN SOURCE SOFTWARE; PROGRAM COMPILERS;

CONTROL FLOWS; CONTROL-FLOW INTEGRITIES; EMPIRICAL EVALUATIONS; FORWARD-AND-BACKWARD; QUANTITATIVE SECURITY EVALUATION; RETURN-ORIENTED PROGRAMMING; SECURITY VULNERABILITIES; SHADOW STACK;

C (PROGRAMMING LANGUAGE);

EID: 85017104712     PISSN: 03600300     EISSN: 15577341     Source Type: Journal    
DOI: 10.1145/3054924     Document Type: Article

References (87)

1. Martin Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005a. Control-flow integrity: Principles, implementations, and applications. In ACM Conference on Computer and Communications Security (CCS'05).
2. Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005b. A theory of secure control flow. In Proceedings of the 7th International Conference on Formal Methods and Software Engineering (ICFEM'05).
3. Orlando Arias, Lucas Davi, Matthias Hanreich, Yier Jin, Patrick Koeberl, Debayan Paul, Ahmad-Reza Sadeghi, and Dean Sullivan. 2015. HAFIX: Hardware-assisted flow integrity extension. In Annual Design Automation Conference (DAC'15).
4. John Aycock. 2003. A brief history of just-in-time. Computing Surveys 35, 2, 97-113.
5. David F. Bacon and Peter F. Sweeney. 1996. Fast static analysis of C++ virtual function calls. ACM SIGPLAN Notices 31, 10, 324-341.
6. James R. Bell. 1973. Threaded code. Communications of the ACM 16, 6, 370-372.
7. Tyler Bletsch, Xuxian Jiang, and Vince Freeh. 2011. Mitigating code-reuse attacks with control-flow locking. In Annual Computer Security Applications Conference (ACSAC'11). New York, NY.
8. Dimitar Bounov, Rami Kici, and Sorin Lerner. 2016. Protecting C++ dynamic dispatch through vtable interleaving. In Symposium on Network and Distributed System Security (NDSS'16).
9. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium, USENIX Security 15. Washington, D.C., August 12-14, 2015.
10. Nicholas Carlini and David Wagner. 2014. ROP is still dangerous: Breaking modern defenses. In USENIX Security Symposium.
11. Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. 2010. Return-oriented programming without returns. In ACM Conference on Computer and Communications Security (CCS).
12. Yueqiang Cheng, Zongwei Zhou, Yu Miao, Xuhua Ding, and Robert Huijie Deng. 2014. ROPecker: A generic and practical approach for defending against ROP attacks. In Symposium on Network and Distributed System Security (NDSS'14).
13. Nick Christoulakis, George Christou, Elias Athanasopoulos, and Sotiris Ioannidis. 2016. HCFI: Hardware-enforced control-flow integrity. In CODASPY'16.
14. Peter Collingbourne. 2015. LLVM - Control Flow Integrity. (2015). Retrieved March 1, 2017 from http://clang.llvm.org/docs/ControlFlowIntegrity.html.
15. Mauro Conti, Stephen Crane, Lucas Davi, Michael Franz, Per Larsen, Christopher Liebchen, Marco Negro, Mohaned Qunaibit, and Ahmad-Reza Sadeghi. 2015. Losing control: On the effectiveness of control-flow integrity under stack attacks. In ACM Conference on Computer and Communications Security (CCS'15).
16. John Criswell, Nathan Dautenhahn, and Vikram Adve. 2014a. KCoFI: Complete control-flow integrity for commodity operating system kernels. In 2014 IEEE Symposium on Security and Privacy.
17. John Criswell, Nathan Dautenhahn, and Vikram Adve. 2014b. KCoFI: Complete control-flow integrity for commodity operating system kernels. In IEEE Symposium on Security and Privacy (S&P).
18. Thurston H. Y. Dang, Petros Maniatis, and David Wagner. 2015. The performance cost of shadow stacks and stack canaries. In ACM Symposium on Information, Computer and Communications Security (ASI-ACCS'15).
19. Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger, and Ahmad-Reza Sadeghi. 2012. MoCFI: A framework to mitigate control-flow attacks on smartphones. In Symposium on Network and Distributed System Security (NDSS'12).
20. Lucas Davi, Patrick Koeberl, and Ahmad-Reza Sadeghi. 2014a. Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation. In Annual Design Automation Conference (DAC'14).
21. Lucas Davi, Daniel Lehmann, Ahmad-Reza Sadeghi, and Fabian Monrose. 2014b. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security Symposium.
22. Jeffrey Dean, David Grove, and Craig Chambers. 1995. Optimization of object-oriented programs using static class hierarchy analysis. In European Conference on Object-Oriented Programming (ECOOP'95).
23. Eddy H. Debaere and Jan M. van Campenhout. 1990. Interpretation and Instruction Path Coprocessing. MIT Press, Cambridge, MA.
24. Isaac Evans, Samuel Fingeret, Julian Gonzalez, Ulziibayar Otgonbaatar, Tiffany Tang, Howard Shrobe, Stelios Sidiroglou-Douskos, Martin Rinard, and Hamed Okhravi. 2015a. Missing the point: On the effectiveness of code pointer integrity. In IEEE Symposium on Security and Privacy (S&P'15).
25. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015b. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.
26. Francisco Falcon. 2015. Exploiting Adobe Flash Player in the era of Control Flow Guard. BlackHat EU'15. Retrieved March 1, 2017 from https://www.blackhat.com/docs/eu-15/materials/eu-15-Falcon-Exploiting-Adobe-Flash-Player-In-The-Era-Of-Control-Flow-Guard.pdf.
27. Ivan Fratric. 2012. ROPGuard: Runtime Prevention of Return-Oriented Programming Attacks. Retrieved March 1, 2017 from http://www.ieee.hr/-download/repository/Ivan-Fratric.pdf. (2012).
28. Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. 2016. Fine-grained control-flow integrity for kernel software. In IEEE European Symposium on Security and Privacy.
29. Enes Göktas, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out of control: Overcoming control-flow integrity. In IEEE Symposium on Security and Privacy (S&P'14).
30. David Grove and Craig Chambers. 2001. A framework for call graph construction algorithms. ACM Transactions on Programming Languages and Systems 23, 6, 685-746.
31. Brian Hackett and Alex Aiken. 2006. How is aliasing used in systems software? Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 69-80.
32. Ben Hardekopf and Calvin Lin. 2007. The ant and the grasshopper. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'07), Vol. 42. ACM Press, New York, NY, 290. DOI:http://dx.doi.org/10.1145/1250734.1250767
33. Ben Hardekopf and Calvin Lin. 2011. Flow-sensitive pointer analysis for millions of lines of code. In International Symposium on Code Generation and Optimization (CGO'11). IEEE, 289-298. DOI:http://dx.doi.org/10.1109/CGO.2011.5764696
34. Michael Hind. 2001. Pointer analysis. In Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE'01). ACM Press, New York, NY, 54-61. DOI:http://dx.doi.org/10.1145/379605.379665
35. Michael Hind and Anthony Pioli. 2000. Which pointer analysis should I use? ACM SIGSOFT Software Engineering Notes 25, 5, 113-123.
36. Urs Hölzle and David Ungar. 1994. Optimizing dynamically-dispatched calls with run-time type feedback. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'94).
37. Intel Inc. 2013. Intel 64 and IA-32 Architectures. Software Developer's Manual.
38. Dongseok Jang, Zachary Tatlock, and Sorin Lerner. 2014. SAFEDISPATCH: Securing C++ virtual calls from memory corruption attacks. In Symposium on Network and Distributed System Security (NDSS'14).
39. Vladimir Kiriansky. 2013. Secure Execution Environment via Program Shepherding. Master's thesis. Massachusetts Institute of Technology, Cambridge, MA.
40. Vladimir Kiriansky, Derek Bruening, and Saman Amarasinghe. 2002. Secure execution via program shepherding. In USENIX Security Symposium.
41. Peter M. Kogge. 1982. An architectural trail to threaded-code systems. Computer 15, 3, 22-32. DOI:http://dx.doi.org/10.1109/MC.1982.1653970
42. Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. 2014. SoK: Automated software diversity. In IEEE Symposium on Security and Privacy (S&P'14).
43. O. Lhoták and Laurie Hendren. 2006. Context-sensitive points-to analysis: Is it worth it? Compiler Construction 47-64.
44. Ali José Mashtizadeh, Andrea Bittau, Dan Boneh, and David Mazières. 2015. CCFI: Cryptographically enforced control flow integrity. In ACM Conference on Computer and Communications Security (CCS'15).
45. Bill McCarty. 2004. SELinux: NSA's Open Source Security Enhanced Linux. O'Reilly Media, Inc., Sebastopol, CA.
46. Microsoft. 2006. Data Execution Prevention (DEP). Retrieved March 1, 2017 from http://support.microsoft.com/kb/875352/EN-US/.
47. Microsoft. 2015a. Visual Studio 2015 - Compiler Options - Enable Control Flow Guard. Retrieved March 1, 2017 from https://msdn.microsoft.com/en-us/library/dn919635.aspx.
48. Microsoft. 2015b. SetProcessValidCallTargets function. Retrieved March 1, 2017 from https://msdn.microsoft.com/en-us/enus/library/windows/desktop/dn934202(v=vs.85).aspx. (2015).
49. Ana Milanova, Atanas Rountev, and Barbara G. Ryder. 2002. Parameterized object sensitivity for points-to and side-effect analyses for java. ACM SIGSOFT Software Engineering Notes 27, 4 (2002), 1.
50. Markus Mock, Manuvir Das, Craig Chambers, and Susan J. Eggers. 2001. Dynamic points-to sets. In ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE'01).
51. Vishwath Mohan, Per Larsen, Stefan Brunthaler, Kevin Hamlen, and Michael Franz. 2015. Opaque control-flow integrity. In Symposium on Network and Distributed System Security (NDSS'15).
52. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly compatible and complete spatial memory safety for C. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'09).
53. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2010. CETS: Compiler enforced temporal safety for C. In ISMM'10.
54. Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer, Berlin. DOI:http://dx.doi.org/10.1007/978-3-662-03811-6
55. Flemming Nielson, Hanne R. Nielson, and Chris Hankin. 2009. Principles of Program Analysis. Springer, New York, NY.
56. Ben Niu and Gang Tan. 2014a. Modular control-flow integrity. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'14).
57. Ben Niu and Gang Tan. 2014b. RockJIT: Securing just-in-time compilation using modular control-flow integrity. In ACM Conference on Computer and Communications Security (CCS'14).
58. Ben Niu and Gang Tan. 2015a. MCFI readme. Retrieved March 1, 2017 from https://github.com/mcfi/MCFI/blob/master/README.md.
59. Ben Niu and Gang Tan. 2015b. Per-input control-flow integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Denver, CO, October 12-6, 2015.
60. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. 2013. Transparent ROP exploit mitigation using indirect branch tracing. In USENIX Security Symposium.
61. Baiju Patel. 2016. Intel releases new technology specifications to protect against ROP attacks. Retrieved March 1, 2017 from http://blogs.intel.com/evangelists/2016/06/09/intel-release-new-technology-specifications-protect-rop-attacks/.
62. PaX-Team. 2003a. PaX ASLR (Address Space Layout Randomization). Retrieved March 1, 2017 from http://pax.grsecurity.net/docs/aslr.txt.
63. PaX-Team. 2003b. PaX Future. Retrieved March 1, 2017 from https://pax.grsecurity.net/docs/pax-future.txt.
64. Mathias Payer, Antonio Barresi, and Thomas R. Gross. 2015. Fine-grained control-flow integrity through binary hardening. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'15). Milan, Italy, July 9-10, 2015.
65. Jannik Pewny and Thorsten Holz. 2013. Control-flow restrictor: Compiler-based CFI for iOS. In Annual Computer Security Applications Conference (ACSAC'13).
66. Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. 2012. Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information System Security 15.
67. Erven Rohou, Bharath Narasimha Swamy, and André Seznec. 2015. Branch prediction and the performance of interpreters: Don't trust folklore. In IEEE/ACM International Symposium on Code Generation and Optimization (CGO'15).
68. Atanas Rountev, Scott Kagan, and Michael Gibas. 2004. Evaluating the imprecision of static analysis. In Proceedings of the ACM-SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE'04). ACM Press, New York, NY, 14. DOI:http://dx.doi.org/10.1145/996821.996829
69. Andrei Sabelfeld and A. C. Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21, 1, 5-19. DOI:http://dx.doi.org/10.1109/JSAC.2002.806121
70. Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications. In IEEE Symposium on Security and Privacy (S&P'15).
71. Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS'07.
72. Micha Sharir and Amir Pnueli. 1981. Two approaches to interprocedural data flow analysis. In Program Flow Analysis, Steven S. Muchnick and Neil D. Jones (Eds.). Prentice Hall, Upper Saddle River, NJ.
73. Yannis Smaragdakis and George Balatsouras. 2015. Pointer analysis. Foundations and Trends in Programming Languages 2, 1, 1-69. DOI:http://dx.doi.org/10.1561/2500000014
74. Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. 2011. Pick your contexts well. ACM SIGPLAN Notices 46, 1, 17.
75. Dean Sullivan, Orlando Arias, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, and Yier Jin. 2016. Strategy without tactics: Policy-agnostic hardware-enhanced control-flow integrity. In Annual Design Automation Conference (DAC'16).
76. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal war in memory. In IEEE Symposium on Security and Privacy (S&P'13).
77. Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing forward-edge control-flow integrity in GCC & LLVM. In USENIX Security Symposium.
78. Frank Tip and Jens Palsberg. 2000. Scalable propagation-based call graph construction algorithms. ACM SIGPLAN Notices 35, 10, 281-293.
79. Arjan van de Ven and Ingo Molnar. 2004. Exec Shield. Retrieved March 1, 2017 from https://www.redhat.com/f/pdf/rhel/WHP0006US-Execshield.pdf. (2004).
80. Victor van der Veen, Dennis Andriesse, Enes Göktaş, Ben Gras, Lionel Sambuc, Asia Slowinska, Herbert Bos, and Cristiano Giuffrida. 2015. PathArmor: Practical ROP protection using context-sensitive CFI. In ACM Conference on Computer and Communications Security (CCS'15).
81. Zhi Wang and Xuxian Jiang. 2010. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In IEEE S&P'10.
82. David Weston and Matt Miller. 2016. Windows 10 Mitigation Improvements. BlackHat'16. Retrieved March 1, 2017 from https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf.
83. Yubin Xia, Yutao Liu, Haibo Chen, and Binyu Zang. 2012. CFIMon: Detecting violation of control flow integrity using performance counters. In IEEE/IFIP Conference on Dependable Systems and Networks (DSN'12).
84. Pinghai Yuan, Qingkai Zeng, and Xuhua Ding. 2015. Hardware-assisted fine-grained code-reuse attack detection. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID'15).
85. Chao Zhang, Chengyu Song, Kevin Zhijie Chen, Zhaofeng Chen, and Dawn Song. 2015. VTint: Defending virtual function tables' integrity. In Symposium on Network and Distributed System Security (NDSS'15).
86. Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. 2013. Practical control flow integrity & randomization for binary executables. In IEEE Symposium on Security and Privacy (S&P'13).
87. Mingwei Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In USENIX Security Symposium.