Controlling your control flow graph

Abstract

Code Reuse Attacks (CRAs) are software exploits in which an attacker directs program control flow through existing code without injecting malicious code to achieve his objective. In this paper, we propose Dynamic Sequence Checker (DSC), a framework to verify the validity of control flow between basic blocks in the program. Unique codes are assigned to every basic block in the program at compile time in such a way that the Hamming distance between two legally connected basic blocks is a known constant. At runtime, Hamming distance between the codes assigned to the source and destination basic blocks are calculated and compared against the known constant, to verify the control flow. Execution is aborted if the Hamming distance comparison does not match. We implemented DSC on a cycle-accurate x86 simulator. DSC has been able to detect all the CRA gadgets reported by the ROPGadget tool. The average performance overhead is 4.7% over a baseline processor.