Title: Static-Dynamic Control Flow Integrity
Authors: Xiaolong Liu, Qiang Wei, Ziwei Ye
Venue: 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing
Publication date: 2014-11-08
DOI: 10.1109/3PGCIC.2014.58 (https://doi.org/10.1109/3PGCIC.2014.58)
Citations: 2
Abstract
CCFIR (Compact Control Flow Integrity and Randomization) has low performance overhead as an exploit mitigation, but it cannot easily mitigate exploits that hijack virtual function pointers, which have become common in recent years. Because of the polymorphism of virtual functions, CCFIR cannot determine a unique springboard stub for such calls. We propose a new practical protection method named SDCFI (Static-Dynamic Control Flow Integrity), whose goal is to protect virtual function pointers from hijacking. Taking advantage of the static analysis results of IDA and of PIN dynamic instrumentation, SDCFI improves the accuracy of the disassembly and identifies indirect call target addresses at runtime. We observe that there are always two 0x90 bytes for alignment in the gap between two functions, which can be substituted by a two-byte checkmark. Using the checkmark, SDCFI can validate a target more simply and faster than traditional CFI. Based on these approaches, SDCFI can prevent control-flow hijacking attacks including ROP, because stack-pivot gadgets cannot pass the validation. We evaluate our prototype implementation for the Internet Explorer 8 browser on Windows XP, which has faced serious security threats since April 8, 2014. SDCFI protects most indirect call instructions in mshtml.dll, with a low average runtime overhead of 1.48%. Experiments on real-world exploits for the IE8 browser also show that SDCFI can effectively mitigate exploits that hijack virtual function pointers.
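The checkmark scheme described in the abstract, as an added toy model that is not the paper's code: function bodies are laid out with the two 0x90 alignment bytes before each entry, the padding in front of every legitimate indirect-call target is rewritten to a two-byte checkmark, and an instrumented call site accepts a target only if the two bytes preceding it carry that checkmark. The checkmark value, the x86 byte sequences and the function names are constructed for this example; the paper does not state them. The set of allowed targets that IDA static analysis and PIN runtime observation would produce is simply passed in by the caller.

```python
from typing import Dict, Iterable, List, Tuple

# Two-byte alignment padding the paper observes in the gap between functions.
NOP_PAD = b"\x90\x90"
# Two-byte checkmark that replaces the padding before a legitimate indirect-call
# target. This value is a constructed placeholder; the paper does not give its bytes.
CHECKMARK = b"\x0f\x0b"


def build_image(functions: Iterable[Tuple[str, bytes]]) -> Tuple[bytearray, Dict[str, int]]:
    """Lay out function bodies with NOP_PAD before each entry (a constructed
    stand-in for a compiled code section). Returns the image and entry offsets."""
    image = bytearray()
    entries: Dict[str, int] = {}
    for name, body in functions:
        image += NOP_PAD
        entries[name] = len(image)
        image += body
    return image, entries


def mark_targets(image: bytearray, entries: Dict[str, int], targets: Iterable[str]) -> int:
    """Rewrite the padding before each allowed target with the checkmark.
    In the paper the target set comes from IDA plus PIN; here the caller supplies it.
    Returns the number of entries marked."""
    marked = 0
    for name in targets:
        start = entries[name]
        if image[start - 2:start] != NOP_PAD:
            # The padding assumption does not hold for this function: refuse rather
            # than overwrite the last instruction bytes of the preceding function.
            raise ValueError(f"no alignment padding before {name!r}")
        image[start - 2:start] = CHECKMARK
        marked += 1
    return marked


def validate_indirect_call(image: bytes, target: int) -> bool:
    """The check an instrumented call site runs on its computed target:
    the two bytes immediately before the target must be the checkmark."""
    if target < 2 or target > len(image):
        return False
    return bytes(image[target - 2:target]) == CHECKMARK


def demo() -> Dict[str, bool]:
    """Constructed scenario: a virtual method that is a legitimate vtable target,
    a helper that is never called indirectly, and a stack-pivot style gadget that
    lies inside a function body rather than at a function entry."""
    functions: List[Tuple[str, bytes]] = [
        ("Element::Release", b"\x55\x8b\xec\x5d\xc3"),      # push ebp; mov ebp,esp; pop ebp; ret
        ("helper",           b"\x33\xc0\xc3"),              # xor eax,eax; ret
        ("Element::Click",   b"\x55\x8b\xec\x94\x5d\xc3"),  # ...; xchg eax,esp; pop ebp; ret
    ]
    image, entries = build_image(functions)
    mark_targets(image, entries, ["Element::Release", "Element::Click"])
    gadget = entries["Element::Click"] + 3  # offset of the 'xchg eax,esp' byte (0x94)
    return {
        "vtable_target":   validate_indirect_call(image, entries["Element::Release"]),
        "unmarked_helper": validate_indirect_call(image, entries["helper"]),
        "pivot_gadget":    validate_indirect_call(image, gadget),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check is a single two-byte compare per indirect call, which is where the low overhead reported in the abstract comes from. Two caveats the model makes visible: `mark_targets` refuses functions that are not preceded by the expected padding, since the scheme depends on that gap existing, and a function body that happens to contain the checkmark bytes at the right place would be accepted as a target, so the marker value must be chosen with the real code's byte distribution in mind.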