Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

Get BibTex-formatted data

Author

Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross

Entry type

inproceedings

Abstract

Control-Flow Integrity (CFI) is a defense which prevents control-flow hijacking attacks. While recent research has shown that coarse-grained CFI does not stop attacks, fine-grained CFI is believed to be secure. We argue that assessing the effectiveness of practical CFI implementations is non-trivial and that common evaluation metrics fail to do so. We then evaluate fully-precise static CFI --- the most restrictive CFI policy that does not break functionality --- and reveal limitations in its security. Using a generalization of non-control-data attacks which we call Control-Flow Bending (CFB), we show how an attacker can leverage a memory corruption vulnerability to achieve Turing-complete computation on memory using just calls to the standard library. We use this attack technique to evaluate fully-precise static CFI on six real binaries and show that in five out of six cases, powerful attacks are still possible. Our results suggest that CFI may not be a reliable defense against memory corruption vulnerabilities. We further evaluate shadow stacks in combination with CFI and find that their presence for security is necessary: deploying shadow stacks removes arbitrary code execution capabilities of attackers in three of six cases.

Date

2015 – 8 – 12

URL

http://nebelwelt.net/publications/15SEC/

Booktitle

SEC'15: 24th Usenix Security Symposium

Key alpha

carlini

Publication Date

2015-08-12

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Inproceedings{ carlini,
	title = "Control-Flow Bending: On the Effectiveness of Control-Flow Integrity",
	author = "Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross",
	year = "2015",
	month = "8",
	booktitle = "SEC'15: 24th Usenix Security Symposium",
	day = "12",
	abstract = "Control-Flow Integrity (CFI) is a defense which prevents control-flow hijacking attacks. While recent research has shown that coarse-grained CFI does not stop attacks, fine-grained CFI is believed to be secure.

We argue that assessing the effectiveness of practical CFI implementations is non-trivial and that common evaluation metrics fail to do so. We then evaluate fully-precise static CFI --- the most restrictive CFI policy that does not break functionality --- and reveal limitations in its security. Using a generalization of non-control-data attacks which we call Control-Flow Bending (CFB), we show how an attacker can leverage a memory corruption vulnerability to achieve Turing-complete computation on memory using just calls to the standard library. We use this attack technique to evaluate fully-precise static CFI on six real binaries and show that in five out of six cases, powerful attacks are still possible. Our results suggest that CFI may not be a reliable defense against memory corruption vulnerabilities.

We further evaluate shadow stacks in combination with CFI and find that their presence for security is necessary: deploying shadow stacks removes arbitrary code execution capabilities of attackers in three of six cases.",
	url = "http://nebelwelt.net/publications/15SEC/",
}