2018 Symposium Posters

HexCFI: Fully Context Sensitive Control-Flow Integrity

Primary Investigator:
Mathias Payer

Project Members:
Nathan Burow

Abstract
Despite deployed defenses such as DEP, stack canaries, and ASLR, attackers are still able to use control-flow hijacks to gain control of systems. Control-flow hijacks overwrite code pointers, e.g., return addresses, function pointers, and virtual table pointers, to gain control over applications. Control-Flow Integrity (CFI) is a new defense policy that attempts to mitigate control-flow hijack attacks and is being deployed in practice, e.g., Chrome and Edge are shipped with CFI. CFI protects indirect function calls, i.e., calls through a function pointer or virtual calls, by statically computing a set of allowed targets. The allowed target set is based on an analysis of the control-flow graph of the program and, due to the limitations of static analysis (alias analysis), is fundamentally over-approximated. The more over-approximate the target sets are, the easier it is for attackers to use techniques like control-flow bending to bypass CFI. We present a novel technique, called HexCFI, that does not rely on static analysis to compute the target sets and thus is not over-approximate. Instead of statically computing the target sets, HexCFI instruments the program to record the targets of each indirect callsite. The program is then run under benign input from, e.g., developer test suites. The program is then recompiled, and the observed target sets for each indirect callsite are used by the enforcement mechanism. Our target sets are thus the minimal possible size while still allowing correct execution of the program.
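The two-phase scheme the abstract describes (instrument indirect callsites, record the targets each one reaches under benign input, then enforce exactly those per-callsite sets) can be sketched in a few dozen lines of C. The code below is an added illustration written for this page, not HexCFI's own instrumentation or data structures: the `guarded_call` wrapper stands in for what a compiler pass would emit at every indirect call, the `target_set` arrays, site numbering, handler functions and "benign inputs" are all constructed for the example, and the enforcement path returns an error code where a real deployment would abort. It shows why the observed sets are smaller than a static policy's: three handlers share one signature, so a policy that cannot distinguish them would allow all three at both callsites, while the profiling run records only two targets at site 0 and one at site 1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not HexCFI's code): a miniature two-phase, per-callsite CFI.
 * Phase 1 records which targets each indirect callsite actually reaches under
 * benign input; phase 2 enforces exactly those recorded sets. All names, sizes
 * and the sample program below are constructed for illustration. */

typedef int (*handler_fn)(int);

#define NUM_SITES   2
#define MAX_TARGETS 8

typedef struct {
    handler_fn targets[MAX_TARGETS];
    size_t     count;
} target_set;

static target_set site_sets[NUM_SITES];   /* one observed target set per callsite */
static bool       recording  = true;      /* true: profiling run, false: enforcement */
static int        violations = 0;         /* calls rejected during enforcement */

static bool set_contains(const target_set *s, handler_fn fn) {
    for (size_t i = 0; i < s->count; i++)
        if (s->targets[i] == fn) return true;
    return false;
}

static void set_add(target_set *s, handler_fn fn) {
    if (!set_contains(s, fn) && s->count < MAX_TARGETS)
        s->targets[s->count++] = fn;
}

/* The instrumented indirect call. A compiler pass would emit this in place of
 * every `fn(arg)` whose callee is a function pointer; `site` identifies the
 * callsite so each one gets its own target set. */
static int guarded_call(int site, handler_fn fn, int arg) {
    if (recording) {
        set_add(&site_sets[site], fn);        /* phase 1: observe the target */
    } else if (!set_contains(&site_sets[site], fn)) {
        violations++;                         /* phase 2: target never observed here */
        return -1;                            /* a real deployment would abort */
    }
    return fn(arg);
}

/* Three handlers with the same signature. A static policy that cannot tell
 * them apart (assumed here for contrast) would allow all three everywhere. */
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }
static int square(int x)    { return x * x; }

static const handler_fn table[] = { double_it, negate, square };

/* Callsite 0: under benign input only ever selects handler 0 or 1. */
static int arith_site(int choice, int arg) {
    return guarded_call(0, table[choice], arg);
}

/* Callsite 1: under benign input only ever selects handler 2. */
static int square_site(int choice, int arg) {
    return guarded_call(1, table[choice], arg);
}

/* Phase 1: run the program under constructed "test suite" input and record
 * targets. Returns the total number of distinct targets observed. */
static size_t run_training(void) {
    recording = true;
    for (int s = 0; s < NUM_SITES; s++) site_sets[s].count = 0;
    const int benign_choices[] = { 0, 1, 0 };   /* constructed benign inputs */
    for (size_t i = 0; i < 3; i++) {
        arith_site(benign_choices[i], 5);
        square_site(2, 5);
    }
    size_t total = 0;
    for (int s = 0; s < NUM_SITES; s++) total += site_sets[s].count;
    return total;
}

/* Phase 2: replay the benign inputs (all allowed) plus one input that makes
 * callsite 0 reach `square`, which it never reached during training.
 * Returns the number of rejected calls. */
static int run_enforcement(void) {
    recording  = false;
    violations = 0;
    arith_site(0, 5);    /* observed at site 0: allowed */
    arith_site(1, 5);    /* observed at site 0: allowed */
    square_site(2, 5);   /* observed at site 1: allowed */
    arith_site(2, 5);    /* never observed at site 0: rejected */
    return violations;
}

static size_t site_set_size(int site) { return site_sets[site].count; }

int main(void) {
    printf("distinct targets recorded: %zu\n", run_training());
    printf("site 0 set size: %zu, site 1 set size: %zu\n",
           site_set_size(0), site_set_size(1));
    printf("enforcement violations: %d\n", run_enforcement());
    return 0;
}
```

The point the example makes is the one the abstract relies on: the recorded sets are only as large as the benign runs require, so coverage of the profiling input decides both how tight the policy is and whether a legitimate-but-unexercised target will later be rejected at runtime.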