TY - GEN
T1 - Practical control flow integrity and randomization for binary executables
AU - Zhang, Chao
AU - Wei, Tao
AU - Chen, Zhaofeng
AU - Duan, Lei
AU - Szekeres, László
AU - McCamant, Stephen
AU - Song, Dawn
AU - Zou, Wei
PY - 2013
Y1 - 2013
N2 - Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.
AB - Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.
UR - http://www.scopus.com/inward/record.url?scp=84881218812&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84881218812&partnerID=8YFLogxK
U2 - 10.1109/SP.2013.44
DO - 10.1109/SP.2013.44
M3 - Conference contribution
AN - SCOPUS:84881218812
SN - 9780769549774
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 559
EP - 573
BT - Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013
T2 - 34th IEEE Symposium on Security and Privacy, SP 2013
Y2 - 19 May 2013 through 22 May 2013
ER -
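The abstract above describes the core CCFIR idea: gather every legal indirect-transfer target into one dedicated, aligned "Springboard section" and let an indirect call or return proceed only if its target lies inside that section, so the check reduces to a range test plus an alignment mask instead of a per-target set lookup. The following C program is an added illustration of that policy and is not code from the CCFIR paper or its prototype. It simplifies freely: the springboard is modelled as an aligned table of entries rather than a section of code stubs, the 16-byte entry alignment is an assumption of this model (the paper's binary rewriter, relocation-table analysis and return-edge handling are not reproduced), and `gadget` stands in for any address an attacker would like to divert control to that was never registered as a legal target.

```c
/* Added example: toy model of springboard-style indirect-transfer validation.
 * Not CCFIR's implementation; layout, alignment and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* Three functions; only the first two are legitimate indirect-call targets. */
static int add_one(int x) { return x + 1; }
static int dbl(int x)     { return 2 * x; }
static int gadget(int x)  { return -x; }   /* stands in for an unintended target */

/* Model of the springboard section. Assumption: every entry is SB_ALIGN-byte
 * aligned, so a legal target address always has its low bits clear. */
#define SB_ALIGN 16
struct sb_entry { handler_t target; } __attribute__((aligned(SB_ALIGN)));
static struct sb_entry springboard[] = { { add_one }, { dbl } };
#define SB_COUNT (sizeof springboard / sizeof springboard[0])

/* A legal target is inside the section and aligned: two comparisons and one
 * mask, no lookup in a target set. This is the cheap check the abstract
 * contrasts with traditional CFI label matching. */
static int sb_valid(uintptr_t t)
{
    uintptr_t lo = (uintptr_t)springboard;
    uintptr_t hi = lo + sizeof springboard;
    return t >= lo && t < hi && (t & (SB_ALIGN - 1)) == 0;
}

/* Rewritten indirect call site: validate, then go through the springboard
 * entry. Returns 0 and sets *blocked when the transfer would leave the
 * section (a real deployment would abort the process instead). */
static int checked_icall(uintptr_t t, int arg, int *blocked)
{
    if (!sb_valid(t)) { *blocked = 1; return 0; }
    *blocked = 0;
    return ((struct sb_entry *)t)->target(arg);
}

/* Address of the i-th springboard entry, as a call site would hold it. */
static uintptr_t sb_addr(size_t i) { return (uintptr_t)&springboard[i]; }

/* Four scenarios; returns 1 when the policy behaved as expected in all. */
static int demo(void)
{
    int b, ok = 1;
    ok &= (checked_icall(sb_addr(1), 21, &b) == 42 && !b);       /* legal entry  */
    ok &= (checked_icall(sb_addr(1) + 4, 21, &b) == 0 && b);      /* mid-entry    */
    ok &= (checked_icall((uintptr_t)gadget, 21, &b) == 0 && b);   /* outside sect */
    ok &= (checked_icall(sb_addr(SB_COUNT), 21, &b) == 0 && b);   /* one past end */
    return ok;
}

int main(void)
{
    printf("springboard policy %s\n", demo() ? "holds" : "violated");
    return demo() ? 0 : 1;
}
```

The point the model makes is that once all legal targets live in one aligned region, the validity check needs no knowledge of which function is being called: an address into the middle of a function body (an ROP gadget) fails the alignment test, and an address anywhere outside the section fails the range test, which is why the abstract can claim that unintended gadgets are removed as indirect targets. Randomizing the order of entries within the section, which CCFIR does and this model omits, additionally keeps an attacker from predicting which entry maps to which function.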