τCFI: Type-assisted control flow integrity for x86-64 binaries

Paul Muntean; Matthias Fischer; Gang Tan; Zhiqiang Lin; Jens Grossklags; Claudia Eckert

doi:10.1007/978-3-030-00470-5_20

τCFI: Type-assisted control flow integrity for x86-64 binaries

Paul Muntean, Matthias Fischer, Gang Tan, Zhiqiang Lin, Jens Grossklags, Claudia Eckert

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Scopus citations

Abstract

Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

Original language	English (US)
Title of host publication	Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings
Editors	Michael Bailey, Sotiris Ioannidis, Manolis Stamatogiannakis, Thorsten Holz
Publisher	Springer Verlag
Pages	423-444
Number of pages	22
ISBN (Print)	9783030004699
DOIs	https://doi.org/10.1007/978-3-030-00470-5_20
State	Published - 2018
Event	21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 - Heraklion, Greece Duration: Sep 10 2018 → Sep 12 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11050 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018
Country/Territory	Greece
City	Heraklion
Period	9/10/18 → 9/12/18

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-00470-5_20

Cite this

Muntean, P., Fischer, M., Tan, G., Lin, Z., Grossklags, J., & Eckert, C. (2018). τCFI: Type-assisted control flow integrity for x86-64 binaries. In M. Bailey, S. Ioannidis, M. Stamatogiannakis, & T. Holz (Eds.), Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings (pp. 423-444). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-00470-5_20

Muntean, Paul ; Fischer, Matthias ; Tan, Gang ; Lin, Zhiqiang ; Grossklags, Jens ; Eckert, Claudia. / τCFI : Type-assisted control flow integrity for x86-64 binaries. Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. editor / Michael Bailey ; Sotiris Ioannidis ; Manolis Stamatogiannakis ; Thorsten Holz. Springer Verlag, 2018. pp. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{5288c9a1d7c54ac9a168245dbc65a90b,

title = "τCFI: Type-assisted control flow integrity for x86-64 binaries",

abstract = "Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.",

author = "Paul Muntean and Matthias Fischer and Gang Tan and Zhiqiang Lin and Jens Grossklags and Claudia Eckert",

note = "Funding Information: Acknowledgement. We thank the anonymous reviewers for their feedback, which helped to considerably improve the quality of this paper. Jens Grossklags{\textquoteright} research is supported by the German Institute for Trust and Safety on the Internet (DIVSI). Gang Tan is supported by US NSF grants CCF-1723571 and CNS-1624126, the Defense Advanced Research Projects Agency (DARPA) under agreement number N6600117C4052, and Office of Naval Research (ONR) under agreement number N00014-17-1-2539. Zhiqiang Lin is partially supported by US NSF grant CNS-1812553 and CNS-1834215, AFOSR award FA9550-14-1-0119, and ONR award N00014-17-1-2995. Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2018.; 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 ; Conference date: 10-09-2018 Through 12-09-2018",

year = "2018",

doi = "10.1007/978-3-030-00470-5_20",

language = "English (US)",

isbn = "9783030004699",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "423--444",

editor = "Michael Bailey and Sotiris Ioannidis and Manolis Stamatogiannakis and Thorsten Holz",

booktitle = "Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings",

address = "Germany",

}

Muntean, P, Fischer, M, Tan, G, Lin, Z, Grossklags, J & Eckert, C 2018, τCFI: Type-assisted control flow integrity for x86-64 binaries. in M Bailey, S Ioannidis, M Stamatogiannakis & T Holz (eds), Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11050 LNCS, Springer Verlag, pp. 423-444, 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018, Heraklion, Greece, 9/10/18. https://doi.org/10.1007/978-3-030-00470-5_20

τCFI : Type-assisted control flow integrity for x86-64 binaries. / Muntean, Paul; Fischer, Matthias; Tan, Gang; Lin, Zhiqiang; Grossklags, Jens; Eckert, Claudia.

Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. ed. / Michael Bailey; Sotiris Ioannidis; Manolis Stamatogiannakis; Thorsten Holz. Springer Verlag, 2018. p. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - τCFI

T2 - 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018

AU - Muntean, Paul

AU - Fischer, Matthias

AU - Tan, Gang

AU - Lin, Zhiqiang

AU - Grossklags, Jens

AU - Eckert, Claudia

N1 - Funding Information: Acknowledgement. We thank the anonymous reviewers for their feedback, which helped to considerably improve the quality of this paper. Jens Grossklags’ research is supported by the German Institute for Trust and Safety on the Internet (DIVSI). Gang Tan is supported by US NSF grants CCF-1723571 and CNS-1624126, the Defense Advanced Research Projects Agency (DARPA) under agreement number N6600117C4052, and Office of Naval Research (ONR) under agreement number N00014-17-1-2539. Zhiqiang Lin is partially supported by US NSF grant CNS-1812553 and CNS-1834215, AFOSR award FA9550-14-1-0119, and ONR award N00014-17-1-2995. Publisher Copyright: © Springer Nature Switzerland AG 2018.

PY - 2018

Y1 - 2018

N2 - Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

AB - Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

UR - http://www.scopus.com/inward/record.url?scp=85053896531&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85053896531&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-00470-5_20

DO - 10.1007/978-3-030-00470-5_20

M3 - Conference contribution

AN - SCOPUS:85053896531

SN - 9783030004699

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 423

EP - 444

BT - Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings

A2 - Bailey, Michael

A2 - Ioannidis, Sotiris

A2 - Stamatogiannakis, Manolis

A2 - Holz, Thorsten

PB - Springer Verlag

Y2 - 10 September 2018 through 12 September 2018

ER -

Muntean P, Fischer M, Tan G, Lin Z, Grossklags J, Eckert C. τCFI: Type-assisted control flow integrity for x86-64 binaries. In Bailey M, Ioannidis S, Stamatogiannakis M, Holz T, editors, Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. Springer Verlag. 2018. p. 423-444. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-00470-5_20

τCFI: Type-assisted control flow integrity for x86-64 binaries

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this