τCFI: Type-assisted control flow integrity for x86-64 binaries

Paul Muntean; Matthias Fischer; Gang Tan; Zhiqiang Lin; Jens Grossklags; Claudia Eckert

doi:10.1007/978-3-030-00470-5_20

τCFI: Type-assisted control flow integrity for x86-64 binaries

Paul Muntean, Matthias Fischer, Gang Tan, Zhiqiang Lin, Jens Grossklags, Claudia Eckert

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

Original language	English (US)
Title of host publication	Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings
Editors	Michael Bailey, Sotiris Ioannidis, Manolis Stamatogiannakis, Thorsten Holz
Publisher	Springer Verlag
Pages	423-444
Number of pages	22
ISBN (Print)	9783030004699
DOIs	https://doi.org/10.1007/978-3-030-00470-5_20
State	Published - Jan 1 2018
Event	21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 - Heraklion, Greece Duration: Sep 10 2018 → Sep 12 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11050 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018
Country	Greece
City	Heraklion
Period	9/10/18 → 9/12/18

Fingerprint

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Cite this

Muntean, P., Fischer, M., Tan, G., Lin, Z., Grossklags, J., & Eckert, C. (2018). τCFI: Type-assisted control flow integrity for x86-64 binaries. In M. Bailey, S. Ioannidis, M. Stamatogiannakis, & T. Holz (Eds.), Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings (pp. 423-444). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-00470-5_20

Muntean, Paul ; Fischer, Matthias ; Tan, Gang ; Lin, Zhiqiang ; Grossklags, Jens ; Eckert, Claudia. / τCFI : Type-assisted control flow integrity for x86-64 binaries. Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. editor / Michael Bailey ; Sotiris Ioannidis ; Manolis Stamatogiannakis ; Thorsten Holz. Springer Verlag, 2018. pp. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{5288c9a1d7c54ac9a168245dbc65a90b,

title = "τCFI: Type-assisted control flow integrity for x86-64 binaries",

abstract = "Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.",

author = "Paul Muntean and Matthias Fischer and Gang Tan and Zhiqiang Lin and Jens Grossklags and Claudia Eckert",

year = "2018",

month = jan,

day = "1",

doi = "10.1007/978-3-030-00470-5_20",

language = "English (US)",

isbn = "9783030004699",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "423--444",

editor = "Michael Bailey and Sotiris Ioannidis and Manolis Stamatogiannakis and Thorsten Holz",

booktitle = "Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings",

address = "Germany",

note = "21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 ; Conference date: 10-09-2018 Through 12-09-2018",

}

Muntean, P, Fischer, M, Tan, G, Lin, Z, Grossklags, J & Eckert, C 2018, τCFI: Type-assisted control flow integrity for x86-64 binaries. in M Bailey, S Ioannidis, M Stamatogiannakis & T Holz (eds), Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11050 LNCS, Springer Verlag, pp. 423-444, 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018, Heraklion, Greece, 9/10/18. https://doi.org/10.1007/978-3-030-00470-5_20

τCFI : Type-assisted control flow integrity for x86-64 binaries. / Muntean, Paul; Fischer, Matthias; Tan, Gang; Lin, Zhiqiang; Grossklags, Jens; Eckert, Claudia.

Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. ed. / Michael Bailey; Sotiris Ioannidis; Manolis Stamatogiannakis; Thorsten Holz. Springer Verlag, 2018. p. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - τCFI

T2 - 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018

AU - Muntean, Paul

AU - Fischer, Matthias

AU - Tan, Gang

AU - Lin, Zhiqiang

AU - Grossklags, Jens

AU - Eckert, Claudia

PY - 2018/1/1

Y1 - 2018/1/1

N2 - Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

AB - Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in need of a thorough solution. In this paper, we propose τCFI, an extended control flow integrity (CFI) model that uses both the types and numbers of function parameters to enforce forward- and backward-edge control flow transfers. At a high level, it improves the precision of existing forward-edge recognition approaches by considering the type information of function parameters, which are directly extracted from the application binaries. Therefore, τCFI can be used to harden legacy applications for which source code may not be available. We have evaluated τCFI on real-world binaries including Nginx, NodeJS, Lighttpd, MySql and the SPEC CPU2006 benchmark and demonstrate that τCFI is able to effectively protect these applications from forward- and backward-edge corruptions with low runtime overhead. In direct comparison with state-of-the-art tools, τCFI achieves higher forward-edge caller-callee matching precision.

UR - http://www.scopus.com/inward/record.url?scp=85053896531&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85053896531&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-00470-5_20

DO - 10.1007/978-3-030-00470-5_20

M3 - Conference contribution

AN - SCOPUS:85053896531

SN - 9783030004699

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 423

EP - 444

BT - Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings

A2 - Bailey, Michael

A2 - Ioannidis, Sotiris

A2 - Stamatogiannakis, Manolis

A2 - Holz, Thorsten

PB - Springer Verlag

Y2 - 10 September 2018 through 12 September 2018

ER -

Muntean P, Fischer M, Tan G, Lin Z, Grossklags J, Eckert C. τCFI: Type-assisted control flow integrity for x86-64 binaries. In Bailey M, Ioannidis S, Stamatogiannakis M, Holz T, editors, Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings. Springer Verlag. 2018. p. 423-444. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-00470-5_20

Access to Document

10.1007/978-3-030-00470-5_20