Analyzing control flow integrity with LLVM-CFI

Paul Muntean, Matthias Neumayer, Zhiqiang Lin, Gang Tan, Jens Grossklags, Claudia Eckert

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availability. Further, tool comparison is underdeveloped or not possible at all. CFI has proven to be one of the most promising protections against control flow hijacking attacks, thus many efforts have been made to improve CFI in various ways. However, there is a lack of systematic assessment of existing CFI protections. In this paper, we present LLVM-CFI, a static source code analysis framework for analyzing state-of-the-art static CFI protections based on the Clang/LLVM compiler framework. LLVM-CFI works by precisely modeling a CFI policy and then evaluating it within a unified approach. LLVM-CFI helps determine the level of security offered by different CFI protections, after the CFI protections were deployed, thus providing an important step towards exploit creation/prevention and stronger defenses. We have used LLVM-CFI to assess eight state-of-the-art static CFI defenses on real-world programs such as Google Chrome and Apache Httpd. LLVM-CFI provides a precise analysis of the residual attack surfaces, and accordingly ranks CFI policies against each other. LLVM-CFI also successfully paves the way towards construction of COOP-like code reuse attacks and elimination of the remaining attack surface by disclosing protected calltargets under eight restrictive CFI policies.

Original languageEnglish (US)
Title of host publicationProceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
PublisherAssociation for Computing Machinery
Pages584-597
Number of pages14
ISBN (Electronic)9781450376280
DOIs
StatePublished - Dec 9 2019
Event35th Annual Computer Security Applications Conference, ACSAC 2019 - San Juan, United States
Duration: Dec 9 2019Dec 13 2019

Publication series

NameACM International Conference Proceeding Series

Conference

Conference35th Annual Computer Security Applications Conference, ACSAC 2019
CountryUnited States
CitySan Juan
Period12/9/1912/13/19

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Analyzing control flow integrity with LLVM-CFI'. Together they form a unique fingerprint.

  • Cite this

    Muntean, P., Neumayer, M., Lin, Z., Tan, G., Grossklags, J., & Eckert, C. (2019). Analyzing control flow integrity with LLVM-CFI. In Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019 (pp. 584-597). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3359789.3359806