Combining Control-Flow Integrity and static analysis for efficient and validated data sandboxing

Bin Zeng, Gang Tan, Greg Morrisett

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

51 Scopus citations

Abstract

In many software attacks, inducing an illegal control-flow transfer in the target system is one common step. Control-Flow Integrity (CFI [1]) protects a software system by enforcing a pre-determined control-flow graph. In addition to providing strong security, CFI enables static analysis on low-level code. This paper evaluates whether CFI-enabled static analysis can help build efficient and validated data sandboxing. Previous systems generally sandbox memory writes for integrity, but avoid protecting confidentiality because of the high overhead of sandboxing memory reads. To reduce overhead, we have implemented a series of optimizations that remove sandboxing instructions when static analysis proves them unnecessary. On top of CFI, our system adds only 2.7% runtime overhead on SPECint2000 for sandboxing memory writes and a modest 19% for sandboxing both reads and writes. We have also built a principled data-sandboxing verifier based on range analysis. The verifier checks the safety of the optimizer's output, which removes the need to trust the rewriter and optimizer. Our results show that the combination of CFI and static analysis has the potential to bring down the cost of general inlined reference monitors while maintaining strong security.
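The abstract's two mechanisms, an optimizer that drops sandboxing instructions proven redundant and an independent range-analysis verifier that checks the result, can be illustrated on a toy instruction set. The following is an added model written for this page, not the paper's x86 implementation; the sandbox bounds, guard-zone size and instruction forms are assumptions, and a basic block is taken to be entered only at its first instruction, which is the property CFI supplies.

```python
# Added illustrative model (not the paper's code): range analysis that removes
# provably redundant sandboxing masks, plus an independent verifier.
SANDBOX_LO, SANDBOX_HI = 0x10000000, 0x1FFFFFFF   # data region (constructed)
GUARD = 4096                                        # guard zone past it (assumed)

def in_sandbox(rng):
    """A known address range is safe if it lies in the region or its guard zone."""
    return rng is not None and SANDBOX_LO <= rng[0] and rng[1] <= SANDBOX_HI + GUARD

def step(ranges, ins):
    """Transfer function for one instruction; None means 'range unknown'.
    Facts derived inside a block are sound only because CFI rules out jumps
    into the middle of the block that would skip the masking instruction."""
    op, reg = ins[0], ins[1]
    if op == "input":                      # value arriving from outside the block
        ranges[reg] = None
    elif op == "mask":                     # reg = (reg & 0x0FFFFFFF) | 0x10000000
        ranges[reg] = (SANDBOX_LO, SANDBOX_HI)
    elif op == "add":                      # reg += imm
        r = ranges.get(reg)
        ranges[reg] = None if r is None else (r[0] + ins[2], r[1] + ins[2])

def optimize(block):
    """Drop a mask when the register is already proven to be in the sandbox."""
    ranges, out = {}, []
    for ins in block:
        if ins[0] == "mask" and in_sandbox(ranges.get(ins[1])):
            continue                       # redundant sandboxing instruction
        out.append(ins)
        step(ranges, ins)
    return out

def verify(block):
    """Independent check on the optimizer's output: every load/store address
    must be provably inside the sandbox, so the optimizer need not be trusted."""
    ranges = {}
    for ins in block:
        if ins[0] in ("load", "store") and not in_sandbox(ranges.get(ins[1])):
            return False
        step(ranges, ins)
    return True

# Constructed block: three masks, of which only the second is provably redundant.
BLOCK = [("input", "r1"), ("mask", "r1"), ("store", "r1"),
         ("add", "r1", 8), ("mask", "r1"), ("store", "r1"),
         ("add", "r1", 0x20000000), ("mask", "r1"), ("load", "r1")]

if __name__ == "__main__":
    opt = optimize(BLOCK)
    print(len(BLOCK) - len(opt), "mask(s) removed; verified:", verify(opt))
```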

Original language: English (US)
Title of host publication: CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security
Pages: 29-39
Number of pages: 11
DOIs: https://doi.org/10.1145/2046707.2046713
State: Published - Nov 14 2011
Event: 18th ACM Conference on Computer and Communications Security, CCS'11 - Chicago, IL, United States
Duration: Oct 17 2011 - Oct 21 2011

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 18th ACM Conference on Computer and Communications Security, CCS'11
Country: United States
City: Chicago, IL
Period: 10/17/11 - 10/21/11

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Zeng, B., Tan, G., & Morrisett, G. (2011). Combining Control-Flow Integrity and static analysis for efficient and validated data sandboxing. In CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 29-39). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2046707.2046713