Modular Control-Flow Integrity

Ben Niu, Gang Tan

Research output: Contribution to journal › Article › peer-review

45 Scopus citations

Abstract

Control-Flow Integrity (CFI) is a software-hardening technique. It inlines checks into a program so that its execution always follows a predetermined Control-Flow Graph (CFG). As a result, CFI is effective at preventing control-flow hijacking attacks. However, past fine-grained CFI implementations do not support separate compilation, which hinders its adoption.

We present Modular Control-Flow Integrity (MCFI), a new CFI technique that supports separate compilation. MCFI allows modules to be independently instrumented and linked statically or dynamically. The combined module enforces a CFG that is a combination of the individual modules' CFGs. One challenge in supporting dynamic linking in multithreaded code is how to ensure a safe transition from the old CFG to the new CFG when libraries are dynamically linked. The key technique we use is to have the CFG represented in a runtime data structure and have reads and updates of the data structure wrapped in transactions to ensure thread safety. Our evaluation on SPECCPU2006 benchmarks shows that MCFI supports separate compilation, incurs low overhead of around 5%, and enhances security. Copyright is held by the owner/author(s).
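The abstract describes two ideas: an inlined check at each indirect branch, and a CFG kept in a runtime data structure whose reads and updates are wrapped in transactions so that dynamically linking a library cannot leave a thread checking against a half-updated table. The following C program is an added illustration of that design, not code from the paper or from the MCFI project. It assumes a simplified equivalence-class scheme (a call site carries an ID and may only reach targets assigned the same ID), represents the combined CFG as an immutable snapshot published with one atomic pointer store (so a read transaction is "take a snapshot, answer from it" and an update transaction is "copy, extend, publish"), and uses constructed "modules" made of ordinary functions; all names (`cfg_link_module`, `cfi_checked_call`, `SITE_HANDLER`) are invented for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TARGETS 32

typedef void (*handler_fn)(int);

/* One allowed indirect-call target: its address and the equivalence-class
   ID shared by every call site permitted to reach it (constructed scheme). */
typedef struct {
    handler_fn fn;
    uint32_t   id;
} cfg_entry;

/* Immutable snapshot of the combined CFG table. Linking a module creates a
   new snapshot, so a reader never observes a partially updated table. */
typedef struct {
    uint32_t  version;
    size_t    count;
    cfg_entry entries[MAX_TARGETS];
} cfg_table;

static cfg_table *_Atomic g_cfg = NULL;   /* currently published snapshot */

/* Update transaction: copy the live table, append the new module's entries,
   then publish the copy with a single release store. Old snapshots are not
   freed here; a real runtime would reclaim them once no reader can still
   hold a pointer to them (grace period). */
static bool cfg_link_module(const cfg_entry *mod, size_t n) {
    cfg_table *old = atomic_load_explicit(&g_cfg, memory_order_acquire);
    size_t base = old ? old->count : 0;
    if (base + n > MAX_TARGETS) return false;
    cfg_table *nt = calloc(1, sizeof *nt);
    if (!nt) return false;
    if (old) memcpy(nt->entries, old->entries, base * sizeof(cfg_entry));
    memcpy(nt->entries + base, mod, n * sizeof(cfg_entry));
    nt->count   = base + n;
    nt->version = old ? old->version + 1 : 1;
    atomic_store_explicit(&g_cfg, nt, memory_order_release);
    return true;
}

/* Read transaction: take one snapshot and answer entirely from it. */
static bool cfg_lookup_id(handler_fn fn, uint32_t *id_out) {
    cfg_table *t = atomic_load_explicit(&g_cfg, memory_order_acquire);
    if (!t) return false;
    for (size_t i = 0; i < t->count; i++) {
        if (t->entries[i].fn == fn) { *id_out = t->entries[i].id; return true; }
    }
    return false;
}

/* The check a CFI-instrumented indirect call performs before transferring
   control: the target's ID must equal the ID assigned to the call site. */
static bool cfi_checked_call(uint32_t site_id, handler_fn target, int arg) {
    uint32_t tid;
    if (!cfg_lookup_id(target, &tid) || tid != site_id) {
        fprintf(stderr, "CFI violation: target not valid for site id %u\n", site_id);
        return false;
    }
    target(arg);
    return true;
}

/* Constructed "modules": a main program and a library linked later. */
static int g_last = -1;
static void main_handler(int x) { g_last = x; }
static void lib_handler(int x)  { g_last = x * 10; }
static void lib_private(int x)  { g_last = -x; }   /* never a valid indirect target */

enum { SITE_HANDLER = 7 };

static const cfg_entry main_module[] = { { main_handler, SITE_HANDLER } };
static const cfg_entry lib_module[]  = { { lib_handler,  SITE_HANDLER } };

/* Scripted run; returns how many calls passed the CFI check (expected 2). */
static int demo(void) {
    int ok = 0;
    cfg_link_module(main_module, 1);
    ok += cfi_checked_call(SITE_HANDLER, main_handler, 1);   /* allowed */
    ok += cfi_checked_call(SITE_HANDLER, lib_handler, 2);    /* rejected: library not linked yet */
    cfg_link_module(lib_module, 1);                          /* dynamic link extends the CFG */
    ok += cfi_checked_call(SITE_HANDLER, lib_handler, 2);    /* now allowed */
    ok += cfi_checked_call(SITE_HANDLER, lib_private, 3);    /* rejected: not an indirect target */
    return ok;
}

int main(void) {
    printf("%d calls passed the CFI check\n", demo());
    return 0;
}
```

The snapshot-and-publish pattern is one way to get the "reads and updates wrapped in transactions" property the abstract asks for: a thread that loaded the table pointer before the library was linked keeps checking against a complete old CFG, and one that loads it afterwards sees the complete combined CFG; neither can observe a table with a stale count and fresh entries or vice versa. The cost of the check itself is a pointer load plus a lookup, which is where the paper's instrumentation work (ID placement, hashing of the table) matters for the reported overhead.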

Original language: English (US)
Pages (from-to): 577-587
Number of pages: 11
Journal: ACM SIGPLAN Notices
Volume: 49
Issue number: 6
DOIs
State: Published - Jun 5 2014

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
