Citation Context

...e register values that it must preserve during its execution. In our prototype implementation of Readactor, we use function permutation [37], register allocation randomization, and callee-saved register save slot reordering [49]. We selected these transformations because they permute the code layout effectively, have low performance impact, and make the dataflow between gadgets unpredictable. Our prototype implementation performs fine-grained code randomization at compile-time. With additional implementation effort, we can make the compiler emit binaries that randomize themselves at load-time [8, 44, 65]. Self-randomizing binaries eliminate the need to generate and distribute multiple distinct binaries, which improves the practicality of diversity. However, the security properties of compile-time and load-time solutions are largely similar. Hence, we focus on how to randomize programs and how to protect the code from disclosure irrespective of when randomization happens. B. Code and Data Separation To increase efficiency, compilers sometimes intersperse code and data. Since Readactor enforces execute-only permissions for code pages, we must prevent the compiler from embedding data in the code...

Citation Context

...allow enough valid transfers to enable an attacker to build a malicious payload [20]. As a result of the attacks on coarse-grained variants of CFI, researchers have focused on fine-grained, yet still practical enforcement of CFI. For example, forward-edge CFI [53] enforces a finegrained CFI on forward-edge control transfers (i.e. indirect calls, but not returns). Cryptographically enforced CFI [32] enforces another form of fine-grained CFI by adding message authentication code (MAC) to control flow elements which prevents the usage of unintended control transfers in the CFG. Opaque CFI (OCFI) [34] enforces fine-grained CFI by transforming branch target checks to bounds checking (possible base and bound of allowed control transfers). The security of fine-grained CFI techniques is contingent on the ability to construct CFGs that accurately capture the intended control transfers permitted by the application. For C/C++ applications, even with access to source code, this assumption is tenuous at best. In theory, the construction of an accurate CFG requires the use of a precise (sound and complete) pointer analysis. Unfortunately, sound and complete points-to analysis is undecidable [41]. In...

Citation Context

...ttSFIeld [16], NaCl [32, 26], CCFIR [34], binCFI [35], and MIP [18]. The major benefit of coarse-grained CFI is that coarse-grained CFGs are easier to build, even without access to source code (e.g., =-=[17]-=-). But on the down side, the coarsegrained CFGs are too permissive so that it is still possible to mount attacks in general, as demonstrated in recent work [13, 10, 8]. Fine-grained CFI supports progr...

Citation Context

...rity. Fine-grained CFI provides a strong protection against most control-flow hijacking attacks, but often has high performance overhead. It also requires a precise control-flow graph that still is not readily available in the commodity compilers. Recent research effort focuses on reducing CFI performance overhead for commodity programs [54, 55]. They trade the protection granularity for performance, leading to potential vulnerabilities [23, 28]. Opaque CFI uses coarse-grained controlflow integrity to strengthen fine-grained code randomization against certain types of information leak attacks [38]. Instead of validating the exact target address, OCFI ensures that the target is within a certain randomized bound. RockJIT leverages modular CFI to protect the JIT compiler and the dynamically generated code [39]. It builds a finegrained CFG from the source code of the JIT compiler, and keeps the control-flow policy updated with the new generated code. Even though most CFI systems are implemented in the software, hardware architectural support for CFI has been proposed that can substantially simplify and speed up CFI systems [25]. In addition to control-flow integrity, researchers have propo...

Citation Context

...ctest rules. When use a unique ID for each control flow transfer, thus resulting in an unlimited number of tags (or ID-s), we refer to it a fine-grained CFI. A number of recent fine-grained CFI techniques have been proposed in the literature. Forward-edge CFI [60] enforces a fine-grained CFI on forward-edge control transfers (i.e. indirect calls, but not returns). Cryptographically enforced CFI [35] enforces another form of finegrained CFI by adding message authentication code (MAC) to control flow elements which prevents the usage of unintended control transfers in the CFG. Opaque CFI (OCFI) [37] enforces a fine-grained CFI by transforming the problem of branch target check to bounds checking (possible base and bound of allowed control transfers). Moreover, it prevents attacks on unintended CFG edges by applying code randomization. The authors of OCFI mention that it achieves resilience against information leakage (a.k.a. memory disclosure) attacks [58, 52] because the attacker can only learn about intended edges in such attacks, and not the unintended ones which were used in previous attacks against coarse-grained CFI [22]. The attack we describe in section 3.4 shows that just the in...

Citation Context

...icient for an adversary to execute arbitrary code. 4. ADVERSARY MODEL We consider a powerful, yet realistic adversary model that is consistent with previous work on code-reuse attacks and mitigations =-=[11, 13, 24, 31, 35]-=-. We rely on several existing and complementary mitigations for comprehensive coverage. Adversarial Capabilities. • System Configuration: The adversary is aware of the applied defenses and has access ...

Citation Context

...icient for an adversary to execute arbitrary code. 4. ADVERSARY MODEL We consider a powerful, yet realistic adversary model that is consistent with previous work on code-reuse attacks and mitigations =-=[11, 13, 24, 31, 35]-=-. We rely on several existing and complementary mitigations for comprehensive coverage. Adversarial Capabilities. • System Configuration: The adversary is aware of the applied defenses and has access ...

Citation Context

...PittSFIeld [29] and CCFIR [30] enforce coarse-grained policy by aligning code. Based on a CPU emulator, MoCFI [31] rewrites ARM binary code to retrofit CFI protection on smart phone. While Opaque CFI =-=[32]-=- combines coarse-grained CFI and artificial diversification in order to render disclosure attacks harder, it introduces other problems like large space overhead, lack of fine-grained diversification, ...