Results 1 -
6 of
6
Code-Pointer Integrity
, 2014
"... Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) ..."
Abstract
-
Cited by 16 (1 self)
- Add to MetaCart
Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) are incomplete, and stronger defense mechanisms (e.g., CFI) often have high overhead and limited guarantees [19, 15, 9]. We introduce code-pointer integrity (CPI), a new de-sign point that guarantees the integrity of all code point-ers in a program (e.g., function pointers, saved return ad-dresses) and thereby prevents all control-flow hijack at-tacks, including return-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2 % overhead for C and 1.9 % for C/C++, while CPI’s overhead is 2.9 % for C and 8.4 % for C/C++. A prototype implementation of CPI and CPS can be obtained from
The Performance Cost of Shadow Stacks and Stack Canaries
"... Control flow defenses against ROP either use strict, expen-sive, but strong protection against redirected RET instruc-tions with shadow stacks, or much faster but weaker pro-tections without. In this work we study the inherent over-heads of shadow stack schemes. We find that the overhead is roughly ..."
Abstract
-
Cited by 6 (0 self)
- Add to MetaCart
(Show Context)
Control flow defenses against ROP either use strict, expen-sive, but strong protection against redirected RET instruc-tions with shadow stacks, or much faster but weaker pro-tections without. In this work we study the inherent over-heads of shadow stack schemes. We find that the overhead is roughly 10 % for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measure-ments suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs as-sociated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.
Micro-Policies Formally Verified, Tag-Based Security Monitors
"... Abstract—Recent advances in hardware design have demon-strated mechanisms allowing a wide range of low-level secu-rity policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
(Show Context)
Abstract—Recent advances in hardware design have demon-strated mechanisms allowing a wide range of low-level secu-rity policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level “symbolic machine, ” and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy’s rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller. Index Terms—security; dynamic enforcement; reference mon-itors; low-level code; tagged hardware architecture; metadata; formal verification; refinement; machine-checked proofs; Coq; dynamic sealing; compartmentalization; isolation; least privilege; memory safety; control-flow integrity 1
Evaluating Modern Defenses Against Control Flow Hijacking Evaluating Modern Defenses Against Control Flow Hijacking
"... Abstract Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Strong defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker and practical defenses such as Code Pointer Integrity (CPI) and Control Flow I ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Strong defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker and practical defenses such as Code Pointer Integrity (CPI) and Control Flow Integrity (CFI) have their weaknesses. In this thesis, I present attacks that expose the fundamental weaknesses of CPI and CFI. CPI promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is isolated by hardward enforcement on 0x86-32 architecture and by information-hiding on 0x86-64 and ARM architectures. We show that when CPI relies on information hiding, CPI's safe region can be leaked and thus rendering it ineffective against malicious exploits. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags is ineffective in protecting against attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI.
Code-Pointer Integrity
, 2014
"... Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) ..."
Abstract
- Add to MetaCart
Systems code is often written in low-level languages like C/C++, which offer many benefits but also dele-gate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed de-fense mechanisms (e.g., ASLR, DEP) are incomplete, and stronger defense mechanisms (e.g., CFI) often have high overhead and limited guarantees [19, 15, 9]. We introduce code-pointer integrity (CPI), a new de-sign point that guarantees the integrity of all code point-ers in a program (e.g., function pointers, saved return ad-dresses) and thereby prevents all control-flow hijack at-tacks, including return-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2 % overhead for C and 1.9 % for C/C++, while CPI’s overhead is 2.9 % for C and 8.4 % for C/C++. A prototype implementation of CPI and CPS can be obtained from
Missing the Point(er): On the Effectiveness of Code Pointer Integrity
"... Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) ..."
Abstract
- Add to MetaCart
(Show Context)
Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI’s safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proof-of-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.
