Architectural Support for Software-Based Protection

Mihai Budiu Úlfar Erlingsson Martín Abadi

ASID Workshop, Oct 21, 2006

Silicon Valley

Summary

CFI XFI

Enforce control flow to prevent software attacks

[CCS 05] [ICFEM 05]

Protect modules within a single address space

[OSDI 06]

2

This work: add hardware supportThis work: add hardware support

Outline

• Control-Flow Integrity

• XFI: Protecting Modules• Conclusions

3

CFI Motivation

4

Control flow

Anatomy of many software attacks

CFI Idea

5

Executable Control-Flow Graph

+ =

Self-checking program

CFI Security Benefits

• Enforces CFG against attacker that controlswhole data memory

• Defends against a large class of attacks– Buffer overflows– Stack smashing– Jump-to-libc– Pointer subterfuge

• Validated experimentally

6

Code

Data

Stack

Embedding a CFG Edge

7

jmpc r1, 50......

cfilabel 60….cfilabel 50.....

jmp r1......

dest:.....

?

Traditional indirect jump New ISA: checked jump and label

Semantics

8

jmpc r1, L cfilabel L

cfi_register = L;jmp r1

if (cfi_register == L) cfi_register = 0

before any instructionexcept cfilabel

if (cfi_register != 0) cfi_exception()

Evaluation

9

Binary

Squeeze++binary rewriter

instrumentationalgorithm

Sim-alphasimulator

Alpha CC

Spec2k Sources

Instrumentedbinary

Performancedata

Linux

CFI Execution Overhead

Outline

• Control-Flow Integrity• XFI: Protecting Modules

• Conclusions11

XFI Motivation

12

OS Kernel Driver Driver

Ring 0 (high privilege)Single address space

Kernel heap

Shareddata structure

XFI Address Spaces

13

Host system XFI Module

Data R/OData

R/WData

Stacks

CodeCode

Entry points

Fastpathregion

A B Slowpathregion

Host heap

Memory Bounds Checks

14

Host system XFI Module

Data R/OData

R/WDataCodeCode

A B

Host heap

*(int*)x = 2;

if (x < A + 0) goto SlowpathCheck; if (B – sizeof(int) < x) goto SlowpathCheck;retfromSlowCheck: *(int*)x = 2;

2x

ISA Support for XFI

15

mrguard $r, L, H

If ($r < $a + L) XFI_exception()if ($b – H < $r) XFI_exception()

[$r – L, $r + H) [$a, $b)

A B

$rL H

Evaluation

16

Assembly

Sim-alphasimulator

Alpha CC

Mediabench Sources

Instrumentedbinary

Performancedata

Linux

HandinstrumentKernel

LinkObject files

Bounds Checks Overhead

17

Advantages of ISA SupportCompared with software solutions:• Reduce executable size• Reduce pressure on fetch structures

(I-cache, trace cache, br. predictors)• Decrease register pressure

(no intermediate results)• Do not pollute condition flags• Do not pollute the data cache

to fetch code label [CFI only]

18

Conclusions

• ISA support is very simple• ISA support does not stretch

critical hw resources

• ISA support can reduce the cost of CFI and XFI enforcement

19

Backup Slides 20

21

MSR Silicon Valley

22

Our Neighbors

GoogleNASA AMESMicrosoft SVC

23

We’re Going Into Architecture

We’re Hiring Computer Architects

24

• Exciting research opportunities• A chance to influence industry• A lot of creative freedom• A great interdisciplinary team• A brand new research group• A great location

research.microsoft.com/aboutmsr/labs/siliconvalley

CFI & XFI Toolchain

25

Compiler

Executable

Debugginginformation

ProgramBinary

rewriter

Safe executable

Unsafecode

Execution

Safecode

Verifier

Instrumentationalgorithm

Trusted computing base

CFI Software Implementation

26

jmpc r1, 50......

cfilabel 50.....

if (*r1 != 50) then goto error;goto r1+4;….

.data 50….

CFI Binary Size Increase

27