Efficient Protection of Path-Sensitive Control Security
![Page 1: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/1.jpg)
Efficient Protection of Path-Sensitive Control Security
Ren Ding, Chenxiong Qian, Chengyu Song*, Bill Harris, Taesoo Kim, Wenke Lee
Georgia Tech, UC Riverside*
![Page 2: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/2.jpg)
What is Control Flow?
The order of instruction execution
Only limited sets of valid transitions
2
![Page 3: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/3.jpg)
What is Control Hijacking?
3
![Page 4: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/4.jpg)
[Chart: Reported Software Flaws - Buffer Errors, per year 2002 to 2013; vertical axis 0 to 800]
Control Flow Attacks Still Exist...
4
| ATTACK | Year | DEFENSE |
|---|---|---|
| Stack smashing | 1996 | |
| Ret2libc | 1997 | |
| Format string, Heap overflow, Integer overflow | | |
| | 1998 | StackGuard canaries |
| | 2000 | Stack cookies, W^X |
| | 2001 | Shadow stack, ASLR |
| Info leak to bypass ASLR | 2002 | |
| | 2003 | ProPolice, PointGuard |
| | 2005 | CFI |
| | 2009 | SoftBound |
| | 2010 | CETS |
| | 2011 | CFIMon, Control-flow locking |
| | 2013 | kBouncer |
| | 2014 | Modular CFI, ROPecker, Hardware-assisted CFI, CPI |
| History-hiding ROP | 2014 | |
| | 2015 | Opaque CFI, Per-Input CFI, Context-Sensitive CFI |
| Control-flow bending, Missing the pointer, Control Jujutsu, COOP | 2015 | |
| | 2017 | Griffin, FlowGuard |
![Page 5: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/5.jpg)
Control Flow Integrity (CFI)
Lightweight
Runtime Enforcement
Pre-computed valid sets: points-to analysis
Limitations: over-approximation for soundness!
5
![Page 6: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/6.jpg)
Motivating Example
• Parse request
• Assign “handler” fptr
  o If request from admin: handler() = priv
  o else: handler() = unpriv
• Strip request args
• Handle request
6
```c
void dispatch() {
    void (*handler)(struct request *) = 0;
    struct request req;

    while (1) {
        parse_request(&req);

        if (req.auth_user == ADMIN) {
            handler = priv;
        } else {
            handler = unpriv;
            // NOTE. buffer overflow
            strip_args(req.args);
        }

        handler(&req);
    }
}
```
![Page 7: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/7.jpg)
Motivating Example
7
[Stack diagram: dispatch() frame (high → low): req, handler, ret addr, …; strip_args() frame below it; arrows from the overflow to candidate targets: Shellcode, libc.so, priv(), unpriv()]
(Same dispatch() listing as slide 6.)
![Page 8: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/8.jpg)
Limitation of Traditional CFI
• Computes the valid transfer set at each location statically (lacks dynamic information)
8
[Control-flow diagram: parse_request() → (if admin: priv() else: unpriv()) → handler(); traditional CFI allows {priv(), unpriv()} at handler() regardless of which branch executed]
(Same dispatch() listing as slide 6.)
![Page 9: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/9.jpg)
Per-Input CFI:
Most Precise Known CFI
• Relies on static analysis for soundness
• Instrumentation required
• Enables a target as valid only once its address has been taken on the execution so far
9
![Page 10: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/10.jpg)
Limitation of Per-Input CFI
• Once a transfer target is enabled, it can never be removed from the valid set
10
(Same dispatch() listing as slide 6.)
[Control-flow diagram: parse_request() → (if admin: priv() / else: unpriv()) → handler(); per-input CFI's allowed set at handler() grows from {priv()} to {priv(), unpriv()} as each address is taken, and never shrinks]
![Page 11: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/11.jpg)
PITTYPAT: Path-Sensitive CFI
• At each control transfer, verify based on points-to analysis of whole execution path
11
(Same dispatch() listing as slide 6.)
[Control-flow diagram: parse_request() → (if admin: priv() else: unpriv()) → handler(); PittyPat's allowed set at handler() is exactly the one target assigned on the current path: priv() or unpriv(), never both]
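The three slides above (traditional CFI, per-input CFI, PittyPat) differ only in which set each policy allows at the `handler(&req)` call. The following C program is an added example, not code from the paper or the PittyPat implementation: it models the `handler` pointer's points-to state under all three policies and replays two constructed request traces from the dispatch() example. The event functions `on_assign` and `transfer_allowed`, the scenario names and the `monitor` struct are assumptions of this model; in the real system the events would come from the hardware trace, not from explicit calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The two indirect-call targets from the slides' dispatch() example. */
typedef void (*handler_fn)(void);
static void priv(void)   { }
static void unpriv(void) { }

/* Three CFI policies compared on the same executed path. */
enum policy { STATIC_CFI, PER_INPUT_CFI, PATH_SENSITIVE_CFI };

/* Abstract state the monitor keeps for the `handler` pointer (constructed model). */
struct monitor {
    bool enabled_priv;    /* per-input CFI: &priv was taken at some point in this run   */
    bool enabled_unpriv;  /* per-input CFI: &unpriv was taken at some point in this run */
    handler_fn path_pts;  /* path-sensitive CFI: what `handler` points to on THIS path   */
};

static void monitor_init(struct monitor *m) { memset(m, 0, sizeof *m); }

/* Trace event: the executed path stored `target` into `handler`. */
static void on_assign(struct monitor *m, handler_fn target) {
    if (target == priv)   m->enabled_priv = true;    /* enabled forever (monotonic) */
    if (target == unpriv) m->enabled_unpriv = true;
    m->path_pts = target;                            /* replaced, not accumulated  */
}

/* Trace event: an indirect call through `handler` is about to go to `target`. */
static bool transfer_allowed(const struct monitor *m, enum policy p, handler_fn target) {
    switch (p) {
    case STATIC_CFI:
        /* Static points-to over all paths of dispatch(): {priv, unpriv}, always. */
        return target == priv || target == unpriv;
    case PER_INPUT_CFI:
        /* Only targets whose address has been taken so far in this execution. */
        return (target == priv && m->enabled_priv) ||
               (target == unpriv && m->enabled_unpriv);
    case PATH_SENSITIVE_CFI:
        /* Only the single target the current path actually assigned. */
        return target == m->path_pts;
    }
    return false;
}

/* Scenario A (constructed): the very first request is from a normal user, so the
   path assigned handler = unpriv, yet the call is observed going to priv. */
static bool scenario_first_request_rejected(enum policy p) {
    struct monitor m;
    monitor_init(&m);
    on_assign(&m, unpriv);
    return !transfer_allowed(&m, p, priv);
}

/* Scenario B (constructed): an admin request legitimately ran priv earlier; the next
   request is from a normal user (handler = unpriv) but the call again goes to priv. */
static bool scenario_after_admin_rejected(enum policy p) {
    struct monitor m;
    monitor_init(&m);
    on_assign(&m, priv);
    if (!transfer_allowed(&m, p, priv)) return false;   /* the benign call must pass */
    on_assign(&m, unpriv);
    return !transfer_allowed(&m, p, priv);
}

int main(void) {
    const char *name[] = { "static CFI", "per-input CFI", "path-sensitive CFI" };
    for (int p = STATIC_CFI; p <= PATH_SENSITIVE_CFI; p++)
        printf("%-20s first-request: %s   after-admin: %s\n", name[p],
               scenario_first_request_rejected((enum policy)p) ? "rejected" : "allowed",
               scenario_after_admin_rejected((enum policy)p)   ? "rejected" : "allowed");
    return 0;
}
```

Static CFI allows both scenarios, per-input CFI rejects only scenario A (priv had not yet been taken), and the path-sensitive policy rejects both, because on the non-admin path `handler` can point only to `unpriv`. This is the precision ordering the slides describe.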
![Page 12: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/12.jpg)
Assumptions
Current approach only examines control security
Non-control data is out of scope
Not a memory safety solution
12
![Page 13: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/13.jpg)
Challenges
Collecting executed-path information and sharing it with the analysis efficiently
Trace information must not be tamperable
Computing points-to relations online both efficiently and precisely
13
![Page 14: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/14.jpg)
Our Solution Per Challenge
Intel Processor Trace (PT)
Incremental Online Points-to Analysis
14
![Page 15: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/15.jpg)
Intel Processor Trace
Low-overhead commodity hardware
Compressed packets to save bandwidth
CR3 filtering
Trace information shared & protected efficiently
15
![Page 16: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/16.jpg)
Incremental Points-to Analysis
Input:
  o LLVM IR of target program
  o Metadata of mapping between IR and binary
  o Runtime execution trace
Output: points-to relations on a single execution path
16
![Page 17: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/17.jpg)
What Differentiates Our Analysis
Traditional static points-to analysis reasons about all paths for soundness
Instead, we reason about points-to relations on one single path only
Maintain a shadow call stack of the instructions executed
Most precise enforcement achievable from control data alone
17
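The shadow call stack mentioned above is what gives the analysis its backward-edge precision: every call pushes the address the callee must return to, and every return is checked against the top of that stack. The C program below is an added example and not the paper's analyzer: it replays a constructed sequence of taken-branch records (the `branch_ev` shape, the addresses and the `replay_trace` function are all assumptions made for illustration, not the Intel PT packet format) and reports the first record that violates the shadow stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One taken-branch record as this model's analyzer consumes it (constructed shape):
   for EV_CALL, `addr` is the fall-through address the callee must return to;
   for EV_RET,  `addr` is where the return actually went. */
enum ev_kind { EV_CALL, EV_RET };
struct branch_ev { enum ev_kind kind; uint64_t addr; };

#define SHADOW_DEPTH 64

struct shadow_stack {
    uint64_t ret_addr[SHADOW_DEPTH];
    size_t depth;
};

/* Replays the trace against a shadow call stack. Returns the index of the first
   event that violates the backward-edge rule (a return to anything but the
   innermost pending return address), or -1 if the whole trace is consistent.
   Exhausting the shadow slots is reported as a violation rather than ignored. */
static int replay_trace(const struct branch_ev *ev, size_t n) {
    struct shadow_stack ss = { .depth = 0 };
    for (size_t i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_CALL:
            if (ss.depth == SHADOW_DEPTH) return (int)i;
            ss.ret_addr[ss.depth++] = ev[i].addr;
            break;
        case EV_RET:
            if (ss.depth == 0 || ss.ret_addr[ss.depth - 1] != ev[i].addr) return (int)i;
            ss.depth--;
            break;
        }
    }
    return -1;
}

/* Constructed trace following the call structure of the slides' example:
   main calls dispatch(), dispatch() calls strip_args(), both return normally. */
static const struct branch_ev benign_trace[] = {
    { EV_CALL, 0x401010 },        /* main -> dispatch();      return site 0x401010 */
    { EV_CALL, 0x401234 },        /* dispatch -> strip_args(); return site 0x401234 */
    { EV_RET,  0x401234 },        /* strip_args returns to its caller */
    { EV_RET,  0x401010 },        /* dispatch returns to its caller */
};

/* Same prefix, but strip_args() returns to an address outside its caller
   (placeholder libc address), the pattern a smashed return address leaves. */
static const struct branch_ev hijacked_trace[] = {
    { EV_CALL, 0x401010 },
    { EV_CALL, 0x401234 },
    { EV_RET,  0x7f0000001000ULL },
};

static int benign_result(void) {
    return replay_trace(benign_trace, sizeof benign_trace / sizeof *benign_trace);
}
static int hijacked_result(void) {
    return replay_trace(hijacked_trace, sizeof hijacked_trace / sizeof *hijacked_trace);
}

int main(void) {
    printf("benign trace:   %d (-1 means consistent)\n", benign_result());
    printf("hijacked trace: %d (index of the violating event)\n", hijacked_result());
    return 0;
}
```

Because the trace is produced by the processor rather than by instrumentation in the protected program, the shadow stack lives entirely in the analyzer and cannot be overwritten by the overflow it detects; that is the tamper-resistance property the Challenges slide asks for.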
![Page 18: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/18.jpg)
System Overview
Monitor Module:
  o Kernel-space driver for PT
  o Shares taken-branch information
Analyzer Module:
  o User-space
  o Updates points-to relations based on the trace
18
![Page 19: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/19.jpg)
Challenging Language Features
• Signal handling
• Setjmp/Longjmp
• Exception Handling
19
![Page 20: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/20.jpg)
Signal Handling
20
```llvm
; Function Attrs: nounwind uwtable
define void @SIGKILL_handler(i32 %signo) #0 {
entry:
  ...
if.then:                                          ; preds = %entry
  ...
if.else:                                          ; preds = %entry
  ...
if.end:                                           ; preds = %if.else, %if.then
  ret void
}

; Function Attrs: nounwind uwtable
define i32 @main() #0 {
entry:
  %call1 = call void (i32)* @signal(i32 9, void (i32)* @SIGKILL_handler) #3
  ret i32 0
}
```
![Page 21: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/21.jpg)
Setjmp/Longjmp
21
```llvm
; Function Attrs: nounwind uwtable
define void @hello() #0 {
entry:
  ...
  call void @longjmp(%struct.__jmp_buf_tag* getelementptr inbounds ([1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* @resume_here, i32 0, i32 0), i32 1) #4
  ...
}

; Function Attrs: nounwind uwtable
define i32 @main() #0 {
entry:
  ...
  %call1 = call i32 @_setjmp(%struct.__jmp_buf_tag* getelementptr inbounds ([1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* @resume_here, i32 0, i32 0)) #5
  ...
```
![Page 22: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/22.jpg)
Exception Handling
22
```llvm
; Function Attrs: norecurse uwtable
define i32 @main() #4 personality i8* bitcast (i32 (...)* @__gxx_personality_v0 to i8*) {
entry:
  ...
  %call = invoke i32 @_Z3foov()
          to label %invoke.cont unwind label %lpad
invoke.cont:                                      ; preds = %entry
  br label %try.cont
lpad:                                             ; preds = %entry
  %0 = landingpad { i8*, i32 }
          catch i8* bitcast (i8** @_ZTIi to i8*)
          catch i8* bitcast (i8** @_ZTIc to i8*)
          catch i8* null
  ...
```
![Page 23: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/23.jpg)
Optimizations on Analysis
Only analyze the calling context
Maintain the currently executing IR block alongside execution
  o Avoids decoding PT traces and translating binary addresses back to IR
Only analyze control-relevant functions and instructions
23
![Page 24: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/24.jpg)
Evaluation
Are benign applications satisfying path-sensitive CFI less susceptible to control hijacking attacks?
Do malicious applications that satisfy weaker CFI mechanisms fail to satisfy the current solution?
Can we achieve path-sensitive CFI efficiently?
24
![Page 25: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/25.jpg)
Forward Edge Points-to Set Size
25
![Page 26: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/26.jpg)
RIPE
Contains various vulnerabilities that can be exploited to hijack control flow
Passed all 264 benchmark cases that compiled in the testing environment
26
![Page 27: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/27.jpg)
Performance Overhead
27
[Bar chart: runtime overhead, vertical axis 0% to 50%; pi-CFI: 3.3%, PittyPat: 12.73%]
![Page 28: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/28.jpg)
Limitations
Non-control data corruption cannot be detected
Points-to analysis is not field-sensitive
Performance might not be ideal for a CFI solution
28
![Page 29: Efficient Protection of Path-Sensitive Control Security](https://reader031.fdocuments.in/reader031/viewer/2022012503/617d676b63a9216bcf1bcbed/html5/thumbnails/29.jpg)
Conclusion
Define path-sensitive CFI
Deploy practical mechanism for enforcement
Strictly stronger security guarantees
Acceptable runtime overhead in security critical settings
29