with Code Pointer Integrityseclab.cs.sunysb.edu/lszekeres/Talks/Szekeres-2014-THREADS.pdf ·...

Preventing control-flow hijackswith

Code Pointer Integrity

László Szekeres

Stony Brook University

Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song

Problem

• C/C++ is unsafe and unavoidable today

• All of our systems have C/C++ parts

• All of them have exploitable vulnerabilities

• They all can be compromised

Make pointer out-of-bounds

Make pointer dangling

Use pointer to write

Use pointer to read

Modify a code pointer...

… to target code address

Use pointer by indir. call/jmp

Execute injected code

Exec. gadgets or functions

Control-flow hijack

Use pointer by ret instruction

Control-flow hijack attack[Eternal War in Memory, IEEE S&P ‘13]




Use pointer to read






Control-flow hijack


Control-flow hijack defenses[Eternal War in Memory, IEEE S&P ‘13]




Use pointer to read






Control-flow hijack


Control-flow hijack defenses

DEP

[Eternal War in Memory, IEEE S&P ‘13]

Cookies


DEP





Use pointer to read






Control-flow hijack


Cookies


CFI

DEP





Use pointer to read






Control-flow hijack


Cookies


CFI

DEP

ASLR





Use pointer to read






Control-flow hijack


Cookies


CFI

DEP

ASLR

Memory Safety





Use pointer to read






Control-flow hijack


Cookies


CFI

DEP

ASLR

Memory Safety






Use pointer to read






Control-flow hijack


Code Pointer Integrity?

Code Pointer Integrity?





Use pointer to read






Control-flow hijack



• Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song

• It prevents all control-flow hijacks

• It has only 8% runtime overhead in average

[OSDI ’14]

Outline

Outline

Safe Stack

Outline

Safe Stack

Code Pointer Separation

Outline

Safe Stack



Safe StackEnforcing the integrity of return addresses

Integrity of return addresses

...

int i(local variable)

saved %ebp(base pointer)

saved %eip (ret. address.)

func call argument

...

char buff[16]

Stack

Integrity of return addresses

...




func call argument

...

char buff[16]

p[idx]=val;

Stack

Stack cookies

...




func call argument

...

...




func call argument

...

RANDOM CANARY

char buff[16] char buff[16]

Shadow stack

...


saved %ebp #2(base pointer)

saved %eip #2(ret. address.)

func call argument

...

...

...

...


...

char buff[16]






Stack Shadow stack

Protected region

Shadow stack

...




func call argument

...

...

...

...


...

char buff[16]






Stack Shadow stack

Protected region

Safe Stack




func call argument

...

...

......

...

...

char buff[16]

Safe stack (original stack)Unsafe stack

Protecting the Safe Stack

movl $42, (%rsp)

movl $42, %ds:(%eax)

movl $42, %ss:(%esp)

Regular Data Segment

Safe StackSegment

x86-32

Safe StackSegment

x86-64

How effective is the Safe Stack?

• Strictly stronger protection than stack cookies or shadow stack

• Only the Safe Stack provides guaranteed protection against return address corruption

• Stops all ROP attacks alone!

Safe Stack overhead

-5.00%-4.00%-3.00%-2.00%-1.00%0.00%1.00%2.00%3.00%4.00%5.00%

40

0_p

erlb

ench

(C

)

40

1_b

zip

2 (

C)

40

3_g

cc (

C)

42

9_m

cf (

C)

44

5_g

ob

mk

(C)

45

6_h

mm

er (

C)

45

8_s

jen

g (C

)

46

2_l

ibq

uan

tum

…

46

4_h

26

4re

f (C

)

47

1_o

mn

etp

p…

47

3_a

star

(C

++)

48

3_x

alan

bm

k…

43

3_m

ilc (

C)

44

4_n

amd

(C

++)

44

7_d

ealII

(C

++)

45

0_s

op

lex

(C++

)

45

3_p

ovr

ay (

C++

)

47

0_l

bm

(C

)

48

2_s

ph

inx3

(C

)

SPEC 2006 Benchmark

0% avg.

Safe Stack overhead

0 %

5%

10%

Perf

. ove

rhea

dSPEC 2006 Benchmark

Code Pointer SeparationProtecting function pointers

Integrity of function pointers

func_ptr

int

int_ptr

...

...

buffer

Heap

Integrity of function pointers

func_ptr

int

int_ptr

...

...

buffer

Heap

p[idx]=val;

Protected region

Code Pointer Separation (CPS)

func_ptr

int

int_ptr

...

...

...

func_ptr

...

...

...

...

buffer

...

Heap Safe Pointer Store

Protected region

Protected region

Code Pointer Separation (CPS)

data_ptr

func_ptr

...

...

func_ptr

...

Heap Safe Pointer Store




func call argument

...

...

char buff[8]

Safe stack (original stack)Unsafe stack

Protecting the Safe Pointer Store

movl $42, %fs:(%rax)

movl $42, (%rsp)

movl $42, %ds:(%eax)

movl $42, %gs:(%eax)

movl $42, %ss:(%esp)

Regular Data Segment

Safe StackSegment

x86-32

Safe StackSegment

x86-64

Safe Pointer StoreSegment

Safe Pointer StoreSegment

How effective is CPS?

obj->func();

obj

do_good()

do_bad()

func

CPS vs. CFI

CFI CPS

Callscan go to

any function whose address is taken

any function whose address is taken and stored in memory at the current point of execution

Returncan go to

any call site only their actual caller

CFI attacksGöktaş et al., IEEE S&P ‘14Göktaş et al., Usenix Sec ‘14Davi et al., Usenix Sec ‘14 Carlini et al., Usenix Sec ‘14

Practical CFI solutionsClassic CFI, CCS ‘05CCFIR, IEEE S&P ‘13binCFI, Usenix Sec ‘13kBouncer, Usenix Sec ‘13

CPS overhead

-5.00%

0.00%

5.00%

10.00%

15.00%

20.00%

40

0_p

erlb

ench

(C

)

40

1_b

zip

2 (

C)

40

3_g

cc (

C)

42

9_m

cf (

C)

44

5_g

ob

mk

(C)

45

6_h

mm

er (

C)

45

8_s

jen

g (C

)

46

2_l

ibq

uan

tum

(C

)

46

4_h

26

4re

f (C

)

47

1_o

mn

etp

p (

C++

)

47

3_a

star

(C

++)

48

3_x

alan

bm

k (C

++)

43

3_m

ilc (

C)

44

4_n

amd

(C

++)

44

7_d

ealII

(C

++)

45

0_s

op

lex

(C++

)

45

3_p

ovr

ay (

C++

)

47

0_l

bm

(C

)

48

2_s

ph

inx3

(C

)

SPEC 2006 Benchmark2% avg.

Code Pointer IntegrityGuaranteed protection of all code pointers

Issue #1

obj->func();

obj

do_good()

do_bad()

func

Issue #1: pointer coverage

obj->func();

obj

do_good()

do_bad()

func

Issue #2

obj=&objs[idx]obj->func();

objs

do_good()

do_bad()

func

do_well()func

+idx

Issue #2: spatial safety

obj=&objs[idx]obj->func();

objs

do_good()

do_bad()

func

do_well()func

+idx

Issue #3

obj

do_good()func

do_bad()

delete obj;…obj->func();

Issue #3

obj

do_good()

do_bad()


Issue #3: temporal safety

obj

do_good()

do_bad()


Protected region

Safe Pointer Store

CPS → Code Pointer Integrity

obj_ptr

int

func_ptr

int_ptr

buf

func_ptr

Protected region

Safe Pointer Store

Issue #1: pointer coverage

obj_ptr

int

func_ptr

int_ptr

buf

obj_ptr

func_ptr

Protected region

Safe Pointer Store

Issue #2: spatial safety

obj_ptr

int

func_ptr

int_ptr

buf

obj_ptr

func_ptr

lower_bound

func_ptr

upper_bound

func_ptr

Protected region

Issue #3: temporal safety

obj_ptr

int

func_ptr

int_ptr

buf

obj_ptr

func_ptr

lower_bound

func_ptr

upper_bound

func_ptr

uid

-

Safe Pointer Store

CPI overhead

-10.00%

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

40

0_p

erlb

ench

(C

)

40

1_b

zip

2 (

C)

40

3_g

cc (

C)

42

9_m

cf (

C)

44

5_g

ob

mk

(C)

45

6_h

mm

er (

C)

45

8_s

jen

g (C

)

46

2_l

ibq

uan

tum

(C

)

46

4_h

26

4re

f (C

)

47

1_o

mn

etp

p (

C++

)

47

3_a

star

(C

++)

48

3_x

alan

bm

k (C

++)

43

3_m

ilc (

C)

44

4_n

amd

(C

++)

44

7_d

ealII

(C

++)

45

0_s

op

lex

(C++

)

45

3_p

ovr

ay (

C++

)

47

0_l

bm

(C

)

48

2_s

ph

inx3

(C

)

SPEC 2006 Benchmark8% avg.

Implementationand case studies

Levee in LLVM/Clang

clang –fsafe-stack

clang –fcps

clang –fcpi

Get the prototype from: http://levee.epfl.ch

http://levee.epfl.ch/

Control-flow hijack protected FeeBSD

• Complete FreeBSD distribution (modulo kernel)

• >100 extra packages

Summary

Summary

Safe Stack0% avg.

Summary

Safe Stack

Code Pointer Separation2% avg.

0% avg.

Summary

Safe Stack


Code Pointer Integrity8% avg.

2% avg.

0% avg.

Thank you!

Questions?

with Code Pointer Integrityseclab.cs.sunysb.edu/lszekeres/Talks/Szekeres-2014-THREADS.pdf ·...

Documents

Transcript of with Code Pointer Integrityseclab.cs.sunysb.edu/lszekeres/Talks/Szekeres-2014-THREADS.pdf ·...