Renewable Just-In-Time Control-Flow Integrity
Pages 580 - 594
Abstract
Renew (Rewriting Newly Executable pages after Writes) unites and extends recent advances in binary code analysis and transformation to solve a longstanding compatibility problem for binary code security hardening algorithms—support for arbitrary dynamically self-modifying code. Self-modification is now a mainstay of many consumer software products, including Just-In-Time (JIT) compiled languages, on-demand component loading, self-extracting installers, and self-hooking APIs; but it poses significant challenges for code hardening algorithms that rely on computationally heavy static analyses, source code information, or compiler-specific code generation patterns. As a result, many of the strongest protection mechanisms for code hardening have remained incompatible or significantly weakened for the large class of software that incorporates self-modification (either directly or within its underlying runtime systems).
By leveraging recent advances in lightweight binary disassembly, efficient memory page interception, and fast machine code rewriting, Renew transparently extends binary code security hardening algorithms, such as source-free control-flow integrity (CFI) and software fault isolation (SFI), to self-modifying target codes. Experiments on two commodity JIT compilers and a commodity self-extracting installer solution show that Renew supports highly diverse dynamic code generation strategies with little or no customization to each new application, and achieves a 3–4 × performance improvement over alternative solutions that disable dynamic code to achieve equivalent security guarantees.
References
[1]
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS). 340–353.
[2]
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2009. Control-flow Integrity Principles, Implementations, and Applications. ACM Transactions on Information and System Security (TISSEC) 13, 1 (2009), 4:1–40.
[3]
Ittai Anati and Oren Ben Simhon. 2017. Control Flow Enforcement Technology (CET). Compiler Architecture and Tools Conference (CATC).
[4]
Jason Ansel, Petr Marchenko, Úlfar Erlingsson, Elijah Taylor, Brad Chen, Derek L. Schuff, David Sehr, Cliff L. Biffle, and Bennet Yee. 2011. Language-independent Sandboxing of Just-in-time Compilation and Self-modifying Code. In Proceedings of the 32nd ACM Conference on Programming Language Design and Implementation (PLDI). 355–366.
[5]
Erick Bauman, Zhiqiang Lin, and Kevin W Hamlen. 2018. Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics. In Proceedings of the 25th Annual Network & Distributed System Security Symposium (NDSS).
[6]
Andrew R. Bernat and Barton P. Miller. 2011. Anywhere, Any-time Binary Instrumentation. In Proceedings of the ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools (PASTE). 9–16.
[7]
Dionysus Blazakis. 2010. Interpreter Exploitation. In Proceedings of the 4th USENIX Workshop on Offensive Technologies (WOOT).
[8]
Derek Bruening, Timothy Garnett, and Saman Amarasinghe. 2003. An Infrastructure for Adaptive Dynamic Optimization. In Proceedings of the International Symposium on Code Generation and Optimization (CGO). 265–275.
[9]
David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J Schwartz. 2011. BAP: A Binary Analysis Platform. In Proceedings of the 23rd International Conference on Computer Aided Verification (CAV). 463–469.
[10]
Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, and Mathias Payer. 2018. Control-flow Integrity: Precision, Security, and Performance. Comput. Surveys 50, 1 (2018).
[11]
Cristian Cadar, Daniel Dunbar, Dawson R Engler, 2008. Klee: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). 209–224.
[12]
Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow Bending: On the Effectiveness of Control-flow Integrity. In Proceedings of the 24th USENIX Security Symposium. 161–176.
[13]
Fred Cohen. 1986. Computer Viruses. Ph. D. Dissertation. U. Southern California.
[14]
Thurston H.Y. Dang, Petros Maniatis, and David Wagner. 2015. The Performance Cost of Shadow Stacks and Stack Canaries. In Proceedings of the ACM Asia Conference on Information, Computer and Communications Security (AsiaCCS). 555–566.
[15]
Jan de Mooij. 2019. The Baseline Interpreter: A Faster JS Interpreter in Firefox 70. Mozilla Hacks (2019). https://hacks.mozilla.org/2019/08/the-baseline-interpreter-a-faster-js-interpreter-in-firefox-70.
[16]
Jan de Mooij. 2020. Warp: Improved JS Performance in Firefox 83. Mozilla Hacks (2020). https://hacks.mozilla.org/2020/11/warp-improved-js-performance-in-firefox-83.
[17]
Peter Deutsch and Charles A. Grant. 1971. A Flexible Measurement Tool for Software Systems. In Proceedings of the IFIP Congress, Volume 1. 320–326.
[18]
Xiaoning Du, Bihuan Chen, Yuekang Li, Jianmin Guo, Yaqin Zhou, Yang Liu, and Yu Jiang. 2019. Leopard: Identifying Vulnerable Code for Vulnerability Assessment Through Program Metrics. In Proceedings of the 41st IEEE/ACM International Conference on Software Engineering (ICSE). 60–71.
[19]
Isaac Evans, Sam Fingeret, Julian Gonzalez, Ulziibayar Otgonbaatar, Tiffany Tang, Howard E. Shrobe, Stelios Sidiroglou-Douskos, Martin C. Rinard, and Hamed Okhravi. 2015. Missing the Point(er): On the Effectiveness of Code Pointer Integrity. In Proceedings of the 36th IEEE Symposium on Security & Privacy (S&P). 781–796.
[20]
Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard E. Shrobe, Martin C. Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). 901–913.
[21]
Tommaso Frassetto, David Gens, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2017. JITGuard: Hardening Just-in-time Compilers with SGX. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS). 2405–2419.
[22]
Debin Gao, Michael K. Reiter, and Dawn Song. 2004. Gray-box Extraction of Execution Graphs for Anomaly Detection. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS). 318–329.
[23]
Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. 2016. Fine-grained Control-flow Integrity for Kernel Software. In Proceedings of the 37th IEEE Symposium on Security & Privacy (S&P). 179–194.
[24]
Enes Göktaş, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out of Control: Overcoming Control-flow Integrity. In Proceedings of the 35th IEEE Symposium on Security & Privacy (S&P). 575–589.
[25]
Willem De Groef, Nick Nikiforakis, Yves Younan, and Frank Piessens. 2010. JITSec: Just-in-time Security for Code Injection Attacks. In Proceedings of the 5th Benelux Workshop on Information and System Security (WISSEC).
[26]
Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider. 2006. Computability Classes for Enforcement Mechanisms. ACM Transactions on Programming Languages and Systems (TOPLAS) 28, 1 (2006), 175–205.
[27]
Andrei Homescu, Stefan Brunthaler, Per Larsen, and Michael Franz. 2013. Librando: Transparent Code Randomization for Just-in-time Compilers. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). 993–1004.
[28]
Hong Hu, Chenxiong Qian, Carter Yagemann, Simon Pak Ho Chung, William R. Harris, Taesoo Kim, and Wenke Lee. 2018. Enforcing Unique Code Target Property for Control-flow Integrity. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS). 1470–1486.
[29]
Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, and Zhenkai Liang. 2016. Data-oriented Programming: On the Expressiveness of Non-control Data Attacks. In Proceedings of the 37th IEEE Symposium on Security & Privacy (S&P). 969–986.
[30]
Intel®. 2023. Intel 64 and IA-32 Architectures Optimization Reference Manual. Intel® Corporation, Chapter 3.6.8: Mixing Code and Data.
[31]
Mustakimur Khandaker, Abu Naser, Wenqing Liu, Zhi Wang, Yajin Zhou, and Yueqiang Cheng. 2019. Adaptive Call-site Sensitive Control Flow Integrity. In Proceedings of the 4th IEEE European Symposium on Security & Privacy (EuroS&P). 95–110.
[32]
Mustakimur Rahman Khandaker, Wenqing Liu, Abu Naser, Zhi Wang, and Jie Yang. 2019. Origin-sensitive Control Flow Integrity. In Proceedings of the 28th USENIX Security Symposium. 195–211.
[33]
Sun Hyoung Kim, Cong Sun, Dongrui Zeng, and Gang Tan. 2021. Refining Indirect Call Targets at the Binary Level. In Proceedings of the 28th Annual Network & Distributed System Security Symposium (NDSS).
[34]
Johannes Kinder and Helmut Veith. 2008. Jakstab: A Static Analysis Platform for Binaries. In Proceedings of the 20th International Conference on Computer Aided Verification (CAV). 423–427.
[35]
Yuan Li, Mingzhe Wang, Chao Zhang, Xingman Chen, Songtao Yang, and Ying Liu. 2020. Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms. In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS). 1821–1835.
[36]
Jay Ligatti, Lujo Bauer, and David Walker. 2005. Edit Automata: Enforcement Mechanisms for Run-time Security Policies. International Journal of Information Security 4, 1–2 (2005), 2–16.
[37]
LuaJIT. Accessed 2022-05-02. Cleanup Workspace for LuaJIT Tests. https://github.com/LuaJIT/LuaJIT-test-cleanup.
[38]
LuaJIT. Accessed 2022-05-02. Performance Comparison. https://luajit.org/performance.html.
[39]
Andrea Mambretti, Alexandra Sandulescu, Alessandro Sorniotti, William Robertson, Engin Kirda, and Anil Kurmus. 2021. Bypassing Memory Safety Mechanisms Through Speculative Control Flow Hijacks. In Proceedings of the 42nd IEEE Symposium on Security & Privacy (S&P). 633–649.
[40]
Ali Jose Mashtizadeh, Andrea Bittau, Dan Boneh, and David Mazières. 2015. CCFI: Cryptographically Enforced Control Flow Integrity. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). 941–951.
[41]
Stephen McCamant and Greg Morrisett. 2006. Evaluating SFI for a CISC Architecture. In Proceedings of the 15th USENIX Security Symposium.
[42]
Vishwath Mohan, Per Larsen, Stefan Brunthaler, Kevin W. Hamlen, and Michael Franz. 2015. Opaque Control-flow Integrity. In Proceedings of the 22nd Annual Network & Distributed System Security Symposium (NDSS).
[43]
Mozilla Foundation. 2019. SpiderMonkey: The Mozilla JavaScript Runtime. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey.
[44]
Paul Muntean, Matthias Neumayer, Zhiqiang Lin, Gang Tan, Jens Grossklags, and Claudia Eckert. 2019. Analyzing Control Flow Integrity with LLVM-CFI. In Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC). 584–597.
[45]
Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. ACM Sigplan Notices 42, 6 (2007), 89–100.
[46]
Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. 2007. Predicting Vulnerable Software Components. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS). 529–540.
[47]
Ben Niu and Gang Tan. 2014. Modular Control-flow Integrity. SIGPLAN Notices 49, 6 (2014), 577–587.
[48]
Ben Niu and Gang Tan. 2014. RockJIT: Securing Just-in-time Compilation Using Modular Control-flow Integrity. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS). 1317–1328.
[49]
Johnathan Norman. 2021. Super Duper Secure Mode. https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode.
[50]
Johnathan Norman. 2022. Introducing Enhanced Security for Microsoft Edge. https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge.
[51]
Markus F.X.J. Oberhumer, László Molnár, and John F. Reiser. 2018. UPX: the Ultimate Packer for eXecutables. http://upx.sourceforge.net.
[52]
Mike Pall. 2019. The LuaJIT Project. https://luajit.org.
[53]
Tom Ritter. 2021. Browser Exploit History. Mozilla. docs.google.com/spreadsheets/d/1FslzTx4b7sKZK4BR-DpO45JZNB1QZF9wuijK3OxBwr0.
[54]
Robert Rudd, Richard Skowyra, David Bigelow, Veer Dedhia, Thomas Hobson, Stephen Crane, Christopher Liebchen, Per Larsen, Lucas Davi, Michael Franz, Ahmad-Reza Sadeghi, and Hamed Okhravi. 2017. Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity. In Proceedings of the 24th Annual Network & Distributed System Security Symposium (NDSS).
[55]
Riccardo Scandariato, James Walden, Aram Hovsepyan, and Wouter Joosen. 2014. Predicting Vulnerable Software Components Via Text Mining. IEEE Transactions on Software Engineering (TSE) 40, 10 (2014), 993–1006.
[56]
Fred B. Schneider. 2000. Enforceable security policies. ACM Transactions on Information and System Security (TISSEC) 3, 1 (2000), 30––50.
[57]
Sebastian Schrittwieser, Stefan Katzenbeisser, Johannes Kinder, Georg Merzdovnik, and Edgar Weippl. 2017. Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?Comput. Surveys 49, 1 (2017).
[58]
Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In Proceedings of the 36th IEEE Symposium on Security & Privacy (S&P).
[59]
Kevin Z. Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2013. Just-in-time Code Reuse: On the Effectiveness of Fine-grained Address Space Layout Randomization. In Proceedings of the 34th IEEE Symposium on Security & Privacy (S&P). 574–588.
[60]
Chengyu Song, Chao Zhang, Tielei Wang, Wenke Lee, and David Melski. 2015. Exploiting and Protecting Dynamic Code Generation. In Proceedings of the 22nd Annual Network & Distributed System Security Symposium (NDSS).
[61]
Vivek Thampi. 2014. Udis86 Disassembler Library for x86 / x86-64. http://udis86.sourceforge.net.
[62]
Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, and Pablo G. Bringas. 2015. SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P). 659–673.
[63]
Giovanni Vigna. 2017. When Malware is Packing Heat. LastLine. https://www.lastline.com/labsblog/malware-packing.
[64]
Christina Voskoglou, Jed Stephens, Konstantinos Korakitis, Michael Condon, Richard Muir, and Simon Jones. 2021. State of the Developer Nation: 21st Edition. Technical Report. SlashData.
[65]
Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. 1993. Efficient Software-based Fault Isolation. In Proceedings of the ACM Symposium on Operating System Principles (SOSP). 203–216.
[66]
Fish Wang and Yan Shoshitaishvili. 2017. Angr – The Next Generation of Binary Analysis. In Proceedings of the IEEE Secure Development Conference (SecDev). 8–9.
[67]
Ruoyu Wang, Yan Shoshitaishvili, Antonio Bianchi, Aravind Machiry, John Grosen, Paul Grosen, Christopher Kruegel, and Giovanni Vigna. 2017. Ramblr: Making Reassembly Great Again. In Proceedings of the 24th Annual Network & Distributed System Security Symposium (NDSS).
[68]
Shuai Wang, Pei Wang, and Dinghao Wu. 2015. Reassembleable Disassembling. In Proceedings of the 24th USENIX Security Symposium. 627–642.
[69]
Shuai Wang, Pei Wang, and Dinghao Wu. 2016. UROBOROS: Instrumenting Stripped Binaries with Static Reassembling. In Proceedings of the IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER). 236–247.
[70]
Wenhao Wang, Xiaoyang Xu, and Kevin W. Hamlen. 2017. Object Flow Integrity. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS). 1909–1924.
[71]
Richard Wartell, Vishwath Mohan, Kevin Hamlen, and Zhiqiang Lin. 2012. Securing Untrusted Code Via Compiler-agnostic Binary Rewriting. In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC). 299–308.
[72]
Richard Wartell, Vishwath Mohan, Kevin W. Hamlen, and Zhiqiang Lin. 2012. Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS). 157–168.
[73]
Xiaoyang Xu, Masoud Ghaffarinia, Wenhao Wang, Kevin W Hamlen, and Zhiqiang Lin. 2019. ConFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software. In Proceedings of the 28th USENIX Security Symposium. 1805–1821.
[74]
Carter Yagemann, Matthew Pruett, Simon P. Chung, Kennon Bittick, Brendan Saltaformaggio, and Wenke Lee. 2021. ARCUS: Symbolic Root Cause Analysis of Exploits in Production Systems. In Proceedings of the 30th USENIX Security Symposium. 1989–2006.
[75]
Chao Zhang, Mehrdad Niknami, Kevin Zhijie Chen, Chengyu Song, Zhaofeng Chen, and Dawn Song. 2015. JITScope: Protecting Web Users From Control-flow Hijacking Attacks. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM). 567–575.
[76]
Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, László Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. 2013. Practical Control Flow Integrity and Randomization for Binary Executables. In Proceedings of the 34th IEEE Symposium on Security & Privacy (S&P). 559–573.
[77]
Mingwei Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In Proceedings of the 22nd USENIX Security Symposium. 337–352.
Index Terms
- Renewable Just-In-Time Control-Flow Integrity
Recommendations
Control Flow and Code Integrity for COTS binaries: An Effective Defense Against Real-World ROP Attacks
ACSAC '15: Proceedings of the 31st Annual Computer Security Applications ConferenceDespite decades of sustained effort, memory corruption attacks continue to be one of the most serious security threats faced today. They are highly sought after by attackers, as they provide ultimate control --- the ability to execute arbitrary low-...
Ex-Tmem: Extending Transcendent Memory with Non-volatile Memory for Virtual Machines
HPCC '14: Proceedings of the 2014 IEEE Intl Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC,CSS,ICESS)Virtualization and multicore technology now make Transcendent memory, or Tmem, is a new approach to it possible to consolidate heterogeneous workloads on one physical optimize RAM utilization in a virtual environment where machine. Such consolidation ...
Formally verified software countermeasures for control-flow integrity of smart card C code
AbstractFault attacks can target smart card programs to disrupt an execution and take control of the data or the embedded functionalities. Among all possible attacks, control-flow attacks aim at disrupting the normal execution flow. ...
Comments
Information & Contributors
Information
Published In
October 2023
769 pages
ISBN:9798400707650
DOI:10.1145/3607199
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 16 October 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
Conference
RAID 2023
RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses
October 16 - 18, 2023
Hong Kong, China
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 628Total Downloads
- Downloads (Last 12 months)628
- Downloads (Last 6 weeks)60
Reflects downloads up to 15 Sep 2024
Other Metrics
Citations
View Options
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML FormatGet Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in