COLLATE:控制相关数据的完整性保护

doi:10.19665/j.issn1001-2400.20230106

Abstract

Abstract:

Programs written in C/C++ may contain bugs that can be exploited to subvert the control flow.Existing control-flow hijacking mitigations validate the indirect control-flow transfer targets,or guarantee the integrity of code pointers.However,attackers can still overwrite the dependencies of function pointers,bending indirect control-flow trans-fers(ICTs) to valid but unexpected targets.We introduce the control-related data integrity(COLLATE) to guarantee the integrity of function pointers and their dependencies.The dependencies determine the potential data-flow between function pointers definition and ICTs.The COLLATE identifies function pointers,and collects their dependencies with the inter-procedure static taint analysis.Moreover,the COLLATE allocates control-related data on a hardware-protected memory domain MS to prevent unauthorized modifications.We evaluate the overhead of the COLLATE on SPEC CPU 2006 benchmarks and Nginx.Also,we evaluate its effectiveness on three real-world exploits and one test suite for vtable pointer overwrites.The evaluation results show that the COLLATE successfully detects all attacks,and introduces a 10.2% performance overhead on average for the C/C++ benchmark and 6.8% for Nginx,which is acceptable.Experiments prove that the COLLATE is effective and practical.

Key words: static analysis, network security, control-flow integrity, code pointer integrity

CLC Number:

TP309

DENG Yingchuan,ZHANG Tong,LIU Weijie,WANG Lina. COLLATE:towards the integrity of control-related data[J].Journal of Xidian University, 2023, 50(5): 199-211.

Figures/Tables 5

References 32

[1]	COWAN C, BEATTIE S, JOHANSEN J, et al. PointGuard^TM:Protecting Pointers from Buffer Overflow Vulnerabilities[C]//Proceedings of the 12th USENIX Security Symposium. Berkeley:USENIX, 2003:91-104.
[2]	KUZNETZOV V, SZEKERES L, PAYER M, et al. Code-Pointer Integrity[C]//11th USENIX Symposium on Operating Systems Design and Implementation. Berkeley:USENIX, 2014:147-163.
[3]	LILJESTRAND H, NYMAN T, WANG K, et al. PAC It Up:Towards Pointer Integrity Using ARM Pointer Authentication[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:177-194.
[4]	MASHTIZADEH A J, BITTAU A, BONEH D, et al. CCFI:Cryptographically Enforced Control Flow Integrity[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015:941-951.
[5]	ABADI M, BUDIU M, ERLINGSSON U, et al. Control-Flow Integrity Principles,Implementations,and Applications[C]//Proceedings of the 12th ACM Conference on Computer and Communications Security. New York: ACM, 2005:340-353.
[6]	DING R, QIAN C, SONG C, et al. Efficient Protection of Path-Sensitive Control Security[C]//26th USENIX Security Symposium. Berkeley:USENIX, 2017:131-148.
[7]	FRASSETTO T, JAUERNIG P, KOISSER D, et al. CFINSIGHT:A Comprehensive Metric for CFI Policies[C] //Proceedings of the 2022 Network and Distributed System Security Symposium. San Diego: NDSS, 2022:1-15.
[8]	KHANDAKER M R, LIU W, NASER A, et al. Origin-sensitive Control Flow Integrity[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:195-211.
[9]	LI Y, WANG M, ZHANG C, et al. Finding Cracks in Shields:on the Security of Control Flow Integrity Mechanisms[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020:1821-1835.
[10]	MOHAN V, LARSEN P, BRUNTHALER S, et al. Opaque Control-Flow Integrity[C]//Proceedings of the 2015 Network and Distributed System Security Symposium. San Diego: NDSS, 2015:1-15.
[11]	NIU B, TAN G. Modular Control-Flow Integrity[C]//Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM, 2014:577-587.
[12]	VAN DER VEEN V, ANDRIESSE D, GÖKTAŞ E, et al. Practical Context-Sensitive CFI[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015:927-940.
[13]	ZHANG M, SEKAR R. Control Flow Integrity for COTS Binaries[C]//Proceedings of the 22th USENIX Security Symposium. Berkeley:USENIX, 2013:337-352.
[14]	BUROW N, ZHANG X, PAYER M. SoK:Shining Light on Shadow Stacks[C]//2019 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2019:985-999.
[15]	CARLINI N, BARRESI A, PAYER M, et al. Control-Flow Bending:On the Effectiveness of Control-Flow Integrity[C]//Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX, 2015:161-176.
[16]	BUROW N, MCKEE D, CARR S A, et al. CFIXX:Object Type Integrity for C++[C]//25th Annual Network and Distributed System Security Symposium. San Diego: NDSS, 2018:1-14.
[17]	HU H, QIAN C, YAGEMANN C, et al. Enforcing Unique Code Target Property for Control-Flow Integrity[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018:1470-1486.
[18]	ISMAIL M, YOM J, JELESNIANSKI C, et al. VIP:Safeguard Value Invariant Property for Thwarting Critical Memory Corruption Attacks[C]//Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021:1612-1626.
[19]	XIE M, WU C, ZHANG Y, et al. CETIS:Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022:2989-3002.
[20]	CARLINI N, WAGNER D. ROP is Still Dangerous:Breaking Modern Defenses[C]//Proceedings of the 23rd USENIX Security Symposium. Berkeley:USENIX, 2014:385-399.
[21]	KHANDAKER M, NASER A, LIU W, et al. Adaptive Call-Site Sensitive Control Flow Integrity[C]//2019 IEEE European Symposium on Security and Privacy.Piscataway:IEEE, 2019:95-110.
[22]	EVANS I, FINGERET S, GONZALEZ J, et al. Missing the Point(er):On the Effectiveness of Code Pointer Integrity[C]//2015 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2015:781-796.
[23]	LILJESTRAND H, NYMAN T, GUNN L J, et al. PACStack:an Authenticated Call Stack[C]//30th USENIX Security Symposium. Berkeley:USENIX, 2021:357-374.
[24]	LI Y, TAN W, LV Z, et al. PACMem:Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022:1901-1915.
[25]	ZIAD M T I, ARROYO M A, MANZHOSOV E, et al. ZeRØ:Zero-Overhead Resilient Operation Under Pointer Integrity Attacks[C]//48th Annual International Symposium on Computer Architecture. Piscataway:IEEE, 2021:999-1012.
[26]	PROSKURIN S, MOMEU M, GHAVAMNIA S, et al. xMP:Selective Memory Protection for Kernel and User Space[C]//2020 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2020:563-577.
[27]	HEDAYATI M, GRAVANI S, JOHNSON E, et al. Hodor:Intra-Process Isolation for High-Throughput Data Plane Libraries[C]//2019 USENIX Annual Technical Conference.Berkeley:USENIX, 2019:489-503.
[28]	VAHLDIEK-OBERWAGNER A, ELNIKETY E, DUARTE N O, et al. ERIM:Secure,Efficient In-process Isolation with Protection Keys[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:1221-1238.
[29]	JIN X, XIAO X, JIA S, et al. Annotating,Tracking,and Protecting Cryptographic Secrets with CryptoMPK[C]//43rd IEEE Symposium on Security and Privacy. Piscataway:IEEE, 2022:650-665.
[30]	MILBURN A, VAN DER KOUWE E, GIUFFRIDA C. Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation[C]//43rd IEEE Symposium on Security and Privacy. Piscataway:IEEE, 2022:1049-1065.
[31]	KIRTH P, DICKERSON M, CRANE S, et al. PKRU-Safe:Automatically Locking Down the Heap Between Safe and Unsafe Languages[C]//EuroSys’22:Seventeenth European Conference on Computer Systems. New York: ACM, 2022:132-148.
[32]	SCHRAMMEL D, WEISER S, SADEK R, et al. Jenny:Securing Syscalls for PKU-based Memory Isolation Systems[C]//31st USENIX Security Symposium. Berkeley:USENIX, 2022:936-952.

benchmark	ICTs	插桩指令		FN_protected		CRD
benchmark	ICTs	CPI	COLLATE	CPI	COLLATE	CRD
bzip2	53	498	1 596	4	15	43
mcf	0	85	0	1	0	0
gobmk	46	7 626	185	222	6	55
hmmer	13	6 380	102	22	10	21
sjeng	1	707	107	18	0	2
libquantum	0	156	0	2	0	0
h264ref	354	4 219	96	42	11	146
milc	4	2 414	0	25	35	52
lbm	0	76	0	1	0	0
sphinx3	8	6 997	697	17	20	50
Nginx	332	13 284	7 753	212	173	229

COLLATE:towards the integrity of control-related data

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 32

Related Articles 15

Metrics

Comments

Recommended 10

[1]	ZHU Guangming,LU Zijie,FENG Jiawei,ZHANG Xiangdong,ZHANG Fengjun,NIU Zuoyuan,ZHANG Liang. Cause-effectgraph enhanced APT attack detection algorithm [J]. Journal of Xidian University, 2023, 50(5): 107-117.
[2]	LIU Huayuan,SU Yunfei,LI Ruilin,TANG Chaojing. Structure-statebased graybox Fuzzing technique [J]. Journal of Xidian University, 2021, 48(1): 117-123.
[3]	LI Teng,CAO Shijie,YIN Siwei,WEI Dawei,MA Xindi,MA Jianfeng. Optimal method for the generation of the attack path based on the Q-learning decision [J]. Journal of Xidian University, 2021, 48(1): 160-167.
[4]	YANG Hongyu,ZENG Renyun. Method for assessment of network security situation with deep learning [J]. Journal of Xidian University, 2021, 48(1): 183-190.
[5]	HUANG Yuming,MA Jianfeng,LIU Zhiquan,FENG Bingwen,WEI Kaimin. Rule-based automatic program repair method [J]. Journal of Xidian University, 2020, 47(4): 117-123.
[6]	YANG Hongyu,ZHANG Xugao. Network security situation adaptive prediction model [J]. Journal of Xidian University, 2020, 47(3): 14-22.
[7]	HUANG Yuming,MA Jianfeng,LIU Zhiquan,WEI Kaimin,FENG Bingwen. Security risk scenarios and solutions in automatic program repair [J]. Journal of Xidian University, 2019, 46(6): 147-154.
[8]	YANG Baowang. Low-rate-denial-of-service attack detection by symbolic dynamics method [J]. Journal of Xidian University, 2018, 45(1): 140-144.
[9]	LIANG Hongquan;WU Wei. Secure link status routing protocol based on node trustworthiness [J]. Journal of Xidian University, 2016, 43(5): 121-127.
[10]	WANG Jindong;YU Dingkun;ZHANG Hengwei;WANG Na. Active defense strategy selection based on the static Bayesian game [J]. J4, 2016, 43(1): 144-150.
[11]	SU Zijian;LIANG Changhong;LI Long;ZHAI Huiqing. Improved quasi-static effective medium model of the electromagnetic band gap (EBG) high-impedance surface [J]. J4, 2015, 42(5): 92-97.
[12]	WANG Zhiqiang;ZHANG Yuqing;LIU Qixu;HUANG Tingpei. Algorithm for discovering SNMP protocol vulnerability [J]. J4, 2015, 42(4): 20-26+40.
[13]	GUO Jingjing;MA Jianfeng. Trust recommendation algorithm for the virtual community based Internet of Things(IoT) [J]. J4, 2015, 42(2): 52-57+179.
[14]	FAN Yesen;LI Tuanjie;MA Xiaofei;LI Zhengjun. Form-finding method of equal tension cable networks for space mesh antennas [J]. J4, 2015, 42(1): 49-55.
[15]	WANG Yichuan;MA Jianfeng;LU Di;ZHANG Liumei;MENG Xianjia. Cloud droplets freezing attack in cloud computing [J]. J4, 2014, 41(3): 116-122.