Transcript of "Preventing control-flow hijacks with Code Pointer Integrity" (slides: seclab.cs.sunysb.edu/lszekeres/Talks/Szekeres-2014-THREADS.pdf)

Page 1
Preventing control-flow hijacks with Code Pointer Integrity
László Szekeres
Stony Brook University
Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song
Page 2
Problem
• C/C++ is unsafe and unavoidable today
• All of our systems have C/C++ parts
• All of them have exploitable vulnerabilities
• They all can be compromised
Page 3
Control-flow hijack attack [Eternal War in Memory, IEEE S&P '13]
(attack-model diagram; its steps read top to bottom)
Make pointer out-of-bounds / Make pointer dangling
Use pointer to write / Use pointer to read
Modify a code pointer ...
... to target code address
Use pointer by indir. call/jmp / Use pointer by ret instruction
Execute injected code / Exec. gadgets or functions
Control-flow hijack
Pages 4-13
Control-flow hijack defenses [Eternal War in Memory, IEEE S&P '13]
(the same attack-model diagram as page 3, with the defenses overlaid one per build, in this order: DEP, Cookies, CFI, ASLR, Memory Safety, Code Pointer Integrity)
Page 13 then asks: Code Pointer Integrity?
Page 14
Code Pointer Integrity
• Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song
• It prevents all control-flow hijacks
• It has only 8% runtime overhead on average
[OSDI ’14]
Pages 15-18
Outline
Safe Stack
Code Pointer Separation
Code Pointer Integrity
Page 19
Safe Stack: Enforcing the integrity of return addresses
Pages 20-22
Integrity of return addresses
(stack frame diagram; labels: int i (local variable), saved %ebp (base pointer), saved %eip (ret. address), func call argument, char buff[16])
Page 22 adds the write p[idx]=val; on the buffer, which with an out-of-bounds idx reaches the saved return address.
Page 23
Stack cookies
(two stack frame diagrams side by side; both hold int i (local variable), saved %ebp (base pointer), saved %eip (ret. address), func call argument and char buff[16]; the right-hand one adds a RANDOM CANARY between char buff[16] and the saved registers)
Shadow stack
...
int i(local variable)
saved %ebp #2(base pointer)
saved %eip #2(ret. address.)
func call argument
...
...
...
...
saved %eip #0(ret. address.)
...
char buff[16]
saved %ebp #0(base pointer)
saved %eip #1(ret. address.)
saved %ebp #1(base pointer)
saved %eip #2(ret. address.)
saved %ebp #2(base pointer)
Stack Shadow stack
![Page 25: with Code Pointer Integrityseclab.cs.sunysb.edu/lszekeres/Talks/Szekeres-2014-THREADS.pdf · Preventing control-flow hijacks with Code Pointer Integrity László Szekeres Stony Brook](https://reader036.fdocuments.net/reader036/viewer/2022071215/60466d063bfd3b1c9871a397/html5/thumbnails/25.jpg)
Protected region
Shadow stack
...
int i(local variable)
saved %ebp #2(base pointer)
saved %eip #2(ret. address.)
func call argument
...
...
...
...
saved %eip #0(ret. address.)
...
char buff[16]
saved %ebp #0(base pointer)
saved %eip #1(ret. address.)
saved %ebp #1(base pointer)
saved %eip #2(ret. address.)
saved %ebp #2(base pointer)
Stack Shadow stack
Page 26
Safe Stack
(diagram: the Safe stack (original stack), marked Protected region, keeps int i (local variable), saved %ebp (base pointer), saved %eip (ret. address) and func call argument; char buff[16] is moved to the Unsafe stack)
Page 27
Protecting the Safe Stack
x86-32, Regular Data Segment: movl $42, %ds:(%eax)
x86-32, Safe Stack Segment: movl $42, %ss:(%esp)
x86-64, Safe Stack Segment: movl $42, (%rsp)
Page 28
How effective is the Safe Stack?
• Strictly stronger protection than stack cookies or shadow stack
• Only the Safe Stack provides guaranteed protection against return address corruption
• Stops all ROP attacks alone!
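As an added example, not code from the deck or from Levee, the following C program models the split shown on pages 26-27: the frame with the saved return address and the provably safe local `int i` stay on the native stack, while the address-taken `char buff[16]` is taken from a separate region (the unsafe stack) behind a guard page. The real Safe Stack is a compiler pass (Levee's `-fsafe-stack`, later upstreamed to clang as `-fsanitize=safe-stack`) that makes this decision per variable; here the decision is made by hand, and the names `unsafe_stack_init`, `unsafe_alloc`, `demo_frame` and `safe_stack_demo` belong to this example only. It assumes a POSIX system with `mmap`/`mprotect` and a gcc- or clang-compatible compiler for `__builtin_frame_address`.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-built model of the Safe Stack split (added example, not Levee's code). A compiler
 * pass normally decides which locals leave the native stack; here the "unsafe stack" is a
 * separate mmap'ed region with a guard page below it, and the frame takes its char buffer
 * from that region by hand. */

#define UNSAFE_STACK_SIZE (64 * 1024)

static uint8_t *unsafe_base;  /* lowest usable address of the unsafe stack */
static uint8_t *unsafe_sp;    /* unsafe stack pointer; grows downwards like the real one */

static int unsafe_stack_init(void) {
    if (unsafe_base) return 0;  /* already set up */
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *region = mmap(NULL, UNSAFE_STACK_SIZE + (size_t)page, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    /* Guard page below the region: a runaway downward write faults instead of spilling. */
    if (mprotect(region, (size_t)page, PROT_NONE) != 0) return -1;
    unsafe_base = region + page;
    unsafe_sp = unsafe_base + UNSAFE_STACK_SIZE;
    return 0;
}

static void *unsafe_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;  /* keep 16-byte alignment */
    if ((size_t)(unsafe_sp - unsafe_base) < n) return NULL;
    unsafe_sp -= n;
    return unsafe_sp;
}

static void unsafe_free(size_t n) { unsafe_sp += (n + 15) & ~(size_t)15; }

static int in_unsafe_stack(const void *p) {
    const uint8_t *q = p;
    return unsafe_base && q >= unsafe_base && q < unsafe_base + UNSAFE_STACK_SIZE;
}

struct frame_report {
    int frame_on_unsafe_stack;   /* the frame holding the return address; expect 0 */
    int buffer_on_unsafe_stack;  /* the address-taken char buffer; expect 1 */
    int neighbor_clobbered;      /* the overflow's damage stays inside the unsafe stack */
    int local_after_write;       /* the provably safe local i; expect 7 */
};

/* Mirrors the frame on pages 20-26: a safe local int i and an unsafe char buff[16]. */
static struct frame_report demo_frame(void) {
    struct frame_report r = {0};
    int i = 7;                            /* never address-taken: stays on the native stack */
    char *neighbor = unsafe_alloc(16);    /* an older unsafe-stack object, just above buff */
    char *buff = unsafe_alloc(16);        /* its address escapes to memset: unsafe stack */
    memset(neighbor, 0, 16);
    memset(buff, 'A', 24);                /* 8 bytes too many: runs up into neighbor only */
    r.frame_on_unsafe_stack = in_unsafe_stack(__builtin_frame_address(0));
    r.buffer_on_unsafe_stack = in_unsafe_stack(buff);
    r.neighbor_clobbered = (neighbor[0] == 'A');
    r.local_after_write = i;
    unsafe_free(32);
    return r;
}

/* 1 if the split holds as the slides describe, 0 if not, -1 if the region could not be mapped. */
static int safe_stack_demo(void) {
    if (unsafe_stack_init() != 0) return -1;
    struct frame_report r = demo_frame();
    return r.buffer_on_unsafe_stack && !r.frame_on_unsafe_stack &&
           r.neighbor_clobbered && r.local_after_write == 7;
}

int main(void) {
    printf("safe stack split holds: %d\n", safe_stack_demo());
    return 0;
}
```

The point the model makes is the one on page 28: an overflow of `buff` can only damage other objects on the unsafe stack (here `neighbor`), never the saved return address, because the two live in different regions. What the model does not show is the second half of the real design, where the safe region is made unreachable to arbitrary writes (segmentation on x86-32, as on page 27); a guard page only catches writes that run off the bottom of the region.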
Pages 29-30
Safe Stack overhead
(bar chart of performance overhead per SPEC 2006 Benchmark, y-axis -5.00% to 5.00%: 400_perlbench (C), 401_bzip2 (C), 403_gcc (C), 429_mcf (C), 445_gobmk (C), 456_hmmer (C), 458_sjeng (C), 462_libquantum (C), 464_h264ref (C), 471_omnetpp (C++), 473_astar (C++), 483_xalancbmk (C++), 433_milc (C), 444_namd (C++), 447_dealII (C++), 450_soplex (C++), 453_povray (C++), 470_lbm (C), 482_sphinx3 (C); 0% avg.)
(page 30: the same chart with the "Perf. overhead" axis rescaled to 0% .. 10%)
Page 31
Code Pointer Separation: Protecting function pointers
Pages 32-34
Integrity of function pointers
(Heap diagram with the fields func_ptr, int, int_ptr and a buffer laid out next to each other; page 34 adds the write p[idx]=val; on the buffer, which with an out-of-bounds idx reaches func_ptr)
Page 35
Code Pointer Separation (CPS)
(diagram: the Heap keeps int, int_ptr and the buffer; func_ptr is moved into the Safe Pointer Store, a Protected region)
Page 36
Code Pointer Separation (CPS)
(diagram: Heap with data_ptr and the buffer; Safe Pointer Store (Protected region) with func_ptr; Safe stack (original stack) (Protected region) with int i (local variable), saved %ebp (base pointer), saved %eip (ret. address) and func call argument; Unsafe stack with char buff[8])
Page 37
Protecting the Safe Pointer Store
x86-32, Regular Data Segment: movl $42, %ds:(%eax)
x86-32, Safe Stack Segment: movl $42, %ss:(%esp)
x86-32, Safe Pointer Store Segment: movl $42, %gs:(%eax)
x86-64, Safe Stack Segment: movl $42, (%rsp)
x86-64, Safe Pointer Store Segment: movl $42, %fs:(%rax)
Pages 38-39
How effective is CPS?
(diagram: obj->func(); the func field of obj points to do_good(); do_bad() is the other function shown)
Page 40
CPS vs. CFI
Calls can go to
  CFI: any function whose address is taken
  CPS: any function whose address is taken and stored in memory at the current point of execution
Returns can go to
  CFI: any call site
  CPS: only their actual caller
CFI attacks: Göktaş et al., IEEE S&P '14; Göktaş et al., Usenix Sec '14; Davi et al., Usenix Sec '14; Carlini et al., Usenix Sec '14
Practical CFI solutions: Classic CFI, CCS '05; CCFIR, IEEE S&P '13; binCFI, Usenix Sec '13; kBouncer, Usenix Sec '13
Page 41
CPS overhead
(bar chart of performance overhead per SPEC 2006 Benchmark, y-axis -5.00% to 20.00%: 400_perlbench (C), 401_bzip2 (C), 403_gcc (C), 429_mcf (C), 445_gobmk (C), 456_hmmer (C), 458_sjeng (C), 462_libquantum (C), 464_h264ref (C), 471_omnetpp (C++), 473_astar (C++), 483_xalancbmk (C++), 433_milc (C), 444_namd (C++), 447_dealII (C++), 450_soplex (C++), 453_povray (C++), 470_lbm (C), 482_sphinx3 (C); 2% avg.)
Page 42
Code Pointer Integrity: Guaranteed protection of all code pointers
Pages 43-45
Issue #1: pointer coverage
(diagram: obj->func(); obj -> func -> do_good(), with do_bad() as the other function shown)
Pages 46-47
Issue #2: spatial safety
(diagram: obj=&objs[idx]; obj->func(); objs is an array of objects whose func pointers target do_good() and do_well(); an out-of-range +idx lands on do_bad())
Pages 48-50
Issue #3: temporal safety
(diagram: delete obj; … obj->func(); obj's func targeted do_good(); after the delete, the dangling obj can resolve to do_bad())
Pages 51-54
CPS → Code Pointer Integrity
(Safe Pointer Store diagram, Protected region, built up over four slides)
Page 51: the heap object holds obj_ptr, int, func_ptr, int_ptr and buf; only func_ptr is in the Safe Pointer Store.
Page 52, Issue #1: pointer coverage: obj_ptr is moved into the Safe Pointer Store as well.
Page 53, Issue #2: spatial safety: each store entry gains lower_bound and upper_bound.
Page 54, Issue #3: temporal safety: each store entry gains a uid.
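The following C program is an added example, not Levee's implementation, that models the metadata built up on pages 51-54 and exercises it against the three issues of pages 43-50: every sensitive pointer (a code pointer, or a pointer to an object that holds one) gets a store entry with value, lower_bound, upper_bound and uid, keyed by the address the pointer is stored at, and an instrumented call reads obj and obj->func from the store rather than from regular memory. The names `cpi_store`, `cpi_check`, `cpi_call`, `track_obj`, `track_code_ptr`, `demo_spatial` and `demo_heap` are this example's own; the real system instruments loads and stores in the compiler and keeps the store in a segment-protected region (page 37), whereas this toy keeps it in a plain array and performs the "instrumentation" by hand. The struct field names and the functions do_good/do_bad follow the slides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy model of the CPI Safe Pointer Store on pages 51-54 (added example, not Levee's code).
 * A sensitive pointer (a code pointer, or a pointer to an object holding one) gets an entry
 * keyed by the address it is stored at, with value, lower_bound, upper_bound and the uid of
 * the allocation it points into. The copy in regular memory is never trusted on a load. */

typedef void (*handler_fn)(void);
struct obj { int tag; handler_fn func; };   /* contains a code pointer: obj pointers are sensitive */

struct spi_entry {                 /* one record per sensitive pointer, keyed by loc */
    const void *loc; uintptr_t value, lower, upper; uint64_t uid; bool used;
};
#define SPI_SLOTS 32
#define MAX_UIDS  64
#define CODE_UID  0                  /* code is never freed: uid 0 stays live */
static struct spi_entry spi[SPI_SLOTS];
static bool uid_live[MAX_UIDS] = { [CODE_UID] = true };
static uint64_t next_uid = 1;

static uint64_t cpi_alloc(void) { uint64_t u = next_uid++; if (u < MAX_UIDS) uid_live[u] = true; return u; }
static void cpi_free(uint64_t uid) { if (uid < MAX_UIDS) uid_live[uid] = false; }

static struct spi_entry *spi_find(const void *loc) {
    for (int i = 0; i < SPI_SLOTS; i++)
        if (spi[i].used && spi[i].loc == loc) return &spi[i];
    return NULL;
}

/* Instrumented store of a sensitive pointer: value and metadata go into the safe store. */
static int cpi_store(const void *loc, uintptr_t value, uintptr_t lower, uintptr_t upper, uint64_t uid) {
    struct spi_entry *e = spi_find(loc);
    for (int i = 0; !e && i < SPI_SLOTS; i++) if (!spi[i].used) e = &spi[i];
    if (!e) return -1;
    *e = (struct spi_entry){ loc, value, lower, upper, uid, true };
    return 0;
}

enum cpi_verdict { CPI_OK, CPI_UNTRACKED, CPI_OUT_OF_BOUNDS, CPI_DANGLING };
/* Instrumented load of the sensitive pointer at loc before accessing size bytes through it.
 * Spatial: [value, value+size) inside [lower, upper]. Temporal: the target is still live. */
static enum cpi_verdict cpi_check(const void *loc, size_t size, uintptr_t *out) {
    const struct spi_entry *e = spi_find(loc);
    if (!e) return CPI_UNTRACKED;
    if (e->value < e->lower || e->value > e->upper || e->upper - e->value < size) return CPI_OUT_OF_BOUNDS;
    if (e->uid >= MAX_UIDS || !uid_live[e->uid]) return CPI_DANGLING;
    *out = e->value;
    return CPI_OK;
}

static int good_calls, bad_calls;
static void do_good(void) { good_calls++; }
static void do_bad(void)  { bad_calls++; }

/* obj = target, where target lies in the allocation [lo, hi) with identity uid (Issue #1). */
static void track_obj(struct obj **obj_loc, struct obj *target, struct obj *lo, struct obj *hi, uint64_t uid) {
    *obj_loc = target;
    cpi_store(obj_loc, (uintptr_t)target, (uintptr_t)lo, (uintptr_t)hi, uid);
}
/* Store of a code pointer: its bounds collapse to the value itself and it never expires. */
static void track_code_ptr(handler_fn *loc, handler_fn fn) {
    *loc = fn;
    cpi_store(loc, (uintptr_t)fn, (uintptr_t)fn, (uintptr_t)fn, CODE_UID);
}

/* obj->func() the CPI way: obj, then obj->func, are both loaded through the store. */
static enum cpi_verdict cpi_call(struct obj **obj_loc) {
    uintptr_t o, fn;
    enum cpi_verdict v = cpi_check(obj_loc, sizeof(struct obj), &o);
    if (v != CPI_OK) return v;
    v = cpi_check(&((struct obj *)o)->func, 0, &fn);
    if (v != CPI_OK) return v;
    ((handler_fn)fn)();
    return CPI_OK;
}

/* Issue #2: obj = &objs[idx]; obj->func();  idx 0 and 1 are inside objs, 2 is one past it. */
static enum cpi_verdict demo_spatial(int idx) {
    struct obj objs[2];
    struct obj *obj; uint64_t uid = cpi_alloc();
    for (int k = 0; k < 2; k++) track_code_ptr(&objs[k].func, do_good);
    track_obj(&obj, &objs[idx], objs, objs + 2, uid);   /* bounds propagate from objs */
    enum cpi_verdict v = cpi_call(&obj);
    cpi_free(uid);
    return v;
}

/* Issues #1 and #3 on a heap object. corrupt: an uninstrumented write (the slides' p[idx]=val)
 * flips the regular copy of func to do_bad. deleted: delete obj; ran before the call. */
static enum cpi_verdict demo_heap(bool corrupt, bool deleted) {
    static struct obj heap_obj;                 /* stands in for a heap allocation */
    struct obj *obj; uint64_t uid = cpi_alloc();
    track_code_ptr(&heap_obj.func, do_good);
    track_obj(&obj, &heap_obj, &heap_obj, &heap_obj + 1, uid);
    if (corrupt) heap_obj.func = do_bad;        /* the store entry is untouched */
    if (deleted) cpi_free(uid);
    enum cpi_verdict v = cpi_call(&obj);
    if (!deleted) cpi_free(uid);
    return v;
}
```

Three things to observe when running it: `demo_spatial(2)` is refused with `CPI_OUT_OF_BOUNDS` before any dereference because the bounds of `objs` travelled with `obj` (page 53); `demo_heap(false, true)` is refused with `CPI_DANGLING` because the uid died with the allocation (page 54); and `demo_heap(true, false)` still runs `do_good`, since the instrumented load ignores the corrupted copy in regular memory and `bad_calls` stays at zero. In the real system the same three checks are emitted by the compiler and the store itself is unreachable to uninstrumented writes; in this toy the array `spi` is ordinary memory, which is exactly the gap the protected region on page 37 closes.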
Page 55
CPI overhead
(bar chart of performance overhead per SPEC 2006 Benchmark, y-axis -10.00% to 50.00%: 400_perlbench (C), 401_bzip2 (C), 403_gcc (C), 429_mcf (C), 445_gobmk (C), 456_hmmer (C), 458_sjeng (C), 462_libquantum (C), 464_h264ref (C), 471_omnetpp (C++), 473_astar (C++), 483_xalancbmk (C++), 433_milc (C), 444_namd (C++), 447_dealII (C++), 450_soplex (C++), 453_povray (C++), 470_lbm (C), 482_sphinx3 (C); 8% avg.)
Page 56
Implementation and case studies
Page 57
Levee in LLVM/Clang
clang -fsafe-stack
clang -fcps
clang -fcpi
Get the prototype from: http://levee.epfl.ch
Page 58
Control-flow hijack protected FreeBSD
• Complete FreeBSD distribution (modulo kernel)
• >100 extra packages
Pages 59-62
Summary
Safe Stack: 0% avg.
Code Pointer Separation: 2% avg.
Code Pointer Integrity: 8% avg.
Page 63
Thank you!
Questions?