Weiyi Wang,Lang Feng,Zhiguo Shi,Cheng Zhuo,Jiming Chen

DOI: https://doi.org/10.23919/date58400.2024.10546789

2024-01-01

Abstract:Internet of Things (IoT) devices face an escalating threat from code reuse attacks (CRAs) as they can reuse existing code for malicious purpose. Thus a practical cost-effective Control-Flow Integrity (CFI) mechanism for IoT devices is urgently needed. However, existing CFI solutions suffer from impractical-ities, including high performance overhead and a heavy reliance on offline perfect Control-Flow Graph (CFG) generation. To tackle these challenges, we propose a fine-grained dependable CFI scheme for IoT devices that real-time updates the CFG of devices. We evaluate the implementation on RISC-V architectures and the results show that our CFI scheme provides both backward- and forward-edge protection with almost no performance overhead in the case of fixed CFG, negligible power overhead, and low hardware overhead. Compared to the current hardware-assisted CFI designs, our design eliminates the dependence on the offline perfect CFG generation and performs real-time CFG updating for better practicality.

Zhijiao Zhang,Yashuai Lü,Yu Chen,Yongqiang Lu,Yuanchun Shi

DOI: https://doi.org/10.1007/978-3-319-18467-8_29

2015-01-01

Abstract:Recently, code-reuse attack (CRA) is becoming the most prevalent attack vector which reuses fragments of existing code to make up malicious code. Recent studies show that CRAs especially jump-oriented programming (JOP) attacks are hard and costly to detect and protect from, especially on CISC processors. One reason for this is that the instructions of CISC architecture are of variable-length, and lots of unintended but legal instructions can be exploited by starting from in the middle of a legal instruction. This feature of CISC architectures makes the finding of so called gadgets for CRAs is much easier than that of RISC architectures. Most of previous studies for mitigating CRA on CISC processors rely on software-only means to tackle the unintended instruction problem, which makes their approaches either very costly or can only be applied under restricted conditions. In this paper, we propose two hardware supported techniques. The first, which is the main contribution of this paper, is to eliminate the execution of an unintended instruction. This technique only requires a few modifications to the processor and operating system. Furthermore, the proposed mechanism has little performance impact on the examined SPEC CPU 2006 benchmarks (-0.093% similar to 2.993%). Second, we propose using hardware control-flow locking as a complementary technique to our protection mechanism. By using the two techniques together, an attacker will have little chance to carry out CRAs on a CISC processor.

Yang Li,Zi-bin Dai,Jun-wei Li

DOI: https://doi.org/10.12783/dtcse/ccnt2018/24682

2018-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:A full-process tag inspection system was designed and experimentally verified. This system based on RISC processors can defend code reuse attacks, as well as prevent high overhead caused by the implementation of software fine-grained control flow integrity technology. By extending memory tag, adding special memory-access instructions and setting up security rules, this design achieves hardware-based fine-grained control flow integrity, which can defend against attacks of ROP, JOP and COOP. The experimental measurement have been performed to validate that this design has effective effect on defending CRA with low overhead, which is evaluated on the RISC-V platform.

Jiliang Zhang,Binhang Qi,Gang Qu

DOI: https://doi.org/10.1109/JIOT.2018.2866164

2018-09-19

Abstract:Recently, code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP), have emerged as a new class of ingenious security threatens. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Many defenses, classed into software-based and hardware-based, have been proposed. However, software-based methods are difficult to be deployed in practical systems due to high performance overhead. Hardware-based methods can reduce performance overhead but may require extending instruction set architectures (ISAs) and modifying compiler or suffer the vulnerability of key leakage. To tackle these issues, this paper proposes a new hardware-based control flow checking method to resist CRAs with negligible performance overhead without extending ISAs, modifying compiler and leaking the encryption/decryption key. The key technique involves two control flow checking mechanisms. The first one is the encrypted Hamming distances (EHDs) matching between the physical unclonable function (PUF) response and the return addresses, which prevents attackers from returning between gadgets so long as the PUF response is secret, thus resisting ROP attacks. The second one is the liner encryption/decryption operation (XOR) between PUF response and the instructions at target addresses of call and jmp instructions to defeat JOP attacks. Advanced return-based full-function reuse attacks will be prevented with the dynamic key-updating method. Experimental evaluations on benchmarks demonstrate that the proposed method introduces negligible 0.95% run-time overhead and 0.78% binary size overhead on average.

Cryptography and Security,Hardware Architecture

Jianhao Xu,Luca Di Bartolomeo,Flavio Toffalini,Bing Mao,Mathias Payer

DOI: https://doi.org/10.1109/SP46215.2023.10179433

2023-01-01

Abstract:Code-reuse attacks are dangerous threats that attracted the attention of the security community for years. These attacks aim at corrupting important control-flow transfers for taking control of a process without injecting code. Nowadays, the combinations of multiple mitigations (e.g., ASLR, DEP, and CFI) drastically reduced this attack surface, making running code-reuse exploits more challenging. Unfortunately, security mitigations are combined with compiler optimizations, that do not distinguish between securityrelated and application code. Blindly deploying code optimizations over code-reuse mitigations may undermine their security guarantees. For instance, compilers may introduce doublefetch vulnerabilities that lead to concurrency issues such as Time-Of-Check to Time-Of-Use (TOCTTOU) attacks. In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass codereuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the last version of Firefox. Additionally, we propose a lightweight analysis to locate vulnerable double-fetch code (with 3% false positives) and conduct research over six popular applications, five operating systems, and four architectures (32 and 64 bits) to study the diffusion of this threat. Moreover, we study the implication of our attack against six CFI implementations. Finally, we investigate possible research lines for addressing this threat and propose practical solutions to be deployed in existing projects.

Yi Zhuang,Tao Zheng,Zhitian Lin

2014-01-01

Abstract:Fine-grained address space layout randomization has recently been proposed as a method of efficiently mitigating ROP attacks. In this paper, we introduce a design and implementation of a framework based on a runtime strategy that undermines the benefits of fine-grained ASLR. Specifically, we abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover gadgets and construct the desired exploit payload, and finish our goals by using virtual function call mechanism—all with a script environment at the time an exploit is launched. We demonstrate the effectiveness of our framework by using it in conjunction with a real-world exploit against Internet Explorer and other applications protected by fine-grained ASLR. Moreover, we provide evaluations that demonstrate the practicality of run-time code reuse attacks. Our work shows that such a framework is effective and fine-grained ASLR may not be as promising as first thought. Keywords-code reuse; security; dynamic; fine-grained ASLR

Ping Chen,Jun Xu,Jun Wang,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1507.02786

2015-07-10

Abstract:Fine-grained Address Space Randomization has been considered as an effective protection against code reuse attacks such as ROP/JOP. However, it only employs a one-time randomization, and such a limitation has been exploited by recent just-in-time ROP and side channel ROP, which collect gadgets on-the-fly and dynamically compile them for malicious purposes. To defeat these advanced code reuse attacks, we propose a new defense principle: instantly obsoleting the address-code associations. We have initialized this principle with a novel technique called virtual space page table remapping and implemented the technique in a system CHAMELEON. CHAMELEON periodically re-randomizes the locations of code pages on-the-fly. A set of techniques are proposed to achieve our goal, including iterative instrumentation that instruments a to-be-protected binary program to generate a re-randomization compatible binary, runtime virtual page shuffling, and function reordering and instruction rearranging optimizations. We have tested CHAMELEON with over a hundred binary programs. Our experiments show that CHAMELEON can defeat all of our tested exploits by both preventing the exploit from gathering sufficient gadgets, and blocking the gadgets execution. Regarding the interval of our re-randomization, it is a parameter and can be set as short as 100ms, 10ms or 1ms. The experiment results show that CHAMELEON introduces on average 11.1%, 12.1% and 12.9% performance overhead for these parameters, respectively.

Cryptography and Security

Zhenliang An,Weike Wang,Wenxin Li,Senyang Li,Dexue Zhang

DOI: https://doi.org/10.3390/mi14081525

IF: 3.4

2023-07-30

Micromachines

Abstract:The growing prevalence of embedded systems in various applications has raised concerns about their vulnerability to malicious code reuse attacks. Current software-based and hardware-assisted security techniques struggle to detect or block these attacks with minor performance and implementation overhead. To address this issue, this paper presents a lightweight hardware-assisted scheme to enhance the security of embedded systems against code reuse attacks. We develop an on-chip lightweight hardware shadow stack to validate target addresses at runtime for backward-edge control flow integrity, which backs up valid return addresses during function calls and automatically verifies actual return addresses during the return phase. Additionally, we propose a lightweight stream cipher circuit that encrypts and decrypts critical stack data related to control flow manipulation, preventing attackers from analyzing or tampering with them. When designing and implementing the security mechanism for embedded systems, we fully consider the constraints of limited system resources and performance, optimizing both the architecture design and implementation of the proposed hardware. Finally, we integrate both the proposed lightweight hardware shadow stack and the runtime data encryption hardware into the OR1200 processor. We have verified the system security function on the Terasic DE1-SoC FPGA platform and evaluated the system performance as well as implementation overhead. The results show that the proposed lightweight hardware-assisted scheme can provide a dedicated defense capability against code reuse attacks for embedded systems, with an average system performance overhead of 0.39% and an area footprint of 0.316 mm2.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Xiaoqi Song,Wenjie Lv,Haipeng Qu,Lingyun Ying

2023-03-22

Abstract:Code-reuse attacks have become a kind of common attack method, in which attackers use the existing code in the program to hijack the control flow. Most existing defenses focus on control flow integrity (CFI), code randomization, and software debloating. However, most fine-grained schemes of those that ensure such high security suffer from significant performance overhead, and only reduce attack surfaces such as software debloating can not defend against code-reuse attacks completely. In this paper, from the perspective of shrinking the available code space at runtime, we propose LoadLord, which dynamically loads, and timely unloads functions during program running to defend against code-reuse attacks. LoadLord can reduce the number of gadgets in memory, especially high-risk gadgets. Moreover, LoadLord ensures the control flow integrity of the loading process and breaks the necessary conditions to build a gadget chain. We implemented LoadLord on Linux operating system and experimented that when limiting only 1/16 of the original function. As a result, LoadLord can defend against code-reuse attacks and has an average runtime overhead of 1.7% on the SPEC CPU 2006, reducing gadgets by 94.02%.

Cryptography and Security

Andreas Follner,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.1504.02288

2015-04-09

Abstract:Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks by both monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

Cryptography and Security

Pengfei Qiu,Yongqiang Lyu,Jiliang Zhang,Xingwei Wang,Di Zhai,Dongsheng Wang,Gang Qu

DOI: https://doi.org/10.1145/2897937.2898061

2016-01-01

Abstract:Recently, code reuse attacks (CRAs) have emerged as a new class of ingenious security threatens. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Existing defenses against CRAs often incur high memory and performance overheads or require extending the existing processors' instruction set architectures (ISAs). To tackle these issues, we propose a hardware-based control flow integrity (CFI) that employs physical unclonable functions (PUF)-based linear encryption architecture (LEA) to protect against CRAs with negligible hardware extending and run time overheads. The proposed method can protect ret and indirect jmp instructions from return oriented programming (ROP) and jump oriented programming (JOP) without any additional software manipulations and extending ISAs. The pre-process will be conducted on codes once the executable binary is loaded into memory, and the real-time control flow verification based on LEA can be done while ret and jmp instructions are executed. Performance evaluations on benchmarks show that the proposed method only introduces 0.61% run-time overhead and 0.63% memory overhead on average.

Tianning Zhang,Miao Cai,Diming Zhang,Hao Huang

DOI: https://doi.org/10.1109/TrustCom50675.2020.00045

2020-01-01

Abstract:Recently, many effective defensive methods (e.g., ASLR, execute-only-memory) have been proposed to defeat the code reuse attack in the software system. These approaches provide strong system protection through address randomization or memory access restriction. However, this paper identifies a new weak point in these approaches, i.e., missing time protection. We propose a new attack method called timing function attack, which can initiate a code reuse attack even against the state-of-the-art defense techniques. Previous solutions utilize various techniques to hide the spatial information. However, we still can obtain critical security information through the time channel. Specifically, we leverage the function execution time to conduct a side-channel attack. Further, we de-randomize the code segment layout with the timing-channel attack result. Finally, we perform a code-reuse attack with gadgets gathered in previous steps, compromising the whole system. To validate our timing function attack in the real world, we conduct two attacks on two JavaScript engines, i.e., ChakraCore and Chrome v8. Evaluation results show that our attack can successfully bypass the existing defense techniques, such as function-granularity ASLR and XOM, and escalate the privilege. Besides, we also discuss some solutions to prevent and defend our proposed timing function attack.

Bingchen Lan,Yan Li,Hao Sun,Chao Su,Yao Liu,Qingkai Zeng

DOI: https://doi.org/10.1109/trustcom.2015.374

2015-01-01

Abstract:Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks to bypass coarse-grained CFI, however, we find that they still fail to bypass shadow stack, which enforces caller-callee semantics to strengthen CFI that constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets), and chains these gadgets in a way that the control flows strictly follow the process of call-ret-pairing. Specifically, LOP selects a particular function with a loop statement, called loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.

Tao Wei,Chao Zhang,Zhaofeng Chen,Linlin Duan,László Szekeres,Stephen McCamant,Dawn Song

2012-01-01

Abstract:We propose and evaluate a new protection mechanism for indirect call and jump instructions in binaries, which we call FPGate. FPGate stops attacks targeting function pointers by limiting indirect transfers to only those targets that are legal in the original program. When deployed together with other existing lightweight protections, FPGate can provide a level of protection comparable to CFI (Control Flow Integrity), stopping almost all control-ow hijacking attacks including ROP. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which FPGate can use to nd all legal jump targets reliably,

Yutao Liu,Peitao Shi,Xinran Wang,Haibo Chen,Binyu Zang,Haibing Guan

DOI: https://doi.org/10.1109/hpca.2017.18

2017-01-01

Abstract:Current control flow integrity (CFI) enforcement approaches either require instrumenting application executables and even shared libraries, or are unable to defend against sophisticated attacks due to relaxed security policies, or both, many of them also incur high runtime overhead. This paper observes that the main obstacle of providing transparent and strong defense against sophisticated adversaries is the lack of sufficient runtime control flow information. To this end, this paper describes FlowGuard, a lightweight, transparent CFI enforcement approach by a novel reuse of Intel Processor Trace (IPT), a recent hardware feature that efficiently captures the entire runtime control flow. The main challenge is that IPT is designed for offline performance analysis and software debugging such that decoding collected control flow traces is prohibitively slow on the fly. FlowGuard addresses this challenge by reconstructing applications' conservative control flow graphs (CFG) to be compatible with the compressed encoding format of IPT, and labeling the CFG edges with credits in the help of fuzzing-like dynamic training. At runtime, FlowGuard separates fast and slow paths such that the fast path compares the labeled CFGs with the IPT traces for fast filtering, while the slow path decodes necessary IPT traces for strong security. We have implemented and evaluated FlowGuard on a commodity Intel Skylake machine with IPT support. Evaluation results show that FlowGuard is effective in enforcing CFI for several applications, while introducing only small performance overhead. We also show that, with minor hardware extensions, the performance overhead can be further reduced.

Chenyu Wang,Bihuan Chen,Yang Liu,Hongjun Wu

DOI: https://doi.org/10.1109/tifs.2018.2855648

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries.

Yubin Xia,Yutao Liu,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1109/DSN.2012.6263958

2012-01-01

Abstract:Many classic and emerging security attacks usually introduce illegal control flow to victim programs. This paper proposes an approach to detecting violation of control flow integrity based on hardware support for performance monitoring in modern processors. The key observation is that the abnormal control flow in security breaches can be precisely captured by performance monitoring units. Based on this observation, we design and implement a system called CFIMon, which is the first non-intrusive system that can detect and reason about a variety of attacks violating control flow integrity without any changes to applications (either source or binary code) or requiring special-purpose hardware. CFIMon combines static analysis and runtime training to collect legal control flow transfers, and leverages the branch tracing store mechanism in commodity processors to collect and analyze runtime traces on-the-fly to detect violation of control flow integrity. Security evaluation shows that CFIMon has low false positives or false negatives when detecting several realistic security attacks. Performance results show that CFIMon incurs only 6.1% performance overhead on average for a set of typical server applications.

Zichen Zhou,Bo Yin,Renhao Fan,Tao Liu,Bin Xu,Xiang Wang

2011-01-01

Abstract:Most embedded systems present a number of software vulnerabilities, such as buffer overflow, while the physical attacks are becoming popular as well. This paper presents a series of novel architectural-enhanced security solutions. The automated compiler extracts the intrusion model for intrusion detection and secure tag of each main memory segment at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed schemes don't change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can eliminate a wide range of common software and physical attacks with low performance penalties and minimal overheads.

Robert Schilling,Pascal Nasahl,Stefan Mangard

DOI: https://doi.org/10.48550/arXiv.2104.14993

2021-04-30

Abstract:With the improvements of computing technology, more and more applications embed powerful ARM processors into their devices. These systems can be attacked by redirecting the control-flow of a program to bypass critical pieces of code such as privilege checks or signature verifications. Control-flow hijacks can be performed using classical software vulnerabilities, physical fault attacks, or software-induced fault attacks. To cope with this threat and to protect the control-flow, dedicated countermeasures are needed. To counteract control-flow hijacks, control-flow integrity~(CFI) aims to be a generic solution. However, software-based CFI typically either protects against software or fault attacks, but not against both. While hardware-assisted CFI can mitigate both types of attacks, they require extensive hardware modifications. As hardware changes are unrealistic for existing ARM architectures, a wide range of systems remains unprotected and vulnerable to control-flow attacks. In this work, we present FIPAC, an efficient software-based CFI scheme protecting the execution at basic block granularity of ARM-based devices against software and fault attacks. FIPAC exploits ARM pointer authentication of ARMv8.6-A to implement a cryptographically signed control-flow graph. We cryptographically link the correct sequence of executed basic blocks to enforce CFI at this granularity. We use an LLVM-based toolchain to automatically instrument programs. The evaluation on SPEC2017 with different security policies shows a code overhead between 54-97\% and a runtime overhead between 35-105%. While these overheads are higher than for countermeasures against software attacks, FIPAC outperforms related work protecting the control-flow against fault attacks. FIPAC is an efficient solution to provide protection against software- and fault-based CFI attacks on basic block level on modern ARM devices.

Cryptography and Security

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security