Weiyi Wang,Lang Feng,Zhiguo Shi,Cheng Zhuo,Jiming Chen

DOI: https://doi.org/10.23919/date58400.2024.10546789

2024-01-01

Abstract:Internet of Things (IoT) devices face an escalating threat from code reuse attacks (CRAs) as they can reuse existing code for malicious purpose. Thus a practical cost-effective Control-Flow Integrity (CFI) mechanism for IoT devices is urgently needed. However, existing CFI solutions suffer from impractical-ities, including high performance overhead and a heavy reliance on offline perfect Control-Flow Graph (CFG) generation. To tackle these challenges, we propose a fine-grained dependable CFI scheme for IoT devices that real-time updates the CFG of devices. We evaluate the implementation on RISC-V architectures and the results show that our CFI scheme provides both backward- and forward-edge protection with almost no performance overhead in the case of fixed CFG, negligible power overhead, and low hardware overhead. Compared to the current hardware-assisted CFI designs, our design eliminates the dependence on the offline perfect CFG generation and performs real-time CFG updating for better practicality.

So Shizukuishi,Yoshitaka Arahori,Katsuhiko Gondow

DOI: https://doi.org/10.48550/arXiv.2302.07717

2023-02-15

Abstract:Although numerous defenses against memory vulnerability exploits have been studied so far, highly-compatible, precise, and efficient defense is still an open problem. In fact, existing defense methods have at least one of the following problems: they (1) cannot precisely protect structure fields, (2) incur high protection overheads, and/or (3) cannot maintain compatibility with existing code due to imposing memory layout change on the protected program. In this paper, we propose a novel memory-protection method FIX-Sense that aims to solve all of these problems simultaneously. Our key idea is to perform memory protection based on field-sensitive data-flow integrity. Specifically, our method (1) computes a safe write-read relation for each memory object, at the structure-field granularity, based on field-sensitive value-flow analysis at the compile-time of the protected program. (2) At run-time, lightweight verification is performed to determine whether each memory read executed by the protected program belong to the safe write-read relation calculated for the memory object at compile time. (3) This verification is implemented by lightweight metadata management that tracks memory writes at the structure field granularity without changing the memory layout of the target program (especially the structure field layout).

Cryptography and Security,Software Engineering

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Kejun Chen,Orlando Arias,Qingxu Deng,Daniela Oliveira,Xiaolong Guo,Yier Jin

DOI: https://doi.org/10.1109/tifs.2022.3144868

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Dynamic Information Flow Tracking (DIFT) is a technique that facilitates run-time data-flow analysis on a running process, allowing a system to overcome the limitations of finding data dependencies statically at compilation time. DIFT serves as the backbone for applications including data-flow integrity (DFI). However, previous uses of DIFT towards DFI often have large overhead in terms of hardware, software or both, and often cannot provide fine-granularity tracking for software object, such as variables. To address these limitations, we present FineDIFT as a DFI framework which utilizes DIFT to generate a live data-flow graph of a running process and perform hardware-based assisted analysis at fine-granularity, thus being able to enforce the application’s Data-Flow Graph (DFG). We provide a sample implementation on a RISC-V core with a performance overhead of 5.03% for BEEBS benchmarks and hardware overhead of 6% LUTs and 8% Flip-Flops in the FPGA implementation, if excluding the Content-Addressable Memory (CAM) like structure used for metadata storage. With CAM-like structure being synthesized using FPGA logic, the total hardware overhead is $\approx 2 \times $ LUTs and 33% Flip-Flops compared to the original RISC-V core. We also use the real-world application and customized vulnerable application to demonstrate the effectiveness of the proposed framework in protecting computing systems.

computer science, theory & methods,engineering, electrical & electronic

Irene Díez-Franco,Xabier Ugarte-Pedrero,Pablo García-Bringas

DOI: https://doi.org/10.1109/access.2024.3454551

IF: 3.9

2024-09-14

IEEE Access

Abstract:Non-control-data attacks are those attacks that purely target and modify the non-control data of a program, such as boolean values, user input or configuration parameters, and leave the control flow of a program untouched. These attacks were considered a niche due to the high difficulty in crafting attacks that do not modify the control flow. However, in recent years researchers have already demonstrated that non-control-data attacks can be automatically constructed and that they pose a significant threat because they can compromise critical and widely used software, such as web browsers and the Linux kernel. Moreover, they can also be used to disable or bypass state-of-the-art software security techniques, such as control-flow integrity. The most promising technique to protect against non-control-data attacks is data-flow integrity, however, modern compilers do not implement this protection yet. In this work we present an optimized data-flow integrity implementation for modern compilers that reduces the amount of basic blocks that need to be protected in an average of 45.8%, it also has broader security guarantees due to its more precise static analysis. Finally, we evaluate the completeness of our optimized data-flow integrity implementation.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shi Wenchang,Zhou Hongwei,Yuan Jinhui,Liang Bin

DOI: https://doi.org/10.1109/cc.2014.6969709

2014-01-01

Abstract:It is a challenge to verify integrity of dynamic control flows due to their dynamic and volatile nature. To meet the challenge, existing solutions usually implant an "attachment" in each control transfer. However, the attachment introduces additional cost except performance penalty. For example, the attachment must be unique or restrictedly modified. In this paper, we propose a novel approach to detect integrity of dynamic control flows by counting executed branch instructions without involving any attachment. Our solution is based on the following observation. If a control flow is compromised, the number of executed branch instructions will be abnormally increased. The cause is that intruders usually hijack control flows for malicious execution which absolutely introduces additional branch instructions. Inspired by the above observation, in this paper, we devise a novel system named DCFI-Checker, which detect integrity corruption of dynamic control flows with the support of Performance Monitoring Counter (PMC). We have developed a proof-of-concept prototype system of DCFI-Checker on Linux fedora 5. Our experiments with existing kernel rootkits and buffer overflow attack show that DCFI-Checker is effective to detect compromised dynamic control transfer, and performance evaluations indicate that performance penalty induced by DCFI-Checker is acceptable.

Kejun Chen,Xiaolong Guo,Qingxu Deng,Yier Jin

DOI: https://doi.org/10.3390/mi12080898

IF: 3.4

2021-01-01

Micromachines

Abstract:Dynamic information flow tracking (DIFT) has been proven an effective technique to track data usage; prevent control data attacks and non-control data attacks at runtime; and analyze program performance. Therefore, a series of DIFT techniques have been developed recently. In this paper, we summarize the current DIFT solutions and analyze the features and limitations of these solutions. Based on the analysis, we classify the existing solutions into three categories, i.e., software, hardware, software and hardware co-design. We discuss the DIFT design from the perspective of whole system and point out the limitations of current DIFT frameworks. Potential enhancements to these solutions are also presented. Furthermore, we present suggestions about the possible future direction of DIFT solutions so that DIFT can help improve security levels.

Ting Su,Zhoulai Fu,Geguang Pu,Jifeng He,Zhendong Su

DOI: https://doi.org/10.1109/icse.2015.81

2015-01-01

Abstract:Data flow testing (DFT) focuses on the flow of data through a program. Despite its higher fault-detection ability over other structural testing techniques, practical DFT remains a significant challenge. This paper tackles this challenge by introducing a hybrid DFT framework: (1) The core of our framework is based on dynamic symbolic execution (DSE), enhanced with a novel guided path search to improve testing performance, and (2) we systematically cast the DFT problem as reach ability checking in software model checking to complement our DSE-based approach, yielding a practical hybrid DFT technique that combines the two approaches' respective strengths. Evaluated on both open source and industrial programs, our DSE-based approach improves DFT performance by 60~80% in terms of testing time compared with state-of-the-art search strategies, while our combined technique further reduces 40% testing time and improves data-flow coverage by 20% by eliminating infeasible test objectives. This combined approach also enables the cross-checking of each component for reliable and robust testing results.

Ting Su,Ke Wu,Weikai Miao,Geguang Pu,Jifeng He,Yuting Chen,Zhendong Su

DOI: https://doi.org/10.1145/3020266

2017-01-01

Abstract:Data-flow testing (DFT) is a family of testing strategies designed to verify the interactions between each program variable’s definition and its uses. Such a test objective of interest is referred to as a def-use pair. DFT selects test data with respect to various test adequacy criteria (i.e., data-flow coverage criteria) to exercise each pair. The original conception of DFT was introduced by Herman in 1976. Since then, a number of studies have been conducted, both theoretically and empirically, to analyze DFT’s complexity and effectiveness. In the past four decades, DFT has been continuously concerned, and various approaches from different aspects are proposed to pursue automatic and efficient data-flow testing. This survey presents a detailed overview of data-flow testing, including challenges and approaches in enforcing and automating it: (1) it introduces the data-flow analysis techniques that are used to identify def-use pairs; (2) it classifies and discusses techniques for data-flow-based test data generation, such as search-based testing, random testing, collateral-coverage-based testing, symbolic-execution-based testing, and model-checking-based testing; (3) it discusses techniques for tracking data-flow coverage; (4) it presents several DFT applications, including software fault localization, web security testing, and specification consistency checking; and (5) it summarizes recent advances and discusses future research directions toward more practical data-flow testing.

Simon Schneider,Nicolás E. Díaz Ferreyra,Pierre-Jean Quéval,Georg Simhandl,Uwe Zdun,Riccardo Scandariato

2024-01-09

Abstract:Models of software systems are used throughout the software development lifecycle. Dataflow diagrams (DFDs), in particular, are well-established resources for security analysis. Many techniques, such as threat modelling, are based on DFDs of the analysed application. However, their impact on the performance of analysts in a security analysis setting has not been explored before. In this paper, we present the findings of an empirical experiment conducted to investigate this effect. Following a within-groups design, participants were asked to solve security-relevant tasks for a given microservice application. In the control condition, the participants had to examine the source code manually. In the model-supported condition, they were additionally provided a DFD of the analysed application and traceability information linking model items to artefacts in source code. We found that the participants (n = 24) performed significantly better in answering the analysis tasks correctly in the model-supported condition (41% increase in analysis correctness). Further, participants who reported using the provided traceability information performed better in giving evidence for their answers (315% increase in correctness of evidence). Finally, we identified three open challenges of using DFDs for security analysis based on the insights gained in the experiment.

Software Engineering

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2022.3197190

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:In modern industries, data-driven fault detection and classification (FDC) systems can efficiently maintain industrial security and stability, while the security of the data-driven FDC system itself is rarely or even never considered. The security problem named adversarial vulnerability is the intrinsic of data-driven machine learning models, which will give incorrect predictions under the maliciously perturbed input data. This paper presents a work on this new security topic of the data-driven FDC systems, by 1) summarizing and comparing various recent and typical adversarial attack and defense methods for fault classifiers; 2) proposing novel attack and defense techniques for unsupervised fault detectors; 3) constructing a novel industrial adversarial security benchmark on FDC systems in the Tennessee-Eastman process (TEP) dataset; 4) exploring and discussing which attack is most potentially threatening for FDC systems and which defense technique is most applicable to mitigate attacks. The results reveal unique security properties of FDC systems, mainly including 1) for fault classifiers, black-box attack is close to the attack strength of white-box FGSM and the universal transferable attack is not significantly stronger than random noise; 2) weak adversarial training is excellent with high adversarial accuracy improvement and negligible clean accuracy decrease; 3) fault detectors are intrinsically more robust, and can be well protected by strong adversarial training. More intriguing properties and profound insights are demonstrated in the paper. This pioneering work could guide researchers and practitioners in discovering and navigating the field of FDC system adversarial robustness, outlining the research directions and open problems.

Yuan Li,Mingzhe Wang,Chao Zhang,Xingman Chen,Songtao Yang,Ying Liu

DOI: https://doi.org/10.1145/3372297.3417867

2020-01-01

Abstract:Control-flow integrity (CFI) is a promising technique to mitigate control-flow hijacking attacks. In the past decade, dozens of CFI mechanisms have been proposed by researchers. Despite the claims made by themselves, the security promises of these mechanisms have not been carefully evaluated, and thus are questionable. In this paper, we present a solution to measure the gap between the practical security and the claimed theoretical security. First, we propose CScan to precisely measure runtime feasible targets of indirect control transfer (ICT) instructions protected by CFI, by enumerating all potential code addresses and testing whether ICTs are allowed to jump to them. Second, we propose CBench as a sanity check for verifying CFI solutions? effectiveness against typical attacks, by exploiting a comprehensive set of vulnerable programs protected by CFI and verifying the recognized feasible targets. We evaluated 12 most recent open-source CFI mechanisms and discovered 10 flaws in most CFI mechanisms or implementations. For some CFIs, their security policies or protected ICT sets do not match what they claimed. Some CFIs even expand the attack surface (e.g. introducing unintended targets). To facilitate a deeper understanding of CFI, we summarize the flaws into 7 common pitfalls which cover the whole lifetime of CFI mechanisms and reveal issues that affect CFI mechanisms in practical security.

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

Ziyu Wang,Jingyu Wang,Dongyuan Shi

DOI: https://doi.org/10.1109/PandaFPE57779.2023.10140382

2023-01-01

Abstract:State Estimation (SE) is used to derive accurate operating states from redundant field measurements, wherein Bad Data Detection (BDD) is used to eliminate measurement outliers. In the past decade, False Data Injection (FDI) attacks have attracted extensive attention, as they provide a strategy to introduce bias to SE results by maliciously modifying measurements in a way that can bypass BDD. Regrettably, although FDI attacks are plausible in math, whether they are feasible in practice has not been paid enough attention. This paper tries to give an answer by formulating three FDI attack vectors, each exploiting the vulnerability of a different communication protocol to achieve background reconnaissance and data tampering. Based on the proposed attack vectors, the path of launching FDI attacks in a concrete cyber environment and the corresponding defense countermeasures are analyzed through cyber-physical co-simulation. Case studies demonstrate that applying classical countermeasures, such as cryptographic techniques and access control policies, can effectively frustrate FDI attacks in the real world. Futhermore, it can be summarized from the experiments that attackers may leverage side-effects of defense countermeasures to mount more subtle attacks. It is essential to consider defending against cyber-physical attacks from an overall perspective in the future.

Nicolas Boltz,Sebastian Hahner,Christopher Gerking,Robert Heinrich

2024-03-14

Abstract:The growing interconnection between software systems increases the need for security already at design time. Security-related properties like confidentiality are often analyzed based on data flow diagrams (DFDs). However, manually analyzing DFDs of large software systems is bothersome and error-prone, and adjusting an already deployed software is costly. Additionally, closed analysis ecosystems limit the reuse of modeled information and impede comprehensive statements about a system's security. In this paper, we present an open and extensible framework for data flow analysis. The central element of our framework is our new implementation of a well-validated data-flow-based analysis approach. The framework is compatible with DFDs and can also extract data flows from the Palladio architectural description language. We showcase the extensibility with multiple model and analysis extensions. Our evaluation indicates that we can analyze similar scenarios while achieving higher scalability compared to previous implementations.

Software Engineering,Cryptography and Security

Hao Sun,Chao Su,Yue Wang,Qingkai Zeng

DOI: https://doi.org/10.1142/s0218194015400331

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Integer signedness errors can be exploited by adversaries to cause severe damages to computer systems. Despite the significant advances in automating the detection of integer signedness errors, accurately differentiating exploitable and harmful signedness errors from unharmful ones is an important challenge. In this paper, we present the design and implementation of SignFlow, an instrumentation-based integer signedness error detector to reduce the reports for unharmful signedness errors. SignFlow first utilizes static data flow analysis to identify unharmful integer sign conversions from the view of where the source operands originate and whether the conversion results can propagate to security-related program points, and then inserts security checks for the remaining conversions so as to accomplish runtime protection. We evaluated SignFlow on 8 real-world harmful integer signedness bugs, SPECint 2006 benchmarks together with 5 real-world applications. The experimental results show that SignFlow correctly detected all harmful integer signedness bugs (i.e. no false negatives) and achieved a reduction of 41% in false positives over IntFlow, the state of the art.

Ali Jahanshahi

DOI: https://doi.org/10.48550/arXiv.1911.05664

2019-11-05

Abstract:Dynamic Information Flow Tracking (DIFT) is a technique to track potential security vulnerabilities in software and hardware systems at run time. The last fifteen years have seen a lot of research work on DIFT, including both hardware-based and software-based implementations for different types of processor architectures. This survey briefly reviews some hardware architectures that provide DIFT support. Starting from introducing different approaches for hardware based DIFT, this survey focuses on integrated/in-core architectures. Protection schemes, including tagging system, tag propagation, and tag checking for each architecture will be discussed. The survey is organized in such a way that it illustrates the evolution of integrated DIFT architectures, each architecture tries to improve the precious proposed architectures generality/versatility weaknesses. However, improving security while providing generality and versatility is kind of trade-offs. This survey compares the architectures from different aspects to show the trade-offs clearer.

Cryptography and Security,Hardware Architecture

Mathias Payer,Antonio Barresi,Thomas R. Gross

DOI: https://doi.org/10.3929/ethz-a-010171214

2014-07-02

Abstract:Applications written in low-level languages without type or memory safety are especially prone to memory corruption. Attackers gain code execution capabilities through such applications despite all currently deployed defenses by exploiting memory corruption vulnerabilities. Control-Flow Integrity (CFI) is a promising defense mechanism that restricts open control-flow transfers to a static set of well-known locations. We present Lockdown, an approach to dynamic CFI that protects legacy, binary-only executables and libraries. Lockdown adaptively learns the control-flow graph of a running process using information from a trusted dynamic loader. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions by enforcing fine-grained CFI checks. Our prototype implementation shows that dynamic CFI results in low performance overhead.

Cryptography and Security,Programming Languages

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Yubin Xia,Yutao Liu,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1109/DSN.2012.6263958

2012-01-01

Abstract:Many classic and emerging security attacks usually introduce illegal control flow to victim programs. This paper proposes an approach to detecting violation of control flow integrity based on hardware support for performance monitoring in modern processors. The key observation is that the abnormal control flow in security breaches can be precisely captured by performance monitoring units. Based on this observation, we design and implement a system called CFIMon, which is the first non-intrusive system that can detect and reason about a variety of attacks violating control flow integrity without any changes to applications (either source or binary code) or requiring special-purpose hardware. CFIMon combines static analysis and runtime training to collect legal control flow transfers, and leverages the branch tracing store mechanism in commodity processors to collect and analyze runtime traces on-the-fly to detect violation of control flow integrity. Security evaluation shows that CFIMon has low false positives or false negatives when detecting several realistic security attacks. Performance results show that CFIMon incurs only 6.1% performance overhead on average for a set of typical server applications.