Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
125 tokens/sec
GPT-4o
53 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Assessing the Effectiveness of Binary-Level CFI Techniques (2401.07148v1)

Published 13 Jan 2024 in cs.CR and cs.SE

Abstract: Memory corruption is an important class of vulnerability that can be leveraged to craft control flow hijacking attacks. Control Flow Integrity (CFI) provides protection against such attacks. Application of type-based CFI policies requires information regarding the number and type of function arguments. Binary-level type recovery is inherently speculative, which motivates the need for an evaluation framework to assess the effectiveness of binary-level CFI techniques compared with their source-level counterparts, where such type information is fully and accurately accessible. In this work, we develop a novel, generalized and extensible framework to assess how the program analysis information we get from state-of-the-art binary analysis tools affects the efficacy of type-based CFI techniques. We introduce new and insightful metrics to quantitatively compare source independent CFI policies with their ground truth source aware counterparts. We leverage our framework to evaluate binary-level CFI policies implemented using program analysis information extracted from the IDA Pro binary analyzer and compared with the ground truth information obtained from the LLVM compiler, and present our observations.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (43)
  1. Control-Flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (Alexandria, VA, USA) (CCS ’05). Association for Computing Machinery, New York, NY, USA, 340–353.
  2. An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 583–600. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/andriesse
  3. TyPro: Forward CFI for C-Style Indirect Function Calls Using Type Propagation. In Proceedings of the 38th Annual Computer Security Applications Conference (Austin, TX, USA) (ACSAC ’22). Association for Computing Machinery, New York, NY, USA, 346–360. https://doi.org/10.1145/3564625.3564627
  4. Control-Flow Integrity: Precision, Security, and Performance. ACM Comput. Surv. 50, 1, Article 16 (apr 2017), 33 pages. https://doi.org/10.1145/3054924
  5. Juan Caballero and Zhiqiang Lin. 2016. Type Inference on Executables. ACM Comput. Surv. 48, 4, Article 65 (may 2016), 35 pages. https://doi.org/10.1145/2896499
  6. Return-Oriented Programming without Returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA) (CCS ’10). Association for Computing Machinery, New York, NY, USA, 559–572. https://doi.org/10.1145/1866307.1866370
  7. CATI: Context-Assisted Type Inference from Stripped Binaries. In 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 88–98. https://doi.org/10.1109/DSN48063.2020.00028
  8. Augmenting Decompiler Output with Learned Variable Names and Types. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 4327–4343. https://www.usenix.org/conference/usenixsecurity22/presentation/chen-qibin
  9. Neural Nets Can Learn Function Type Signatures From Binaries. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 99–116. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/chua
  10. It’s a TRaP: Table Randomization and Protection against Function-Reuse Attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, Colorado, USA) (CCS ’15). Association for Computing Machinery, New York, NY, USA, 243–255. https://doi.org/10.1145/2810103.2813682
  11. Solar Designer. 1997. Getting around non-executable stack (and fix). ”http://ouah.bsdjeunz.org/solarretlibc.html” (1997).
  12. Boosting the Precision of Virtual Call Integrity Protection with Partial Pointer Analysis for C++. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis (Santa Barbara, CA, USA) (ISSTA 2017). Association for Computing Machinery, New York, NY, USA, 329–340. https://doi.org/10.1145/3092703.3092729
  13. On the Effectiveness of Type-Based Control Flow Integrity. In Proceedings of the 34th Annual Computer Security Applications Conference (San Juan, PR, USA) (ACSAC ’18). Association for Computing Machinery, New York, NY, USA, 28–39. https://doi.org/10.1145/3274694.3274739
  14. CFInsight: A Comprehensive Metric for CFI Policies. In NDSS. https://doi.org/10.14722/ndss.2022.23165
  15. gcc fcf protection. 2022. https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html. In Clang 16.0.0git documentation.
  16. Fine-Grained Control-Flow Integrity for Kernel Software. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). 179–194. https://doi.org/10.1109/EuroSP.2016.24
  17. hexrays IDA Pro. 2022. https://hex-rays.com/ida-pro/. In Interactive Disassembler (IDA).
  18. Loop-Oriented Programming: A New Code Reuse Attack to Bypass Modern Defenses. In 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1. 190–197. https://doi.org/10.1109/Trustcom.2015.374
  19. Subversive-C: Abusing and Protecting Dynamic Message Dispatch. In 2016 USENIX Annual Technical Conference (USENIX ATC 16). USENIX Association, Denver, CO, 209–221. https://www.usenix.org/conference/atc16/technical-sessions/presentation/lettner
  20. Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, USA) (CCS ’20). Association for Computing Machinery, New York, NY, USA, 1821–1835. https://doi.org/10.1145/3372297.3417867
  21. Zhibo Liu and Shuai Wang. 2020. How Far We Have Come: Testing Decompilation Correctness of C Decompilers. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis (Virtual Event, USA) (ISSTA 2020). Association for Computing Machinery, New York, NY, USA, 475–487. https://doi.org/10.1145/3395363.3397370
  22. LLVM. 2022. https://clang.llvm.org/docs/ControlFlowIntegrity.html. In Clang 16.0.0git documentation.
  23. LLVM. 2023. https://llvm.org. In The LLVM Compiler Infrastructure.
  24. Kangjie Lu and Hong Hu. 2019. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (London, United Kingdom) (CCS ’19). Association for Computing Machinery, New York, NY, USA, 1867–1881. https://doi.org/10.1145/3319535.3354244
  25. Xiaozhu Meng and Barton P. Miller. 2016. Binary Code is Not Easy. In Proceedings of the 25th International Symposium on Software Testing and Analysis (Saarbrücken, Germany) (ISSTA 2016). Association for Computing Machinery, New York, NY, USA, 24–35. https://doi.org/10.1145/2931037.2931047
  26. τ𝜏\tauitalic_τCFI: Type-Assisted Control Flow Integrity for x86-64 Binaries. In Research in Attacks, Intrusions, and Defenses. Springer International Publishing, Cham, 423–444.
  27. Analyzing Control Flow Integrity with LLVM-CFI. In Proceedings of the 35th Annual Computer Security Applications Conference (San Juan, Puerto Rico, USA) (ACSAC ’19). Association for Computing Machinery, New York, NY, USA, 584–597.
  28. Ben Niu and Gang Tan. 2014. Modular Control-Flow Integrity. SIGPLAN Not. 49, 6 (jun 2014), 577–587. https://doi.org/10.1145/2666356.2594295
  29. Polymorphic Type Inference for Machine Code. SIGPLAN Not. 51, 6 (jun 2016), 27–41. https://doi.org/10.1145/2980983.2908119
  30. SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask. In 42nd IEEE Symposium on Security and Privacy (SP).
  31. StateFormer: Fine-Grained Type Recovery from Binaries Using Generative State Modeling. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Athens, Greece) (ESEC/FSE 2021). Association for Computing Machinery, New York, NY, USA, 690–702. https://doi.org/10.1145/3468264.3468607
  32. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In 2015 IEEE Symposium on Security and Privacy. 745–762. https://doi.org/10.1109/SP.2015.51
  33. Hovav Shacham. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (on the X86). In Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA) (CCS ’07). Association for Computing Machinery, New York, NY, USA, 552–561.
  34. Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization. In 2013 IEEE Symposium on Security and Privacy. 574–588. https://doi.org/10.1109/SP.2013.45
  35. BlueLotus Team. 2015a. Bctf challenge: bypass vtable read-only checks.
  36. PaX Team. 2015b. Rap: Rip rop. In Hackers 2 Hackers Conference (H2HC).
  37. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM. In Proceedings of the 23rd USENIX Conference on Security Symposium (San Diego, CA) (SEC’14). USENIX Association, USA, 941–955.
  38. A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level. In 2016 IEEE Symposium on Security and Privacy (SP). 934–953. https://doi.org/10.1109/SP.2016.60
  39. Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries. In Proceedings of the 31st Annual Computer Security Applications Conference (Los Angeles, CA, USA) (ACSAC ’15). Association for Computing Machinery, New York, NY, USA, 331–340. https://doi.org/10.1145/2818000.2818017
  40. CONFIRM: Evaluating Compatibility and Relevance of Control-Flow Integrity Protections for Modern Software. In Proceedings of the 28th USENIX Conference on Security Symposium (Santa Clara, CA, USA) (SEC’19). USENIX Association, USA, 1805–1821.
  41. Practical Control Flow Integrity and Randomization for Binary Executables. In 2013 IEEE Symposium on Security and Privacy. 559–573. https://doi.org/10.1109/SP.2013.44
  42. Mingwei Zhang and R. Sekar. 2013. Control Flow Integrity for COTS Binaries. In Proceedings of the 22nd USENIX Conference on Security (Washington, D.C.) (SEC’13). USENIX Association, USA, 337–352.
  43. OSPREY: Recovery of Variable and Data Structure via Probabilistic Analysis for Stripped Binary. In 2021 IEEE Symposium on Security and Privacy (SP). 813–832. https://doi.org/10.1109/SP40001.2021.00051
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now