TY - GEN
T1 - Analyzing control flow integrity with LLVM-CFI
AU - Muntean, Paul
AU - Neumayer, Matthias
AU - Lin, Zhiqiang
AU - Tan, Gang
AU - Grossklags, Jens
AU - Eckert, Claudia
N1 - Publisher Copyright:
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2019/12/9
Y1 - 2019/12/9
N2 - Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availability. Further, tool comparison is underdeveloped or not possible at all. CFI has proven to be one of the most promising protections against control flow hijacking attacks, thus many efforts have been made to improve CFI in various ways. However, there is a lack of systematic assessment of existing CFI protections. In this paper, we present LLVM-CFI, a static source code analysis framework for analyzing state-of-the-art static CFI protections based on the Clang/LLVM compiler framework. LLVM-CFI works by precisely modeling a CFI policy and then evaluating it within a unified approach. LLVM-CFI helps determine the level of security offered by different CFI protections, after the CFI protections were deployed, thus providing an important step towards exploit creation/prevention and stronger defenses. We have used LLVM-CFI to assess eight state-of-the-art static CFI defenses on real-world programs such as Google Chrome and Apache Httpd. LLVM-CFI provides a precise analysis of the residual attack surfaces, and accordingly ranks CFI policies against each other. LLVM-CFI also successfully paves the way towards construction of COOP-like code reuse attacks and elimination of the remaining attack surface by disclosing protected calltargets under eight restrictive CFI policies.
KW - Clang
KW - Computer systems
KW - Control flow integrity
KW - Defense
KW - LLVM
UR - http://www.scopus.com/inward/record.url?scp=85077821963&partnerID=8YFLogxK
U2 - 10.1145/3359789.3359806
DO - 10.1145/3359789.3359806
M3 - Conference contribution
AN - SCOPUS:85077821963
T3 - ACM International Conference Proceeding Series
SP - 584
EP - 597
BT - Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
PB - Association for Computing Machinery
T2 - 35th Annual Computer Security Applications Conference, ACSAC 2019
Y2 - 9 December 2019 through 13 December 2019
ER -