PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

Paul Muntean; Mathias Neumayer; Zhiqiang Lin; Gang Tan; Jens Grossklags; Claudia Eckert

doi:10.1145/3427228.3427246

PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

Paul Muntean, Mathias Neumayer, Zhiqiang Lin, Gang Tan, Jens Grossklags, Claudia Eckert

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.

Original language	English
Title of host publication	Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
Publisher	Association for Computing Machinery
Pages	466-479
Number of pages	14
ISBN (Electronic)	9781450388580
DOIs	https://doi.org/10.1145/3427228.3427246
State	Published - 7 Dec 2020
Event	36th Annual Computer Security Applications Conference, ACSAC 2020 - Virtual, Online, United States Duration: 7 Dec 2020 → 11 Dec 2020

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	36th Annual Computer Security Applications Conference, ACSAC 2020
Country/Territory	United States
City	Virtual, Online
Period	7/12/20 → 11/12/20

Keywords

Clang/LLVM
control flow integrity
cyber defense.
hijacking attack

Access to Document

10.1145/3427228.3427246

Cite this

Muntean, P., Neumayer, M., Lin, Z., Tan, G., Grossklags, J., & Eckert, C. (2020). PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings. In Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020 (pp. 466-479). Article 3427246 (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3427228.3427246

@inproceedings{c7cea736a5204a608d9d1d474b20f8f2,

title = "PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings",

abstract = "In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.",

keywords = "Clang/LLVM, control flow integrity, cyber defense., hijacking attack",

author = "Paul Muntean and Mathias Neumayer and Zhiqiang Lin and Gang Tan and Jens Grossklags and Claudia Eckert",

note = "Publisher Copyright: {\textcopyright} 2020 ACM.; 36th Annual Computer Security Applications Conference, ACSAC 2020 ; Conference date: 07-12-2020 Through 11-12-2020",

year = "2020",

month = dec,

day = "7",

doi = "10.1145/3427228.3427246",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "466--479",

booktitle = "Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020",

}

Muntean, P, Neumayer, M, Lin, Z, Tan, G, Grossklags, J & Eckert, C 2020, PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings. in Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020., 3427246, ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 466-479, 36th Annual Computer Security Applications Conference, ACSAC 2020, Virtual, Online, United States, 7/12/20. https://doi.org/10.1145/3427228.3427246

PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings. / Muntean, Paul; Neumayer, Mathias; Lin, Zhiqiang et al.
Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020. Association for Computing Machinery, 2020. p. 466-479 3427246 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PFEM

T2 - 36th Annual Computer Security Applications Conference, ACSAC 2020

AU - Muntean, Paul

AU - Neumayer, Mathias

AU - Lin, Zhiqiang

AU - Tan, Gang

AU - Grossklags, Jens

AU - Eckert, Claudia

PY - 2020/12/7

Y1 - 2020/12/7

N2 - In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.

AB - In this paper, we propose reversed forward-edge mapper (PFEM), a Clang/LLVM compiler-based tool, to protect the backward edges of a program's control flow graph (CFG) against runtime control-flow hijacking (e.g., code reuse attacks). It protects backward-edge transfers in C/C++ originating from virtual and non-virtual functions by first statically constructing a precise virtual table hierarchy, with which to form a precise forward-edge mapping between callees and non-virtual calltargets based on precise function signatures, and then checks each instrumented callee return against the previously computed set at runtime. We have evaluated PFEM using the Chrome browser, NodeJS, Nginx, Memcached, and the SPEC CPU2017 benchmark. Our results show that PFEM enforces less than 2.77 return targets per callee in geomean, even for applications heavily relying on backward edges. PFEM's runtime overhead is less than 1% in geomean for the SPEC CPU2017 benchmark and 3.44% in geomean for the Chrome browser.

KW - Clang/LLVM

KW - control flow integrity

KW - cyber defense.

KW - hijacking attack

UR - http://www.scopus.com/inward/record.url?scp=85098050844&partnerID=8YFLogxK

U2 - 10.1145/3427228.3427246

DO - 10.1145/3427228.3427246

M3 - Conference contribution

AN - SCOPUS:85098050844

T3 - ACM International Conference Proceeding Series

SP - 466

EP - 479

BT - Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020

PB - Association for Computing Machinery

Y2 - 7 December 2020 through 11 December 2020

ER -

PFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this