Mitigating Code-Reuse Attacks with Control-Flow Locking
attacker directs control flow through existing code with a malicious result. One such technique, return-oriented programming, is based on "gadgets" (short pre-existing sequences of code ending in a ret instruction) being executed in arbitrary order as a result of a stack corruption exploit. Many existing code-reuse defenses have relied upon a particular attribute of the attack in question (e.g., the frequency of ret instructions in a return-oriented attack), which leads to an incomplete protection, while a smaller number of efforts in protecting all exploitable control flow transfers suffer from limited deployability due to high performance overhead. In this paper, we present a novel cost-effective defense technique called control flow locking, which allows for effective enforcement of control flow integrity with a small performance overhead. Specifically, instead of immediately determining whether a control flow violation happens before the control flow transfer takes place, control flow locking lazily detects the violation after the transfer. To still restrict attackers' capability, our scheme guarantees that the deviation of the normal control flow graph will only occur at most once. Further, our scheme ensures that this deviation cannot be used to craft a malicious system call, which denies any potential gains an attacker might obtain from what is permitted in the threat model. We have developed a proof-of-concept prototype in Linux and our evaluation demonstrates desirable effectiveness and competitive performance overhead with existing techniques. In several benchmarks, our scheme is able to achieve significant gains.
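An added illustrative model of the lazy lock-and-check idea described above (example code written for this page, not the paper's implementation); it assumes a single global lock word, one key per legitimate target, and the function names shown, and it shows why a deviation is caught one transfer late and why a system call cannot follow it:

```c
/* Illustrative model of control-flow locking (added example; the names and the
   single global lock are assumptions, not the paper's implementation). A lock is
   set before every indirect transfer and cleared on entry to every legitimate
   target; a system call requires it to be clear. */
enum { KEY_NONE = 0, KEY_HANDLER = 1 };
static int cfl_lock = KEY_NONE; /* nonzero while a transfer is in flight */
static int violations = 0;      /* violations detected so far */

/* Lock step at the indirect call site. A lock still held here means the previous
   transfer never reached a legitimate target: detected now, one transfer late. */
static int cfl_lock_acquire(int key) {
    int stale = (cfl_lock != KEY_NONE);
    if (stale) violations++;
    cfl_lock = key;
    return !stale;
}
/* Unlock step at every legitimate target's entry; a key mismatch means the
   transfer came from a call site with no CFG edge to this target. */
static int cfl_unlock(int key) {
    int ok = (cfl_lock == key);
    if (!ok) violations++;
    cfl_lock = KEY_NONE;
    return ok;
}
typedef void (*handler_t)(void);
static void legit_handler(void) { cfl_unlock(KEY_HANDLER); /* real work */ }
static void gadget_like_code(void) { /* no unlock: not a valid target */ }
static int indirect_call(handler_t target, int key) { /* instrumented site */
    int ok = cfl_lock_acquire(key);
    target();
    return ok;
}

/* System-call guard: a held lock means an unresolved deviation. */
int guarded_syscall(void) {
    if (cfl_lock != KEY_NONE) { violations++; return -1; }
    return 0; /* the real system call would be issued here */
}
/* One clean call, then optionally a hijacked transfer into code without an
   unlock, a system-call attempt, and another indirect call. Returns violations. */
int run_scenario(int hijack) {
    cfl_lock = KEY_NONE; violations = 0;
    indirect_call(legit_handler, KEY_HANDLER);
    if (hijack) {
        indirect_call(gadget_like_code, KEY_HANDLER); /* lock stays held */
        guarded_syscall();                            /* refused: +1 */
        indirect_call(legit_handler, KEY_HANDLER);    /* stale lock: +1 */
    }
    return violations;
}
```

In the hijack scenario the stray transfer itself goes unnoticed, but the held lock makes the following system call fail and the next lock step report the violation, so the deviation happens once and yields no system call.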
Author(s):
Tyler Bletsch (NetApp, Inc, United States)
Xuxian Jiang (North Carolina State University, United States)
Vince Freeh (North Carolina State University, United States)