Cryptographically Enforced Control Flow Integrity
Authors: A. Mashtizadeh, A. Bittau, D. Mazières, and D. Boneh
Abstract:
Control flow integrity (CFI) restricts jumps and branches within a
program to prevent attackers from executing arbitrary code in
vulnerable programs. However, traditional CFI still offers attackers
too much freedom to choose between valid jump targets, as seen in
recent attacks.
We present a new approach to CFI based on cryptographic message
authentication codes (MACs). Our approach, called cryptographic CFI
(CCFI), uses MACs to protect control flow elements such as return
addresses, function pointers, and vtable pointers. Through dynamic
checks, CCFI enables much finer-grained classification of sensitive
pointers than previous approaches, thwarting all known attacks and
resisting even attackers with arbitrary access to program memory.
We implemented CCFI in Clang/LLVM, taking advantage of recently
available cryptographic CPU instructions (AES-NI). We evaluate our
system on several large software packages (including nginx, Apache and
memcache) as well as all their dependencies. The cost of protection
ranges from a 3-18% decrease in server request rate. We also expect this
overhead to shrink as Intel improves the performance of AES-NI.
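The idea the abstract describes, shown as an added example in C that is not the paper's code or the Clang/LLVM implementation: each sensitive pointer is stored next to a MAC computed over the pointer value and the address of the slot that holds it, and every indirect call re-verifies the MAC first. The 64-bit keyed mixer `toy_mac`, the key `g_key`, the struct `protected_fptr` and the three `scenario_*` functions are all assumptions made for this illustration; the paper's MAC is built on AES-NI and keeps its key in XMM registers rather than in memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in keyed MAC: a few rounds of a 64-bit mixer under a secret key.
 * Assumption: a placeholder for the AES-NI-based MAC the paper uses, chosen
 * so the example compiles and runs with no crypto library. Do not reuse. */
static uint64_t toy_mac(uint64_t key, uint64_t msg) {
    uint64_t x = msg ^ key;
    for (int i = 0; i < 4; i++) {
        x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
        x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
        x ^= x >> 33; x += key;
    }
    return x;
}

/* Illustrative key. In CCFI the key lives in XMM registers for the lifetime
 * of the process and is never written to memory, so an attacker with
 * arbitrary memory read/write still cannot forge tags. */
static const uint64_t g_key = 0x0123456789abcdefULL;

typedef int (*handler_t)(int);

/* A function-pointer slot carrying its MAC. */
typedef struct {
    handler_t fn;
    uint64_t  tag;
} protected_fptr;

/* The tag binds the pointer value to the address of the slot that holds it,
 * so a (pointer, tag) pair copied from another slot does not verify. */
static uint64_t compute_tag(const protected_fptr *slot, handler_t fn) {
    uint64_t inner = toy_mac(g_key, (uint64_t)(uintptr_t)fn);
    return toy_mac(g_key, inner ^ (uint64_t)(uintptr_t)slot);
}

static void store_fptr(protected_fptr *slot, handler_t fn) {
    slot->fn  = fn;
    slot->tag = compute_tag(slot, fn);
}

/* Dynamic check performed at every indirect call: 1 if the tag verifies. */
static int check_fptr(const protected_fptr *slot) {
    return slot->tag == compute_tag(slot, slot->fn);
}

/* Indirect call through the slot; sets *ok to 0 and skips the call if the tag is bad. */
static int call_protected(protected_fptr *slot, int arg, int *ok) {
    if (!check_fptr(slot)) { *ok = 0; return -1; }
    *ok = 1;
    return slot->fn(arg);
}

static int good_handler(int x)  { return x + 1; }
static int other_handler(int x) { return x * 2; }
static int evil_handler(int x)  { return -x; }

/* Legitimate use: store, then call. Returns the handler's result (6 for input 5). */
int scenario_legit(void) {
    protected_fptr slot;
    store_fptr(&slot, good_handler);
    int ok;
    int r = call_protected(&slot, 5, &ok);
    return ok ? r : -1;
}

/* Arbitrary write: the attacker swaps the pointer but cannot produce a tag
 * without the key. Returns 1 if the check caught it. */
int scenario_overwrite(void) {
    protected_fptr slot;
    store_fptr(&slot, good_handler);
    slot.fn = evil_handler;          /* simulated memory-corruption write */
    int ok;
    call_protected(&slot, 5, &ok);
    return !ok;
}

/* Pointer replay: the attacker copies a valid (pointer, tag) pair from a
 * different slot. The tag is bound to the source slot's address, so it
 * fails in the destination slot. Returns 1 if the check caught it. */
int scenario_replay(void) {
    protected_fptr a, b;
    store_fptr(&a, good_handler);
    store_fptr(&b, other_handler);   /* a valid target, just not for slot a */
    a.fn  = b.fn;                    /* simulated copy of b's bytes into a */
    a.tag = b.tag;
    int ok;
    call_protected(&a, 5, &ok);
    return !ok;
}

int main(void) {
    printf("legit=%d overwrite_caught=%d replay_caught=%d\n",
           scenario_legit(), scenario_overwrite(), scenario_replay());
    return 0;
}
```

The replay scenario is what distinguishes this from coarse-grained CFI: `other_handler` is a perfectly valid call target somewhere in the program, but because the tag also covers the slot address, a pointer that is valid in one location cannot be reused in another. Return addresses are handled the same way in the paper, with the stack frame address taking the role of the slot address.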
Reference:
In proceedings of ACM CCS 2015, pp. 941-951.
Full paper: pdf
Related papers: See project site.