Control Jujutsu
Control flow integrity (CFI) has been proposed as an approach to defend against control-hijacking memory corruption attacks. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve t...
| Main Authors: | , , , , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | en_US |
| Published: |
Association for Computing Machinery
2018
|
| Online Access: | http://hdl.handle.net/1721.1/113878 https://orcid.org/0000-0003-3322-656X https://orcid.org/0000-0002-6232-3118 https://orcid.org/0000-0002-9993-9135 https://orcid.org/0000-0001-8095-8523 |
| _version_ | 1811092597078228992 |
|---|---|
| author | Evans, Isaac Long, Fan Otgonbaatar, Ulziibayar Shrobe, Howard E Rinard, Martin C Okhravi, Hamed Sidiroglou-Douskos, Stelios |
| author2 | Lincoln Laboratory |
| author_facet | Lincoln Laboratory Evans, Isaac Long, Fan Otgonbaatar, Ulziibayar Shrobe, Howard E Rinard, Martin C Okhravi, Hamed Sidiroglou-Douskos, Stelios |
| author_sort | Evans, Isaac |
| collection | MIT |
| description | Control flow integrity (CFI) has been proposed as an approach to defend against control-hijacking memory corruption attacks. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags and a shadow stack (to check calls and returns) is ineffective in protecting against malicious attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI. We then construct two proof-of-concept exploits that attack an unlimited tag CFI system with a shadow stack. We also evaluate the difficulties of generating a precise CFG using scalable static analysis for real-world applications. Finally, we perform an analysis on a number of popular applications that highlights the availability of such attacks. |
| first_indexed | 2024-09-23T15:20:36Z |
| format | Article |
| id | mit-1721.1/113878 |
| institution | Massachusetts Institute of Technology |
| language | en_US |
| last_indexed | 2024-09-23T15:20:36Z |
| publishDate | 2018 |
| publisher | Association for Computing Machinery |
| record_format | dspace |
| spelling | mit-1721.1/1138782022-10-02T02:22:08Z Control Jujutsu Evans, Isaac Long, Fan Otgonbaatar, Ulziibayar Shrobe, Howard E Rinard, Martin C Okhravi, Hamed Sidiroglou-Douskos, Stelios Lincoln Laboratory Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science Evans, Isaac Long, Fan Otgonbaatar, Ulziibayar Shrobe, Howard E Rinard, Martin C Okhravi, Hamed Sidiroglou-Douskos, Stelios Control flow integrity (CFI) has been proposed as an approach to defend against control-hijacking memory corruption attacks. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags and a shadow stack (to check calls and returns) is ineffective in protecting against malicious attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI. We then construct two proof-of-concept exploits that attack an unlimited tag CFI system with a shadow stack. We also evaluate the difficulties of generating a precise CFG using scalable static analysis for real-world applications. Finally, we perform an analysis on a number of popular applications that highlights the availability of such attacks. United States. Defense Advanced Research Projects Agency (Grant FA8650-11-C-7192) 2018-02-22T21:23:24Z 2018-02-22T21:23:24Z 2015-10 Article http://purl.org/eprint/type/ConferencePaper 978-1-4503-3832-5 http://hdl.handle.net/1721.1/113878 Evans, Isaac, et al. "Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 12-16 October, 2015, Denver, Colorado, ACM Press, 2015, pp. 901–13. https://orcid.org/0000-0003-3322-656X https://orcid.org/0000-0002-6232-3118 https://orcid.org/0000-0002-9993-9135 https://orcid.org/0000-0001-8095-8523 en_US http://dx.doi.org/10.1145/2810103.2813646 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15 Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/ application/pdf Association for Computing Machinery MIT Web Domain |
| spellingShingle | Evans, Isaac Long, Fan Otgonbaatar, Ulziibayar Shrobe, Howard E Rinard, Martin C Okhravi, Hamed Sidiroglou-Douskos, Stelios Control Jujutsu |
| title | Control Jujutsu |
| title_full | Control Jujutsu |
| title_fullStr | Control Jujutsu |
| title_full_unstemmed | Control Jujutsu |
| title_short | Control Jujutsu |
| title_sort | control jujutsu |
| url | http://hdl.handle.net/1721.1/113878 https://orcid.org/0000-0003-3322-656X https://orcid.org/0000-0002-6232-3118 https://orcid.org/0000-0002-9993-9135 https://orcid.org/0000-0001-8095-8523 |
| work_keys_str_mv | AT evansisaac controljujutsu AT longfan controljujutsu AT otgonbaatarulziibayar controljujutsu AT shrobehowarde controljujutsu AT rinardmartinc controljujutsu AT okhravihamed controljujutsu AT sidirogloudouskosstelios controljujutsu |