TOWARDS A POLICY-AGNOSTIC CONTROL-FLOW INTEGRITY IMPLEMENTATION presented at BlackHatEU 2016

by Ahmad-Reza Sadeghi, Yier Jin, Dean Sullivan and Orlando Arias

Summary: Control-flow integrity (CFI) is a general defense against code-reuse attacks. In theory, a CFI implementation mitigates control-flow hijacking by verifying, at each indirect control-flow transfer, that the transfer follows a legitimate path in the program's control-flow graph. However, CFI and its current implementations suffer from deficiencies with regard to either security or practicality: 1) they assume the extraction of a precise control-flow graph, which is not possible in general; 2) prior implementations have incurred significant performance overhead; and 3) efficient software-based CFI implementations (e.g. Microsoft's Control-Flow Guard, GCC/LLVM's VTable Verification, Google's IFCC) often make concessions in the face of such performance limitations, weakening the policy's security.
To date, almost all "efficient" CFI defenses can be shown to be bypassable. Weakening the CFI policy to achieve improved performance, in one form or another, is the culprit. A significant amount of research has been conducted to address this single point. While prior work has demonstrated significant improvements on these fronts, no existing CFI countermeasure has been able to address a new class of stealthy adversaries that bend control-flow hijacking attacks around the CFI policy itself. These attacks maliciously mimic the behavior of an ideally CFI-protected application: every transfer they perform is one the policy admits.
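The policy trade-off described in the two paragraphs above, illustrated in plain C as an added example (this is not code from the talk or from the authors' system): an instrumented indirect-call site checks its target against either a coarse-grained "any valid function entry" policy or a fine-grained label policy, and an attacker who has corrupted the function pointer tries two targets. The function names, the labels, the dispatch site and the sentinel return value are assumptions made for the illustration; a deployed CFI scheme would abort on a violation rather than return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Forward-edge CFI check, modelled in plain C (illustration only). Every
 * function that may be the target of an indirect call is registered in an
 * "entry set" together with a label naming its equivalence class (here:
 * ordinary handler vs. privileged routine). Names, labels and policies are
 * assumptions for this example, not from any shipping CFI implementation.
 */

typedef int (*handler_fn)(int);

enum label { LABEL_HANDLER = 0x1001, LABEL_PRIVILEGED = 0x2002 };

struct entry {
    handler_fn fn;
    enum label  label;
};

/* Legitimate handlers reachable from the dispatch site below. */
static int sanitize(int x)  { return x & 0xff; }
static int log_event(int x) { return x + 1; }

/* Same signature as a handler, but must never be reachable from that site. */
static int grant_admin(int x) { (void)x; return 1; }

/* Stands in for a mid-function address (ROP/JOP gadget): not a registered entry. */
static int stray_gadget(int x) { (void)x; return 42; }

static const struct entry entry_set[] = {
    { sanitize,    LABEL_HANDLER },
    { log_event,   LABEL_HANDLER },
    { grant_admin, LABEL_PRIVILEGED },
};

static const struct entry *lookup_entry(handler_fn target)
{
    for (size_t i = 0; i < sizeof entry_set / sizeof entry_set[0]; i++)
        if (entry_set[i].fn == target)
            return &entry_set[i];
    return NULL;
}

/* Coarse-grained policy: the target must be *some* valid function entry. */
int cfi_check_coarse(handler_fn target)
{
    return lookup_entry(target) != NULL;
}

/* Fine-grained policy: the target's label must match what the call site expects. */
int cfi_check_fine(handler_fn target, enum label expected)
{
    const struct entry *e = lookup_entry(target);
    return e != NULL && e->label == expected;
}

enum policy { POLICY_NONE, POLICY_COARSE, POLICY_FINE };

#define CFI_VIOLATION (-1)   /* no registered handler returns -1 */

/* Instrumented indirect call site. Real CFI aborts on violation; the sentinel
 * keeps the simulation observable. */
int dispatch(handler_fn target, int arg, enum policy p)
{
    int allowed = 1;
    if (p == POLICY_COARSE)
        allowed = cfi_check_coarse(target);
    else if (p == POLICY_FINE)
        allowed = cfi_check_fine(target, LABEL_HANDLER);
    if (!allowed)
        return CFI_VIOLATION;
    return target(arg);
}

struct outcome {
    int legit;         /* pointer still points at sanitize */
    int hijack_entry;  /* pointer overwritten with a valid entry (grant_admin) */
    int hijack_gadget; /* pointer overwritten with a non-entry address */
};

/* Simulates an attacker who has already corrupted the function pointer
 * (e.g. via a heap overflow) and runs the three cases under one policy. */
struct outcome run_cases(enum policy p)
{
    struct outcome o;
    handler_fn ptr = sanitize;            /* original, uncorrupted value */
    o.legit = dispatch(ptr, 0x1ff, p);

    ptr = grant_admin;                    /* corrupted: valid entry, wrong target */
    o.hijack_entry = dispatch(ptr, 0, p);

    ptr = stray_gadget;                   /* corrupted: not a function entry at all */
    o.hijack_gadget = dispatch(ptr, 0, p);
    return o;
}

int main(void)
{
    static const char *names[] = { "none", "coarse", "fine" };
    for (int p = POLICY_NONE; p <= POLICY_FINE; p++) {
        struct outcome o = run_cases((enum policy)p);
        printf("%-6s legit=%d hijack_entry=%d hijack_gadget=%d\n",
               names[p], o.legit, o.hijack_entry, o.hijack_gadget);
    }
    return 0;
}
```

Under the coarse policy the gadget transfer is stopped but the transfer to grant_admin goes through, because it is a valid function entry: this is the kind of policy-compliant hijack the abstract attributes to weakened CFI. The fine-grained policy blocks it, but only because the label set is precise; if the control-flow graph extraction over-approximates (point 1 above) and lumps grant_admin into the handler class, the fine check degrades to the coarse one.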
To tackle these shortcomings, recent CFI defenses have begun to incorporate architectural or hardware/software co-design principles to strengthen the security guarantees of the defense. Intel has recently proposed its Control-flow Enforcement Technology (CET), and the NSA and several research groups have proposed hardware-assisted solutions of their own. Much like past approaches, however, these systems make concessions in the CFI policy to handle complex code constructs, shared libraries or multi-tasking, or otherwise to improve the performance of the protected application.
We present a general-purpose, hardware-enhanced CFI scheme that tackles these issues and allows the enforcement of diverse CFI policies. We provide a detailed analysis of existing hardware-assisted CFI defenses and show that our solution is more secure, efficient and scalable. We demonstrate how careful systems-software and architectural design considerations can address prior issues with CFI implementations. We elaborate on a CFI platform that handles shared libraries through compiler-supported ISA extensions and incorporates features for multi-tasking and interoperation with legacy applications. Our evaluation includes a detailed analysis of known bypasses of existing CFI-protected systems, both in software and in hardware, to highlight why past approaches have failed. We further demonstrate that our approach is resilient to these attacks and CFI vulnerabilities. Finally, we evaluate our solution against compute-intensive workloads and show high efficiency.