173 research outputs found
FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking
We present the design, implementation, and evaluation of FineIBT: a CFI
enforcement mechanism that improves the precision of hardware-assisted CFI
solutions, like Intel IBT and ARM BTI, by instrumenting program code to reduce
the valid/allowed targets of indirect forward-edge transfers. We study the
design of FineIBT on the x86-64 architecture, and implement and evaluate it on
Linux and the LLVM toolchain. We designed FineIBT's instrumentation to be
compact, and incur low runtime and memory overheads, and generic, so as to
support a plethora of different CFI policies. Our prototype implementation
incurs negligible runtime slowdowns (0%-1.94% in SPEC CPU2017 and
0%-1.92% in real-world applications) outperforming Clang-CFI. Lastly,
we investigate the effectiveness/security and compatibility of FineIBT using
the ConFIRM CFI benchmarking suite, demonstrating that our nimble
instrumentation provides complete coverage in the presence of modern software
features, while supporting a wide range of CFI policies (coarse- vs. fine- vs.
finer-grain) with the same, predictable performance
Execution Integrity with In-Place Encryption
Instruction set randomization (ISR) was initially proposed with the main goal
of countering code-injection attacks. However, ISR seems to have lost its
appeal since code-injection attacks became less attractive because protection
mechanisms such as data execution prevention (DEP) as well as code-reuse
attacks became more prevalent.
In this paper, we show that ISR can be extended to also protect against
code-reuse attacks while at the same time offering security guarantees similar
to those of software diversity, control-flow integrity, and information hiding.
We present Scylla, a scheme that deploys a new technique for in-place code
encryption to hide the code layout of a randomized binary, and restricts the
control flow to a benign execution path. This allows us to i) implicitly
restrict control-flow targets to basic block entries without requiring the
extraction of a control-flow graph, ii) achieve execution integrity within
legitimate basic blocks, and iii) hide the underlying code layout under
malicious read access to the program. Our analysis demonstrates that Scylla is
capable of preventing state-of-the-art attacks such as just-in-time
return-oriented programming (JIT-ROP) and crash-resistant oriented programming
(CROP). We extensively evaluate our prototype implementation of Scylla and show
feasible performance overhead. We also provide details on how this overhead can
be significantly reduced with dedicated hardware support
- …