Evaluating modern defenses against control flow hijacking

Otgonbaatar, Ulziibayar

Author(s)

Otgonbaatar, Ulziibayar

DownloadFull printable version (915.3Kb)

Other Contributors

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.

Advisor

Hamed Okhravi and Howard Shrobe.

Terms of use

M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582

Metadata

Show full item record

Abstract

Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Strong defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker and practical defenses such as Code Pointer Integrity (CPI) and Control Flow Integrity (CFI) have their weaknesses. In this thesis, we present attacks that expose the fundamental weaknesses of CPI and CFI. CPI promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is isolated by hardward enforcement on 0x86-32 architecture and by information-hiding on 0x86-64 and ARM architectures. We show that when CPI relies on information hiding, it's safe region can be leaked and thus rendering it ineffective against malicious exploits. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags is ineffective in protecting against attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI.

Description

Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2015.

This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.

Cataloged from student-submitted PDF version of thesis.

Includes bibliographical references (pages 65-70).

Date issued

2015

URI

http://hdl.handle.net/1721.1/106003

Department

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Publisher

Massachusetts Institute of Technology

Keywords

Electrical Engineering and Computer Science.

Collections

Graduate Theses