Control Jujutsu

Evans, Isaac; Long, Fan; Otgonbaatar, Ulziibayar; Shrobe, Howard; Rinard, Martin; Okhravi, Hamed; Sidiroglou-Douskos, Stelios

Author(s)

Evans, Isaac; Long, Fan; Otgonbaatar, Ulziibayar; Shrobe, Howard E; Rinard, Martin C; ... Show more

DownloadRinard_Control jujutsu.pdf (280.3Kb)

OPEN_ACCESS_POLICY

Terms of use

Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/

Metadata

Show full item record

Abstract

Control flow integrity (CFI) has been proposed as an approach to defend against control-hijacking memory corruption attacks. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags and a shadow stack (to check calls and returns) is ineffective in protecting against malicious attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI. We then construct two proof-of-concept exploits that attack an unlimited tag CFI system with a shadow stack. We also evaluate the difficulties of generating a precise CFG using scalable static analysis for real-world applications. Finally, we perform an analysis on a number of popular applications that highlights the availability of such attacks.

Date issued

2015-10

URI

http://hdl.handle.net/1721.1/113878

Department

Lincoln Laboratory; Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Journal

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15

Publisher

Association for Computing Machinery

Citation

Evans, Isaac, et al. "Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 12-16 October, 2015, Denver, Colorado, ACM Press, 2015, pp. 901–13.

Version: Author's final manuscript

ISBN

978-1-4503-3832-5

Collections

MIT Open Access Articles

DSpace@MIT