Missing the Point(er): On the Effectiveness of Code Pointer Integrity
Author(s)
Evans, Isaac; Fingeret, Samuel (Samuel P.); González, Julián Armando; Otgonbaatar, Ulziibayar; Tang, Tiffany(Tiffany L.); Shrobe, Howard E; Sidiroglou, Stylianos; Rinard, Martin C; Okhravi, Hamed; ... Show more Show less
DownloadAccepted version (719.1Kb)
Terms of use
Metadata
Show full item recordAbstract
Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware, on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proof-of-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.
Date issued
2015-07Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Lincoln LaboratoryJournal
IEEE Symposium on Security and Privacy
Publisher
Institute of Electrical and Electronics Engineers (IEEE)
Citation
Evans, Isaac, et al. "Missing the Point(er): On the Effectiveness of Code Pointer Integrity." 2015 IEEE Symposium on Security and Privacy, San Jose, CA, 2015, pp. 781-796, doi: 10.1109/SP.2015.53. © 2015 Author(s)
Version: Author's final manuscript
ISBN
978-1-4673-6949-7
ISSN
1081-6011
2375-1207