COLLATE:控制相关数据的完整性保护

doi:10.19665/j.issn1001-2400.20230106

摘要/Abstract

摘要：

使用C/C++语言编写的程序可能包含安全漏洞。这些漏洞可以被用来劫持控制流。现存的控制流劫持攻击防御措施通常是对间接控制流跳转的目标进行校验,或保证代码指针的完整性。然而,此时攻击者依然可以通过修改函数指针的依赖将间接控制流跳转的目标弯曲为合法但是不符合预期的值。为了解决这个问题,引入了控制相关数据完整性来保证函数指针以及它们的依赖的完整性。这些依赖决定了函数指针的定义和间接控制流跳转之间潜在的数据流关系。首先,控制相关数据完整性保护系统识别出所有函数指针;然后,使用过程间静态污点分析收集它们所依赖的数据;最后,系统将这些控制相关数据分配到硬件保护的内存Ms中来阻止未授权的修改。在SPEC CPU 2006 benchmarks和Nginx上测量了控制相关数据完整性保护系统的开销,并在三个真实世界的漏洞和一个虚表指针劫持攻击的测试集测试了它的有效性。结果显示,设计的系统能够成功检测到所有攻击,同时在C/C++ benchmarks上只有约10.2%的平均开销,在Nginx上约是6.8%,在可接受范围内。实验表明,控制相关数据完整性保护系统是有效且实用的。

关键词: 静态分析, 网络安全, 控制流完整性, 代码指针完整性

Abstract:

Programs written in C/C++ may contain bugs that can be exploited to subvert the control flow.Existing control-flow hijacking mitigations validate the indirect control-flow transfer targets,or guarantee the integrity of code pointers.However,attackers can still overwrite the dependencies of function pointers,bending indirect control-flow trans-fers(ICTs) to valid but unexpected targets.We introduce the control-related data integrity(COLLATE) to guarantee the integrity of function pointers and their dependencies.The dependencies determine the potential data-flow between function pointers definition and ICTs.The COLLATE identifies function pointers,and collects their dependencies with the inter-procedure static taint analysis.Moreover,the COLLATE allocates control-related data on a hardware-protected memory domain MS to prevent unauthorized modifications.We evaluate the overhead of the COLLATE on SPEC CPU 2006 benchmarks and Nginx.Also,we evaluate its effectiveness on three real-world exploits and one test suite for vtable pointer overwrites.The evaluation results show that the COLLATE successfully detects all attacks,and introduces a 10.2% performance overhead on average for the C/C++ benchmark and 6.8% for Nginx,which is acceptable.Experiments prove that the COLLATE is effective and practical.

Key words: static analysis, network security, control-flow integrity, code pointer integrity

中图分类号:

TP309

邓颖川,张桐,刘维杰,王丽娜. COLLATE:控制相关数据的完整性保护[J]. 西安电子科技大学学报, 2023, 50(5): 199-211.

DENG Yingchuan,ZHANG Tong,LIU Weijie,WANG Lina. COLLATE:towards the integrity of control-related data[J]. Journal of Xidian University, 2023, 50(5): 199-211.

图/表 5

图1

图2

图3

表1

图4

参考文献 32

[1]	COWAN C, BEATTIE S, JOHANSEN J, et al. PointGuard^TM:Protecting Pointers from Buffer Overflow Vulnerabilities[C]//Proceedings of the 12th USENIX Security Symposium. Berkeley:USENIX, 2003:91-104.
[2]	KUZNETZOV V, SZEKERES L, PAYER M, et al. Code-Pointer Integrity[C]//11th USENIX Symposium on Operating Systems Design and Implementation. Berkeley:USENIX, 2014:147-163.
[3]	LILJESTRAND H, NYMAN T, WANG K, et al. PAC It Up:Towards Pointer Integrity Using ARM Pointer Authentication[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:177-194.
[4]	MASHTIZADEH A J, BITTAU A, BONEH D, et al. CCFI:Cryptographically Enforced Control Flow Integrity[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015:941-951.
[5]	ABADI M, BUDIU M, ERLINGSSON U, et al. Control-Flow Integrity Principles,Implementations,and Applications[C]//Proceedings of the 12th ACM Conference on Computer and Communications Security. New York: ACM, 2005:340-353.
[6]	DING R, QIAN C, SONG C, et al. Efficient Protection of Path-Sensitive Control Security[C]//26th USENIX Security Symposium. Berkeley:USENIX, 2017:131-148.
[7]	FRASSETTO T, JAUERNIG P, KOISSER D, et al. CFINSIGHT:A Comprehensive Metric for CFI Policies[C] //Proceedings of the 2022 Network and Distributed System Security Symposium. San Diego: NDSS, 2022:1-15.
[8]	KHANDAKER M R, LIU W, NASER A, et al. Origin-sensitive Control Flow Integrity[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:195-211.
[9]	LI Y, WANG M, ZHANG C, et al. Finding Cracks in Shields:on the Security of Control Flow Integrity Mechanisms[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020:1821-1835.
[10]	MOHAN V, LARSEN P, BRUNTHALER S, et al. Opaque Control-Flow Integrity[C]//Proceedings of the 2015 Network and Distributed System Security Symposium. San Diego: NDSS, 2015:1-15.
[11]	NIU B, TAN G. Modular Control-Flow Integrity[C]//Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM, 2014:577-587.
[12]	VAN DER VEEN V, ANDRIESSE D, GÖKTAŞ E, et al. Practical Context-Sensitive CFI[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015:927-940.
[13]	ZHANG M, SEKAR R. Control Flow Integrity for COTS Binaries[C]//Proceedings of the 22th USENIX Security Symposium. Berkeley:USENIX, 2013:337-352.
[14]	BUROW N, ZHANG X, PAYER M. SoK:Shining Light on Shadow Stacks[C]//2019 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2019:985-999.
[15]	CARLINI N, BARRESI A, PAYER M, et al. Control-Flow Bending:On the Effectiveness of Control-Flow Integrity[C]//Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX, 2015:161-176.
[16]	BUROW N, MCKEE D, CARR S A, et al. CFIXX:Object Type Integrity for C++[C]//25th Annual Network and Distributed System Security Symposium. San Diego: NDSS, 2018:1-14.
[17]	HU H, QIAN C, YAGEMANN C, et al. Enforcing Unique Code Target Property for Control-Flow Integrity[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018:1470-1486.
[18]	ISMAIL M, YOM J, JELESNIANSKI C, et al. VIP:Safeguard Value Invariant Property for Thwarting Critical Memory Corruption Attacks[C]//Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021:1612-1626.
[19]	XIE M, WU C, ZHANG Y, et al. CETIS:Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022:2989-3002.
[20]	CARLINI N, WAGNER D. ROP is Still Dangerous:Breaking Modern Defenses[C]//Proceedings of the 23rd USENIX Security Symposium. Berkeley:USENIX, 2014:385-399.
[21]	KHANDAKER M, NASER A, LIU W, et al. Adaptive Call-Site Sensitive Control Flow Integrity[C]//2019 IEEE European Symposium on Security and Privacy.Piscataway:IEEE, 2019:95-110.
[22]	EVANS I, FINGERET S, GONZALEZ J, et al. Missing the Point(er):On the Effectiveness of Code Pointer Integrity[C]//2015 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2015:781-796.
[23]	LILJESTRAND H, NYMAN T, GUNN L J, et al. PACStack:an Authenticated Call Stack[C]//30th USENIX Security Symposium. Berkeley:USENIX, 2021:357-374.
[24]	LI Y, TAN W, LV Z, et al. PACMem:Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication[C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022:1901-1915.
[25]	ZIAD M T I, ARROYO M A, MANZHOSOV E, et al. ZeRØ:Zero-Overhead Resilient Operation Under Pointer Integrity Attacks[C]//48th Annual International Symposium on Computer Architecture. Piscataway:IEEE, 2021:999-1012.
[26]	PROSKURIN S, MOMEU M, GHAVAMNIA S, et al. xMP:Selective Memory Protection for Kernel and User Space[C]//2020 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2020:563-577.
[27]	HEDAYATI M, GRAVANI S, JOHNSON E, et al. Hodor:Intra-Process Isolation for High-Throughput Data Plane Libraries[C]//2019 USENIX Annual Technical Conference.Berkeley:USENIX, 2019:489-503.
[28]	VAHLDIEK-OBERWAGNER A, ELNIKETY E, DUARTE N O, et al. ERIM:Secure,Efficient In-process Isolation with Protection Keys[C]//28th USENIX Security Symposium. Berkeley:USENIX, 2019:1221-1238.
[29]	JIN X, XIAO X, JIA S, et al. Annotating,Tracking,and Protecting Cryptographic Secrets with CryptoMPK[C]//43rd IEEE Symposium on Security and Privacy. Piscataway:IEEE, 2022:650-665.
[30]	MILBURN A, VAN DER KOUWE E, GIUFFRIDA C. Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation[C]//43rd IEEE Symposium on Security and Privacy. Piscataway:IEEE, 2022:1049-1065.
[31]	KIRTH P, DICKERSON M, CRANE S, et al. PKRU-Safe:Automatically Locking Down the Heap Between Safe and Unsafe Languages[C]//EuroSys’22:Seventeenth European Conference on Computer Systems. New York: ACM, 2022:132-148.
[32]	SCHRAMMEL D, WEISER S, SADEK R, et al. Jenny:Securing Syscalls for PKU-based Memory Isolation Systems[C]//31st USENIX Security Symposium. Berkeley:USENIX, 2022:936-952.

benchmark	ICTs	插桩指令		FN_protected		CRD
benchmark	ICTs	CPI	COLLATE	CPI	COLLATE	CRD
bzip2	53	498	1 596	4	15	43
mcf	0	85	0	1	0	0
gobmk	46	7 626	185	222	6	55
hmmer	13	6 380	102	22	10	21
sjeng	1	707	107	18	0	2
libquantum	0	156	0	2	0	0
h264ref	354	4 219	96	42	11	146
milc	4	2 414	0	25	35	52
lbm	0	76	0	1	0	0
sphinx3	8	6 997	697	17	20	50
Nginx	332	13 284	7 753	212	173	229