1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430040, Hubei, China
2. Ant Group, Hangzhou 310012, Zhejiang, China
邓颖川 (DENG Yingchuan) (born 1998), male, master's student at Wuhan University, E-mail: [email protected];
张桐 (ZHANG Tong) (born 1996), male, doctoral student at Wuhan University, E-mail: [email protected];
刘维杰 (LIU Weijie) (born 1991), male, senior engineer, E-mail: [email protected]
王丽娜 (WANG Lina) (born 1964), female, professor, E-mail: [email protected]
邓颖川, 张桐, 刘维杰, et al. COLLATE: Integrity Protection for Control-Related Data [J]. Journal of Xidian University (西安电子科技大学学报), 2023, 50(5): 199-211. DOI: 10.19665/j.issn1001-2400.20230106.
Programs written in C/C++ may contain security vulnerabilities that can be exploited to hijack control flow. Existing defenses against control-flow hijacking typically validate the targets of indirect control-flow transfers or guarantee the integrity of code pointers. Even so, an attacker can modify the dependencies of a function pointer and thereby bend an indirect control-flow transfer to a target that is valid but not the one intended. To address this, we introduce control-related data integrity, which guarantees the integrity of function pointers together with their dependencies; these dependencies determine the potential data flow between the definition of a function pointer and the indirect control-flow transfer that uses it. The control-related data integrity protection system first identifies all function pointers, then uses inter-procedural static taint analysis to collect the data they depend on, and finally places this control-related data in a hardware-protected memory domain MS to block unauthorized modification. We measured the overhead of the system on the SPEC CPU 2006 benchmarks and on Nginx, and tested its effectiveness on three real-world vulnerabilities and one test suite for vtable pointer hijacking. The results show that the system detects all of the attacks while incurring an average overhead of about 10.2% on the C/C++ benchmarks and about 6.8% on Nginx, which is within an acceptable range. The experiments show that control-related data integrity protection is both effective and practical.
Programs written in C/C++ may contain bugs that can be exploited to subvert the control flow. Existing control-flow hijacking mitigations validate the indirect control-flow transfer targets, or guarantee the integrity of code pointers. However, attackers can still overwrite the dependencies of function pointers, bending indirect control-flow transfers (ICTs) to valid but unexpected targets. We introduce the control-related data integrity (COLLATE) to guarantee the integrity of function pointers and their dependencies. The dependencies determine the potential data-flow between function pointers definition and ICTs. The COLLATE identifies function pointers, and collects their dependencies with the inter-procedure static taint analysis. Moreover, the COLLATE allocates control-related data on a hardware-protected memory domain MS to prevent unauthorized modifications. We evaluate the overhead of the COLLATE on SPEC CPU 2006 benchmarks and Nginx. Also, we evaluate its effectiveness on three real-world exploits and one test suite for vtable pointer overwrites. The evaluation results show that the COLLATE successfully detects all attacks, and introduces a 10.2% performance overhead on average for the C/C++ benchmark and 6.8% for Nginx, which is acceptable. Experiments prove that the COLLATE is effective and practical.
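The abstract's central observation, as an added illustration that is not the paper's code: a function pointer loaded from a dispatch table depends on the index that selects it, so corrupting that index bends the indirect call to a target that a target-validating CFI check accepts. The paper places such control-related data in an MPK-protected domain MS; this example stands in for that domain with a single anonymous page that is kept read-only and opened only inside an authorized update routine, so an unauthorized store faults and is detected. The handlers, the table, the index field and all values are constructed for the example.

```c
/* Added illustration (not the paper's code): control-related data, why a CFI
 * target check alone misses a "bent" dependency, and a page-permission stand-in
 * for the hardware-protected domain MS (the paper uses MPK; mprotect is used here). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*handler_t)(int);
static int handle_read(int x)  { return x + 1; }
static int handle_write(int x) { return x * 2; }
static int handle_admin(int x) { return -x; }   /* privileged; never expected here */

/* Every entry is a legitimate ICT target, so a target check against this table
 * accepts handle_admin just as readily as handle_read. */
#define NTABLE 3
static const handler_t table[NTABLE] = { handle_read, handle_write, handle_admin };

/* The index that selects the function pointer is its dependency: control-related data. */
struct ctrl_data { unsigned idx; };

static struct ctrl_data *ms;        /* simulated protected domain: one page */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static int cfi_target_ok(handler_t t) {
    for (int i = 0; i < NTABLE; i++)
        if (table[i] == t) return 1;
    return 0;
}

/* Coarse-grained CFI at the ICT: validate the target, then call. -1 on violation. */
static int dispatch_from(const struct ctrl_data *cd, int arg) {
    if (cd->idx >= NTABLE) return -1;
    handler_t t = table[cd->idx];
    if (!cfi_target_ok(t)) return -1;
    return t(arg);
}

/* Unprotected control-related data: overwriting idx bends the call to
 * handle_admin, and the CFI check accepts it because the target is in the table. */
int bent_target_passes_cfi(void) {
    struct ctrl_data plain = { .idx = 0 };     /* expected target: handle_read */
    plain.idx = 2;                             /* constructed corruption of the dependency */
    return dispatch_from(&plain, 5) == handle_admin(5);   /* 1: CFI did not notice */
}

/* Protected domain: the control-related data lives on a page that is read-only
 * except inside the authorized (instrumented) update routine. */
int ms_init(unsigned idx) {
    long ps = sysconf(_SC_PAGESIZE);
    ms = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ms == MAP_FAILED) return -1;
    ms->idx = idx;
    return mprotect(ms, ps, PROT_READ);
}

int ms_set_idx(unsigned idx) {                 /* authorized store site */
    long ps = sysconf(_SC_PAGESIZE);
    if (mprotect(ms, ps, PROT_READ | PROT_WRITE) != 0) return -1;
    ms->idx = idx;
    return mprotect(ms, ps, PROT_READ);
}

int dispatch(int arg) { return dispatch_from(ms, arg); }

static void on_segv(int sig) { (void)sig; fault_seen = 1; siglongjmp(fault_env, 1); }

/* A store to MS from outside an authorized site faults; returns 1 if it was blocked. */
int unauthorized_write_blocked(unsigned new_idx) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        ((volatile struct ctrl_data *)ms)->idx = new_idx;
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

int main(void) {
    printf("bent target passes CFI: %d\n", bent_target_passes_cfi());
    ms_init(0);
    printf("dispatch -> %d\n", dispatch(5));            /* handle_read: 6 */
    ms_set_idx(1);
    printf("dispatch -> %d\n", dispatch(5));            /* handle_write: 10 */
    printf("unauthorized write blocked: %d\n", unauthorized_write_blocked(2));
    printf("dispatch -> %d\n", dispatch(5));            /* still 10, not handle_admin */
    return 0;
}
```

The page-toggling in `ms_set_idx` is the costly part that MPK replaces with a register write, which is where the paper's low overhead comes from; the detection property is the same in both cases, since a store outside an authorized site cannot reach the protected data.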
Keywords: static analysis; network security; control-flow integrity; code pointer integrity