Value-Based Constraint Control Flow Integrity

Control flow integrity (CFI) is a generic technique that prevents control flow hijacking attacks by verifying the legitimacy of indirect branches against a predefined set of targets. State-of-the-art CFI solutions focus on reducing the number of targets using the context of a program such as the p...


Bibliographic Details
Main Authors: Dongjae Jung, Minsu Kim, Jinsoo Jang, Brent Byunghoon Kang
Format: Article
Language: English
Published: IEEE 2020-01-01
Series: IEEE Access
Subjects: Control flow hijacking; control flow integrity; non-control data; program analysis
Online Access: https://ieeexplore.ieee.org/document/9032089/
id doaj-6b51d620ebb84547aad5bdbf9c0ec96c
record_format Article
spelling doaj-6b51d620ebb84547aad5bdbf9c0ec96c (record updated 2021-03-30T01:28:17Z)
Language: eng
Publisher: IEEE
Series: IEEE Access, ISSN 2169-3536
Published: 2020-01-01, volume 8, pages 50531-50542
DOI: 10.1109/ACCESS.2020.2980026 (IEEE Xplore document 9032089)
Title: Value-Based Constraint Control Flow Integrity
Authors and affiliations:
Dongjae Jung (https://orcid.org/0000-0002-2790-091X), Graduate School of Information Security, Korea Advanced Institute of Science and Technology, Daejeon, South Korea
Minsu Kim (https://orcid.org/0000-0003-3962-6046), S2W LAB Inc., Seongnam, South Korea
Jinsoo Jang (https://orcid.org/0000-0003-2070-2408), Department of Computer Science and Engineering, Chungnam National University (CNU), Daejeon, South Korea
Brent Byunghoon Kang (https://orcid.org/0000-0001-8984-1006), Graduate School of Information Security, Korea Advanced Institute of Science and Technology, Daejeon, South Korea
Abstract: see the description field below.
URL: https://ieeexplore.ieee.org/document/9032089/
Keywords: Control flow hijacking; control flow integrity; non-control data; program analysis
collection DOAJ
sources DOAJ
publisher IEEE
series IEEE Access
issn 2169-3536
publishDate 2020-01-01
description Control flow integrity (CFI) is a generic technique that prevents control flow hijacking attacks by verifying the legitimacy of indirect branches against a predefined set of targets. State-of-the-art CFI solutions focus on reducing the number of targets using the context of a program such as the path to the indirect branch and the origin of the code pointer. However, these solutions work with an impractical assumption that the attacker only compromises control data; non-control data such as condition data that can also be abused by attackers are not considered. To overcome these limitations, in this paper, we propose value-based constraint CFI (vCFI) to improve the effectiveness of CFI by retrieving and protecting all data that can potentially be manipulated for control flow hijacking. We first perform static analysis such as dependency, condition, and data analyses to derive all control flow-related data. Then, vCFI protects these data during runtime by instrumenting a program to be hardened. We implemented vCFI as a compiler extension and evaluated its performance using SPEC CPU2006. The performance degradation caused by adopting vCFI was reasonable, and the average overhead was 13.6%.
topic Control flow hijacking
control flow integrity
non-control data
program analysis
url https://ieeexplore.ieee.org/document/9032089/