Evaluating the Attack Surface of Control Flow Integrity

Open Access
- Author:
- Zeng, Dongrui
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- October 06, 2021
- Committee Members:
- Trent Jaeger, Major Field Member
- Peng Liu, Outside Unit & Field Member
- G. Tan, Chair & Dissertation Advisor
- Sencun Zhu, Major Field Member
- Ben Niu, Special Member
- Chitaranjan Das, Program Head/Chair
- Keywords:
- Control Flow Integrity
- Security Evaluation
- Binary Analysis
- Control Flow Graph
- Type Inference
- Attack Surface
- Abstract:
- Control-Flow Integrity (CFI) enforces a control-flow graph (CFG) to limit attackers’ ability to manipulate runtime control flow. The essence of a CFI enforcement is a binary-level CFG, which we call a CFI policy. However, there are many CFI variations, each enforcing CFGs of a certain precision level. Each precision level eliminates a different amount of attack surface, resulting in different security guarantees. In general, enforcing a more precise CFG exposes a smaller attack surface. However, the attack surface that remains after a CFI defense may leave programs still vulnerable. Therefore, evaluating the attack surface of CFI-protected software is critical and desirable. The first step is to construct CFGs corresponding to different CFI implementations. Some CFI systems construct CFGs from binaries alone, while others modify compilers to access source-level information for better CFG precision. Extracting CFGs from different CFI implementations can be laborious. Thus, we propose to generate CFGs of different precision levels from standard compiler-generated meta-information, including symbol tables, relocation information, and debugging information. The key component of the system is a type-inference engine that infers the types of low-level storage locations, which enables various signature-matching methods for constructing CFGs at different precision levels. Different CFGs result in different security strengths; the ideal measurement of security strength would be the attack-surface reduction. We define the attack surface as all attack paths that fulfill an attacker’s malicious goal. Because finding all paths in a program runs into the unavoidable path-explosion problem, the key to designing a good metric for the attack surface is to balance the completeness, accuracy, and scalability of the static analysis used to reveal the attack surface.
Therefore, we propose two quantitative metrics for the attack surface of a CFI-hardened program: one pursues completeness by covering the attack surface with an overapproximation, while the other favors better accuracy. Computing the two metrics requires a program’s CFG, an attack model, and a security-violation policy as input. The first metric relies on an attack-aware data-dependency tracking algorithm to identify all risky program points; the second relies on a per-path value-tracking analysis to determine risky paths.