New Perspectives on Control-Flow Hijacking Mitigation

Abstract

Despite over 20 years of research, control-flow hijacking attacks remain the most significant threat to software security. Attackers exploit C/C++ lack of memory and type safety to corrupt code-pointers, thereby hijacking application control flow and redirecting it to locations of their choice. Control-flow hijacking through code-pointer corruption lies at the heart of modern code-reuse attacks such as return-oriented programming (ROP). The state-of-the-art defense against these attacks is Control-Flow Integrity (CFI), which limits attackers to a set of targets based on a static computation of the program’s control-flow graph (CFG). Computing the CFG relies on alias analysis, which is fundamentally over-approximated, leaving attackers sufficient freedom to exploit software. Further, deployed CFI implementations do not protect return instructions and so do not mitigate ROP. This talk will focus on recent advancements by myself and the HexHive group at Purdue in addressing both the precision of control-flow hijacking defenses and also protecting returns. For precision, we observe that C++ virtual calls have their targets uniquely determined by the underlying object’s class. Consequently, we introduce a new policy called Object Type Integrity (OTI) that dynamically tracks the class (type) of every object, thereby protecting virtual calls. OTI is significantly more precise than CFI on real-world applications such as browsers, allowing only one target for virtual calls as opposed to a set of up to 100. Returns are best protected by shadow stacks, which mirror the return addresses in a protected memory region. We comprehensively evaluate the design and performance of all existing shadow stack mechanisms, allowing us to identify two new shadow stack mechanisms and recommend a design for deployment.