Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM
Venue: Proceedings of the 23rd Usenix Security Symposium, USENIX, San Diego, CA (2014)
Publication Year: 2014
Authors: Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, Geoff Pike
Abstract
Constraining dynamic control transfers is a common technique for mitigating
software vulnerabilities. This defense has been widely and successfully used to
protect return addresses and stack data; hence, current attacks instead typically
corrupt vtable and function pointers to subvert a forward edge (an indirect jump or
call) in the control-flow graph. Forward edges can be protected using Control-Flow
Integrity (CFI) but, to date, CFI implementations have been research prototypes,
based on impractical assumptions or ad hoc, heuristic techniques. To be widely
adoptable, CFI mechanisms must be integrated into production compilers and be
compatible with software-engineering aspects such as incremental compilation and
dynamic libraries. This paper presents implementations of fine-grained,
forward-edge CFI enforcement and analysis for GCC and LLVM that meet the above
requirements. An analysis and evaluation of the security, performance, and resource
consumption of these mechanisms applied to the SPEC CPU2006 benchmarks and common
benchmarks for the Chromium web browser show the practicality of our approach:
these fine-grained CFI mechanisms have significantly lower overhead than recent
academic CFI prototypes. Implementing CFI in industrial compiler frameworks has
also led to insights into design tradeoffs and practical challenges, such as
dynamic loading.
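The abstract's central idea is that a forward edge (an indirect call or jump through a function pointer or vtable slot) is only allowed to reach a target that belongs to the set the compiler determined to be valid for that call site. The following C program is an added illustration of that check and is not the paper's GCC or LLVM implementation: the compiler-derived target sets are replaced by a hand-written allow-list (`valid_handlers`), and all function names are hypothetical. It shows a pointer that has been overwritten with the address of a function of a different signature being refused before the call is made.

```c
#include <stdio.h>
#include <stddef.h>

/* Two functions with the same signature: both are legitimate targets for an
 * indirect call through a pointer of type handler_fn. */
typedef int (*handler_fn)(int);

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* A function with a different signature. If a memory-corruption bug
 * overwrites a handler_fn slot with this address, the call must be blocked. */
static long unrelated_routine(void) { return 42; }

/* Hypothetical allow-list standing in for the compiler-emitted set of valid
 * targets for handler_fn (the paper derives such sets at build time; this
 * table is a hand-written stand-in for the example). */
static const handler_fn valid_handlers[] = { double_it, negate };

/* Forward-edge check: the indirect call through p is permitted only when p
 * equals one of the recorded valid targets. */
static int cfi_check_handler(handler_fn p) {
    size_t n = sizeof valid_handlers / sizeof valid_handlers[0];
    for (size_t i = 0; i < n; i++)
        if (valid_handlers[i] == p) return 1;
    return 0;
}

/* Protected dispatch: refuses the call and reports it when the check fails.
 * A production implementation would terminate the process at this point. */
static int dispatch_checked(handler_fn p, int arg, int *blocked) {
    if (!cfi_check_handler(p)) {
        *blocked = 1;
        return -1;
    }
    *blocked = 0;
    return p(arg);
}

/* Constructed stand-in for a corrupted function pointer: the slot now holds
 * the address of a function whose type does not match handler_fn. */
static handler_fn corrupted_pointer(void) {
    return (handler_fn)unrelated_routine;
}

int main(void) {
    int blocked;
    int r = dispatch_checked(negate, 5, &blocked);
    printf("legitimate target: result=%d blocked=%d\n", r, blocked);

    r = dispatch_checked(corrupted_pointer(), 5, &blocked);
    printf("corrupted pointer: result=%d blocked=%d\n", r, blocked);
    return 0;
}
```

The check is a linear scan over an explicit table, which is enough to show the policy; the paper's compiler-integrated mechanisms encode the valid-target sets far more compactly and emit the check at each indirect call site automatically, which is what makes the approach practical at the scale of Chromium.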
