Author(s): Vishwath Mohan, Per Larsen, Stefan Brunthaler, Kevin W. Hamlen, Michael Franz

Download: Paper (PDF)

Date: 7 Feb 2015

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2015
A new binary software randomization and Control-Flow Integrity (CFI) enforcement system is presented, which is the first to resist code-reuse attacks launched by informed adversaries who possess full knowledge of the in-memory code layout of victim programs. While fine-grained code randomization continues to be an effective defense against brute-force code-reuse attacks such as Return-Oriented Programming (ROP), researchers have recently demonstrated the feasibility of implementation disclosure attacks that can potentially divulge most or all of the in-memory code layout of victim processes. Such attacks defeat fine-grained randomization defenses by revealing the randomized locations of the code gadgets that attackers abuse to effect code-reuse attacks. Opaque CFI (O-CFI) is the first exploit mitigation technique that resists this latest wave of attacks against fine-grained code randomization. By combining fine-grained code-randomization with coarse-grained integrity checks, it conceals the graph of hijackable control-flow edges even from attackers who can view the complete stack, heap, and binary code of the victim process. For maximal efficiency, the integrity checks are implemented using instructions that will soon be hardware-accelerated on commodity x86-x64 processors. The approach is highly practical since it does not require a modified compiler and can protect legacy binaries without access to source code. Experiments using our fully functional prototype implementation show that O-CFI provides significant probabilistic protection against ROP attacks launched by adversaries with complete code layout knowledge, and exhibits only 4.97% mean performance overhead on current hardware (with further overhead reductions to follow on forthcoming Intel processors).
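The abstract describes the two ingredients of O-CFI, fine-grained code randomization plus a coarse-grained integrity check at each indirect branch, and the claim that an attacker who can read the entire code layout still does not learn which control-flow edges the checks accept. The toy model below is an added example written for this page, not code from the paper or its prototype. It constructs a small control-flow graph, randomizes where legitimate targets and unintended gadgets land, derives a per-site [lo, hi] bounds table enclosing each site's legitimate targets, and measures what share of gadgets a hijacked branch would still be allowed to reach. Every site name, function name, address and the gadget list is constructed; the bounds compare stands in for the bound-check instructions the abstract refers to (Intel MPX in the paper's prototype).

```python
"""Toy model of the O-CFI idea (added example, not the authors' code).

Fine-grained randomization decides where legitimate targets and unintended
gadgets land; a coarse-grained bounds check at each indirect branch only
admits targets inside that site's [lo, hi].  An attacker may know the whole
layout but not the bounds table, so which gadgets a hijacked branch accepts
stays hidden.  All names, addresses and the CFG below are constructed."""
import random
from dataclasses import dataclass

# Constructed CFG: indirect branch site -> legitimate targets (from static analysis).
CFG = {
    "call_site_A": ["fn_open", "fn_read"],
    "call_site_B": ["fn_parse", "fn_log", "fn_close"],
    "ret_site_C": ["after_call_1", "after_call_2"],
}
TARGETS = sorted({t for ts in CFG.values() for t in ts})
CODE_BASE, CODE_SIZE = 0x400000, 0x10000   # assumed code segment


@dataclass
class Layout:
    target_addr: dict   # legitimate target name -> address after randomization
    gadget_addr: list   # unintended gadget addresses (the attacker knows all of them)


def randomize_layout(seed, n_gadgets=40):
    """Fine-grained randomization: every target and every gadget gets a fresh address."""
    rng = random.Random(seed)
    addrs = rng.sample(range(CODE_BASE, CODE_BASE + CODE_SIZE), len(TARGETS) + n_gadgets)
    return Layout(dict(zip(TARGETS, addrs[:len(TARGETS)])), addrs[len(TARGETS):])


def compute_bounds(layout):
    """Bounds table: per site, the [lo, hi] range enclosing its legitimate targets.
    This table is what the attacker cannot read."""
    return {site: (min(layout.target_addr[t] for t in ts),
                   max(layout.target_addr[t] for t in ts))
            for site, ts in CFG.items()}


def check_branch(bounds, site, target):
    """Runtime check before the indirect jump: lower and upper bound compare,
    the role played by bound-check instructions in the paper's prototype."""
    lo, hi = bounds[site]
    return lo <= target <= hi


def legit_edges_pass(layout, bounds):
    """Sanity property: every edge in the CFG is admitted by its site's bounds."""
    return all(check_branch(bounds, site, layout.target_addr[t])
               for site, ts in CFG.items() for t in ts)


def reachable_gadgets(layout, bounds, site):
    """Gadgets a hijacked branch at `site` would still be allowed to reach."""
    return {g for g in layout.gadget_addr if check_branch(bounds, site, g)}


def fraction_reachable(layout, bounds, site):
    """Probability that an attacker who knows the layout but not the bounds picks
    a gadget that survives the check at `site` (the protection is probabilistic)."""
    return len(reachable_gadgets(layout, bounds, site)) / len(layout.gadget_addr)


# Hand-built layout (constructed) so the numbers can be followed by eye.
FIXED_LAYOUT = Layout(
    target_addr={"fn_open": 0x401000, "fn_read": 0x402000, "fn_parse": 0x403000,
                 "fn_log": 0x405000, "fn_close": 0x404000,
                 "after_call_1": 0x406100, "after_call_2": 0x406200},
    gadget_addr=[0x400800, 0x401800, 0x403800, 0x406180, 0x40F000],
)

if __name__ == "__main__":
    for lay in (FIXED_LAYOUT, randomize_layout(1), randomize_layout(2)):
        b = compute_bounds(lay)
        assert legit_edges_pass(lay, b)
        print({s: (len(reachable_gadgets(lay, b, s)),
                   round(fraction_reachable(lay, b, s), 2)) for s in CFG})
```

Running it with different seeds shows the point the abstract makes: the set of gadgets that pass the check at a given site changes with every randomization, so full knowledge of the layout alone does not tell an attacker which gadget addresses a hijacked branch will accept. The model deliberately omits the clustering and bounds-table hiding details of the real design; it only illustrates why combining randomization with bounds checks conceals the hijackable edges.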