USENIX Security 2017

Efficient Protection of Path-Sensitive Control Security

Ren Ding, Chenxiong Qian, Chengyu Song, William Harris, Taesoo Kim, Wenke Lee

123 citations

Abstract

Control-Flow Integrity (CFI), as a means to prevent control-flow hijacking attacks, enforces that each instruction transfers control to an address in a set of valid targets. The security guarantee of CFI thus depends on the definition of valid targets, which conventionally are defined as the result of a static analysis. Unfortunately, previous research has demonstrated that such a definition, and thus any implementation that enforces it, still allows practical control-flow attacks. In this work, we present a path-sensitive variation of CFI that utilizes runtime path-sensitive points-to analysis to compute the legitimate control transfer targets. We have designed and implemented a runtime environment, PITTYPAT, that enforces path-sensitive CFI efficiently by combining commodity, low-overhead hardware monitoring and a novel runtime points-to analysis. Our formal analysis and empirical evaluation demonstrate that, compared to CFI based on static analysis, PITTYPAT ensures that applications satisfy stronger security guarantees, with acceptable overhead for security-critical contexts.

| Program: Name | Program: KLoC | Payload: Exp | Payload: Tm (sec) | π-CFI: Alarm | π-CFI: Overhd (%) | PITTYPAT: Alarm | PITTYPAT: Overhd (%) | CETS+SB: Alarm | CETS+SB: Overhd (%) |
|---|---|---|---|---|---|---|---|---|---|
| 400.perlbench | 128 | No | 332 | No | 8.7% | No | 47.3% | Yes | - |
| 401.bzip2 | 6 | No | 317 | No | 1.3% | No | 17.7% | No | 91.4% |
| 403.gcc | 383 | No | 179 | No | 6.2% | No | 34.1% | Yes | - |
| 429.mcf | 2 | No | 211 | No | 4.3% | No | 32.2% | Yes | - |
| 433.milc | 10 | No | 514 | No | 1.9% | No | 1.8% | Yes | - |
| 444.namd | 4 | No | 556 | No | -0.3% | No | 28.8% | Yes | - |
| 445.gobmk | 158 | No | 328 | No | 11.4% | No | 4.0% | Yes | - |
| 450.soplex | 28 | No | 167 | No | -1.1% | No | 27.5% | Yes | - |
| 453.povray | 79 | No | 100 | No | 11.9% | No | 16.0% | Yes | - |
| 456.hmmer | 21 | No | 258 | No | 0.2% | No | 20.2% | Yes | - |
| 458.sjeng | 11 | No | 359 | No | 8.5% | No | 6.7% | No | 80.1% |
| 462.libquantum | 3 | No | 234 | No | -1.5% | No | 14.1% | Yes | - |
| 464.h264ref | 36 | No | 339 | No | 8.0% | No | 11.8% | No | 251.7% |
| 470.lbm | 1 | No | 429 | No | 1.4% | No | 0.7% | Yes | - |
| 473.astar | 4 | No | 289 | No | 2.2% | No | 22.5% | Yes | - |
| 482.sphinx3 | | | | | | | | | |
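
The difference the abstract draws between a statically computed target set and a path-sensitive one, as an added illustration in C. This is a simplified model, not PITTYPAT's implementation or code from the paper; the handler names, `monitor_branch` and `check_dispatch` are hypothetical, and the pointer swap stands in for a memory-corruption bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(void);

/* Hypothetical handlers: both are possible targets of the indirect call. */
static int handle_user(void)  { return 1; }
static int handle_admin(void) { return 2; }

/* Static policy: one fixed target set for the call site, every execution. */
static bool static_cfi_allows(handler_t t) {
    return t == handle_user || t == handle_admin;
}

/* Path-sensitive monitor state: what the pointer may point to on the
   path actually executed so far. */
static handler_t path_points_to = NULL;

/* Fed with each branch outcome; stands in for the hardware control-flow
   trace that a runtime points-to analysis would consume. */
static void monitor_branch(bool is_admin) {
    path_points_to = is_admin ? handle_admin : handle_user;
}

static bool path_cfi_allows(handler_t t) { return t == path_points_to; }

/* Returns bit 0 set if the static policy admits the call target and
   bit 1 set if the path-sensitive policy admits it. `corrupt` swaps the
   pointer after the branch, a stand-in for a memory-safety bug. */
int check_dispatch(bool is_admin, bool corrupt) {
    handler_t h = is_admin ? handle_admin : handle_user;
    monitor_branch(is_admin);
    if (corrupt)
        h = is_admin ? handle_user : handle_admin;
    return (static_cfi_allows(h) ? 1 : 0) | (path_cfi_allows(h) ? 2 : 0);
}

int main(void) {
    printf("benign:    %d\n", check_dispatch(false, false));
    printf("corrupted: %d\n", check_dispatch(false, true));
    return 0;
}
```

A result of 3 means both policies admit the transfer; a result of 1 means the swapped target is still inside the static set but is rejected once the executed path is taken into account.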