CCS2024

Boosting Practical Control-Flow Integrity with Complete Field Sensitivity and Origin Awareness

Hao Xiang, Zehui Cheng, Jinku Li, Jianfeng Ma, Kangjie Lu

Abstract

Control-flow integrity (CFI) is a strong and efficient defense mechanism against memory-corruption attacks. The practical versions of CFI, which have been integrated into compilers, employ static analysis to collect all possibly valid target functions of indirect calls. They are, however, less effective because the static analysis is imprecise. While more precise CFI techniques have been proposed, such as dynamic CFI, they are not yet practical due to issues with performance, compatibility, and deployability. We believe that, to be practical, CFI based on static analysis is still the promising direction. However, recent years have not seen much progress on the effectiveness of such practical CFI. This paper aims to boost the effectiveness of practical CFI by dramatically optimizing the target-function sets (also known as equivalence classes, or ECs) of indirect calls. We first identify two fundamental limitations that lead to the imprecision of static indirect-call analysis: incomplete field sensitivity due to variable field indexes, and unawareness of the origins of points-to targets. We then propose two novel analysis techniques, complete field sensitivity and origin awareness, which handle variable field indexes and distinguish target origins. The techniques dramatically reduce the size of target-function sets. To enforce the origin awareness, we further employ Intel Memory Protection Keys to safely store the origin information. We implement our techniques as a system called ECCut. The evaluation results show that, compared to the mainline LLVM CFI, ECCut achieves a substantial reduction of 94.8% and 90.3% in the average and the largest EC sizes. Compared to the state-of-the-art origin-aware CFI (i.e., OS-CFI), ECCut reduces the average and the largest EC sizes by 90.2% and 89.3%, respectively. Additionally,