Conference Proceeding Article
Control Flow Integrity (CFI) is an attractive security property with which most injected and code reuse attacks can be defeated, including advanced attacking techniques like Return-Oriented Programming (ROP). However, comprehensive enforcement of CFI is expensive due to additional supports needed (e.g., compiler support and presence of relocation or debug information) and performance overhead. Recent research has been trying to strike the balance among reasonable approximation of the CFI properties, minimal additional supports needed, and acceptable performance. We investigate existing dynamic code optimization techniques and find that they provide an architecture on which CFI can be enforced effectively and efficiently. In this paper, we propose and implement DynCFI that enforces security policies on a well established dynamic optimizer and show that it provides comparable CFI properties with existing CFI implementations while lowering the overall performance overhead from 28.6 % to 14.8 %. We further perform comprehensive evaluations and shed light on the exact amount of savings contributed by the various components of the dynamic optimizer including basic block cache, trace cache, branch prediction, and indirect branch lookup.
Control Flow Integrity, Return-oriented programming, Dynamic code optimization
Computer Sciences | Theory and Algorithms
Information Security: Proceedings of 19th International Conference, ISC 2016
City or Country
LIN, Yan; TANG, Xiaoxiao; GAO, Debin; and FU, Jianming.
Control flow integrity enforcement with dynamic code optimization. (2016). Information Security: Proceedings of 19th International Conference, ISC 2016. 9866,. Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/3419
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.