Publication Type

Conference Proceeding Article

Publication Date

9-2016

Abstract

Control Flow Integrity (CFI) is an attractive security property with which most injected and code reuse attacks can be defeated, including advanced attacking techniques like Return-Oriented Programming (ROP). However, comprehensive enforcement of CFI is expensive due to additional supports needed (e.g., compiler support and presence of relocation or debug information) and performance overhead. Recent research has been trying to strike the balance among reasonable approximation of the CFI properties, minimal additional supports needed, and acceptable performance. We investigate existing dynamic code optimization techniques and find that they provide an architecture on which CFI can be enforced effectively and efficiently. In this paper, we propose and implement DynCFI that enforces security policies on a well established dynamic optimizer and show that it provides comparable CFI properties with existing CFI implementations while lowering the overall performance overhead from 28.6 % to 14.8 %. We further perform comprehensive evaluations and shed light on the exact amount of savings contributed by the various components of the dynamic optimizer including basic block cache, trace cache, branch prediction, and indirect branch lookup.

Keywords

Control Flow Integrity, Return-oriented programming, Dynamic code optimization

Discipline

Computer Sciences | Theory and Algorithms

Research Areas

Cybersecurity

Publication

Information Security: Proceedings of 19th International Conference, ISC 2016

Volume

9866

ISBN

978-3-319-45870-0

Identifier

10.1007/978-3-319-45871-7_22

Publisher

Springer

City or Country

Honolulu, HI

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Additional URL

http://dx.doi.org/10.1007/978-3-319-45871-7_22

Share

COinS