Control Flow Integrity

Control-flow integrity (CFI) is a general term for computer security techniques that prevent a wide variety of malware attacks from redirecting the flow of execution (the control flow) of a program.


Background

A computer program commonly changes its control flow to make decisions and use different parts of the code. Such transfers may be ''direct'', in that the target address is written in the code itself, or ''indirect'', in that the target address itself is a variable in memory or a CPU register. In a typical function call, the program performs a direct call, but returns to the caller function using the stack – an indirect ''backward-edge'' transfer. When a function pointer is called, such as from a virtual table, we say there is an indirect ''forward-edge'' transfer. Attackers seek to inject code into a program to make use of its privileges or to extract data from its memory space. Before executable code was commonly made read-only, an attacker could arbitrarily change the code as it is run, targeting direct transfers or even doing without transfers at all. After W^X became widespread, an attacker instead wants to redirect execution to a separate, unprotected area containing the code to be run, making use of indirect transfers: one could overwrite the virtual table for a forward-edge attack or change the call stack for a backward-edge attack (return-oriented programming). CFI is designed to protect indirect transfers from going to unintended locations.


Techniques

Associated techniques include code-pointer separation (CPS), code-pointer integrity (CPI), stack canaries, shadow stacks, and vtable pointer verification. These protections can be classified as either ''coarse-grained'' or ''fine-grained'' based on the number of targets restricted. A coarse-grained forward-edge CFI implementation could, for example, restrict the set of indirect call targets to any function that may be indirectly called in the program, while a fine-grained one would restrict each indirect call site to functions that have the same type as the function to be called. Similarly, for a backward-edge scheme protecting returns, a coarse-grained implementation would only allow the procedure to return to a function of the same type (of which there could be many, especially for common prototypes), while a fine-grained one would enforce precise return matching (so it can return only to the function that called it).


Implementations

Related implementations are available in Clang (LLVM in general), Microsoft's Control Flow Guard and Return Flow Guard, Google's Indirect Function-Call Checks, and Reuse Attack Protector (RAP).


LLVM/Clang

LLVM/Clang provides a "CFI" option that works on the forward edge by checking for errors in virtual tables and type casts. It depends on link-time optimization (LTO) to know which functions are supposed to be called in normal cases. There is a separate "shadow call stack" scheme that defends the backward edge by checking for call stack modifications, available only for aarch64. Google has shipped Android with the Linux kernel compiled by Clang with link-time optimization (LTO) and CFI since 2018. The shadow call stack (SCS) is available for the Linux kernel as an option, including on Android.


Intel Control-flow Enforcement Technology

Intel Control-flow Enforcement Technology (CET) detects compromises to control flow integrity with a shadow stack (SS) and indirect branch tracking (IBT).

The kernel must map a region of memory for the shadow stack that is not writable by user space programs except through special instructions. The shadow stack stores a copy of the return address of each CALL. On a RET, the processor checks whether the return addresses stored on the normal stack and on the shadow stack are equal. If the addresses are not equal, the processor generates an INT #21 (Control Flow Protection Fault).

Indirect branch tracking detects indirect JMP or CALL instructions to unauthorized targets. It is implemented by adding a new internal state machine to the processor. The behavior of indirect JMP and CALL instructions is changed so that they switch the state machine from IDLE to WAIT_FOR_ENDBRANCH. In the WAIT_FOR_ENDBRANCH state, the next instruction to be executed is required to be the new ENDBRANCH instruction (ENDBR32 in 32-bit mode or ENDBR64 in 64-bit mode), which changes the internal state machine from WAIT_FOR_ENDBRANCH back to IDLE. Thus every authorized target of an indirect JMP or CALL must begin with ENDBRANCH. If the processor is in the WAIT_FOR_ENDBRANCH state (meaning the previous instruction was an indirect JMP or CALL) and the next instruction is not an ENDBRANCH instruction, the processor generates an INT #21 (Control Flow Protection Fault). On processors not supporting CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect.
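The two checks just described, as an added software model (not Intel's specification text or any real CET implementation): a tiny simulator with a constructed instruction set keeps a normal stack, a shadow stack and the IDLE/WAIT_FOR_ENDBRANCH state, and reports a fault when a RET finds the two return addresses differ or when an indirect branch lands on anything other than ENDBRANCH. The instruction names, the fault codes and the sample programs are all constructed for the example; running the same tampered program with the checks off shows what the shadow stack is buying.

```c
/* Software model of the two CET checks: a shadow stack for RET and the
 * IBT state machine for indirect JMP/CALL. Added example, not Intel's code;
 * the instruction set, fault codes and programs below are all constructed. */
#include <stdio.h>
#include <string.h>

enum op { OP_NOP, OP_ENDBR, OP_CALL, OP_ICALL, OP_IJMP, OP_RET, OP_HALT };
struct insn { enum op op; int target; };   /* target: pc for CALL/ICALL/IJMP */

enum result { RUN_OK = 0, FAULT_CP_SS = 1, FAULT_CP_IBT = 2, FAULT_BAD = 3 };

#define STACK_MAX 16
struct cpu {
    int pc;
    int stack[STACK_MAX];  int sp;    /* normal stack: reachable by an overflow */
    int shadow[STACK_MAX]; int ssp;   /* shadow stack: written only by CALL */
    int wait_endbr;                   /* IBT state: 0 IDLE, 1 WAIT_FOR_ENDBRANCH */
};

/* Stands in for a stack buffer overflow: only the normal stack is reachable. */
static void corrupt_return_address(struct cpu *c, int new_target)
{
    if (c->sp > 0) c->stack[c->sp - 1] = new_target;
}

/* Executes prog until HALT or a fault. When pc reaches tamper_at (-1 = never),
 * the topmost return address on the normal stack is replaced by tamper_to.
 * cet = 0 runs the same program with both checks disabled, for comparison. */
static enum result run(const struct insn *prog, int len,
                       int tamper_at, int tamper_to, int cet)
{
    struct cpu c; memset(&c, 0, sizeof c);
    for (int steps = 0; steps < 1000; steps++) {
        if (c.pc < 0 || c.pc >= len) return FAULT_BAD;
        if (c.pc == tamper_at) corrupt_return_address(&c, tamper_to);
        struct insn i = prog[c.pc];

        /* IBT: the instruction after an indirect JMP/CALL must be ENDBRANCH. */
        if (c.wait_endbr) {
            if (cet && i.op != OP_ENDBR) return FAULT_CP_IBT;   /* #CP */
            c.wait_endbr = 0;
        }
        switch (i.op) {
        case OP_NOP: case OP_ENDBR: c.pc++; break;   /* ENDBR acts as a NOP otherwise */
        case OP_HALT: return RUN_OK;
        case OP_CALL: case OP_ICALL:
            if (c.sp >= STACK_MAX) return FAULT_BAD;
            c.stack[c.sp++]   = c.pc + 1;   /* return address on the normal stack */
            c.shadow[c.ssp++] = c.pc + 1;   /* the processor's private copy */
            c.wait_endbr = (i.op == OP_ICALL);
            c.pc = i.target; break;
        case OP_IJMP:
            c.wait_endbr = 1; c.pc = i.target; break;
        case OP_RET: {
            if (c.sp == 0) return FAULT_BAD;
            int a = c.stack[--c.sp], s = c.shadow[--c.ssp];
            if (cet && a != s) return FAULT_CP_SS;   /* #CP: the copies differ */
            c.pc = a; break;
        }
        }
    }
    return FAULT_BAD;   /* runaway program */
}

/* Constructed programs, indexed by pc.
 * sample: 0 CALL 3 | 1 IJMP 6 | 2 HALT | 3 ENDBR | 4 NOP | 5 RET
 *         6 ENDBR | 7 HALT | 8 NOP (no ENDBR: not a legal indirect target) | 9 HALT */
static const struct insn sample[] = {
    {OP_CALL, 3}, {OP_IJMP, 6}, {OP_HALT, 0}, {OP_ENDBR, 0}, {OP_NOP, 0},
    {OP_RET, 0},  {OP_ENDBR, 0}, {OP_HALT, 0}, {OP_NOP, 0}, {OP_HALT, 0},
};
/* bad_jump: 0 IJMP 2 | 1 HALT | 2 NOP | 3 HALT  (indirect jump lands on a NOP) */
static const struct insn bad_jump[] = {
    {OP_IJMP, 2}, {OP_HALT, 0}, {OP_NOP, 0}, {OP_HALT, 0},
};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    printf("clean run with CET:         %d (0 = ok)\n", run(sample, LEN(sample), -1, 0, 1));
    printf("return address overwritten: %d (1 = shadow-stack fault)\n", run(sample, LEN(sample), 5, 8, 1));
    printf("same, CET off:              %d (silently diverted to pc 8)\n", run(sample, LEN(sample), 5, 8, 0));
    printf("indirect jump to non-ENDBR: %d (2 = IBT fault)\n", run(bad_jump, LEN(bad_jump), -1, 0, 1));
    return 0;
}
```

The model keeps the two properties that matter: nothing an overflow can write reaches the shadow copy, and the IBT state is consumed by the very next instruction, so a target without ENDBRANCH faults before it executes anything.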


Microsoft Control Flow Guard

Control Flow Guard (CFG) was first released for Windows 8.1 Update 3 (KB3000850) in November 2014. Developers can add CFG to their programs by adding the /guard:cf linker flag before program linking in Visual Studio 2015 or newer. As of the Windows 10 Creators Update (Windows 10 version 1703), the Windows kernel is compiled with CFG. The Windows kernel uses Hyper-V to prevent malicious kernel code from overwriting the CFG bitmap. CFG operates by creating a per-process bitmap, where a set bit indicates that the address is a valid destination. Before performing each indirect function call, the application checks whether the destination address is in the bitmap. If the destination address is not in the bitmap, the program terminates. This makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call to execute a payload.


Implementation details

For all protected indirect function calls, the _guard_check_icall function is called, which performs the following steps:
# Convert the target address to an offset and bit number in the bitmap.
## The highest 3 bytes are the byte offset in the bitmap.
## The bit offset is a 5-bit value. The first four bits are the 4th through 8th low-order bits of the address.
## The 5th bit of the bit offset is set to 0 if the destination address is aligned to 0x10 (last four bits are 0), and 1 if it is not.
# Examine the target's address value in the bitmap.
## If the target address is in the bitmap, return without an error.
## If the target address is not in the bitmap, terminate the program.
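An added software model of the lookup above (not Microsoft's code), following the two steps as written, with three assumptions made for the example: addresses are 32-bit and the modelled address space is shrunk to 1 MiB; the offset taken from the highest three bytes is used as the index of a 32-bit bitmap word, so one word covers 256 bytes of code; and the alignment flag is placed as the low bit of the 5-bit number. The sample addresses are constructed.

```c
/* Software model of the CFG bitmap lookup. Added example, not Microsoft's
 * code: 32-bit addresses, a 1 MiB address space, one 32-bit bitmap word per
 * 256 bytes of code, alignment flag as the low bit of the 5-bit index. */
#include <stdint.h>
#include <stdio.h>

#define ADDR_SPACE (1u << 20)            /* modelled address space: 1 MiB */
#define CFG_WORDS  (ADDR_SPACE >> 8)     /* one 32-bit word per 256 bytes */

static uint32_t cfg_bitmap[CFG_WORDS];   /* per-process bitmap; all zero = nothing allowed */

/* Step 1: target address -> (word offset, bit number). */
static void cfg_locate(uint32_t addr, uint32_t *word, uint32_t *bit)
{
    *word = addr >> 8;                          /* highest 3 bytes of the address */
    uint32_t slot      = (addr >> 4) & 0xF;     /* address bits 4..7: 16-byte slot */
    uint32_t unaligned = (addr & 0xF) ? 1 : 0;  /* 0 only if aligned to 0x10 */
    *bit = (slot << 1) | unaligned;             /* 5-bit value in 0..31 */
}

/* Loader side: mark a function entry point as a valid indirect-call target. */
static void cfg_mark_target(uint32_t addr)
{
    uint32_t w, b;
    cfg_locate(addr, &w, &b);
    if (w < CFG_WORDS) cfg_bitmap[w] |= 1u << b;
}

/* Step 2: the check. Returns 1 if the call may proceed, 0 if the process
 * must be terminated (the real function fails fast instead of returning). */
static int cfg_check_icall(uint32_t addr)
{
    uint32_t w, b;
    cfg_locate(addr, &w, &b);
    if (w >= CFG_WORDS) return 0;               /* outside the mapped bitmap */
    return (cfg_bitmap[w] >> b) & 1;
}

int main(void)
{
    /* Constructed layout: two 16-byte-aligned entry points and one that is not. */
    cfg_mark_target(0x4010);
    cfg_mark_target(0x4100);
    cfg_mark_target(0x5008);
    uint32_t probes[] = { 0x4010, 0x4100, 0x4014, 0x4020, 0x5008, 0x500c, 0x5000 };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("icall to 0x%05x: %s\n", (unsigned)probes[i],
               cfg_check_icall(probes[i]) ? "allowed" : "terminate");
    return 0;
}
```

The probe at 0x500c shows the precision cost of an unaligned target: once the unaligned bit of a 16-byte slot is set, the bitmap can no longer tell the addresses inside that slot apart, which is why keeping every valid target 16-byte aligned matters for the scheme.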


Bypass techniques

There are several generic techniques for bypassing CFG:
* Set the destination to code located in a non-CFG module loaded in the same process.
* Find an indirect call that was not protected by CFG (either CALL or JMP).
* Use a function call with a different number of arguments than the call is designed for, causing a stack misalignment and code execution after the function returns (patched in Windows 10).
* Use a function call with the same number of arguments, but where one of the pointers passed is treated as an object and writes to a pointer-based offset, allowing a return address to be overwritten.
* Overwrite the function call used by CFG to validate the address (patched in March 2015).
* Set the CFG bitmap to all 1's, allowing all indirect function calls.
* Use a controlled-write primitive to overwrite an address on the stack (since the stack is not protected by CFG).


Microsoft eXtended Flow Guard

eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019. XFG extends CFG by validating function call signatures to ensure that indirect function calls go only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions that store the target function's hash in register r10 immediately prior to the indirect call, and by storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target function's stored hash.
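The fine-grained versus coarse-grained forward-edge policies from the Techniques section and the XFG hash comparison, as one added software model (not Microsoft's or LLVM's code): each function in a constructed "image" carries a hash of its prototype string, standing in for the hash stored in the bytes before its code; a guarded call site hashes the prototype it was compiled against, standing in for the value placed in r10; and a coarse variant only checks that the target is some function in the image. The hash function (FNV-1a), the struct layout and the sample functions are all assumptions made for the example.

```c
/* Software model of XFG-style signature validation next to the coarse
 * "any function in the image" policy. Added example, not Microsoft's or
 * LLVM's code: the hash, the struct that stands in for "the bytes before
 * the function" and the sample functions are all constructed. */
#include <stdint.h>
#include <stdio.h>

/* FNV-1a over the prototype string; a stand-in for the real signature hash. */
static uint64_t sig_hash(const char *prototype)
{
    uint64_t h = 1469598103934665603ULL;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    return h;
}

/* A function as it sits in the image: the signature hash immediately
 * precedes the code. All sample functions are int(int) in C so the model
 * links; the 'prototype' string is the type XFG would actually hash. */
struct xfg_func {
    uint64_t     hash;        /* filled in by xfg_init (the compiler/linker's job) */
    int        (*code)(int);
    const char  *prototype;
    const char  *name;
};

static int add_one(int x) { return x + 1; }
static int negate(int x)  { return -x; }
static int run_cmd(int x) { (void)x; return 0xBAD; }  /* a function no int(int)
                                                         call site should reach */

static struct xfg_func image[] = {
    { 0, add_one, "int(int)",          "add_one" },
    { 0, negate,  "int(int)",          "negate"  },
    { 0, run_cmd, "int(const char *)", "run_cmd" },
};
#define IMAGE_LEN ((int)(sizeof image / sizeof image[0]))

/* Models the build emitting each function's hash into the image (once). */
static void xfg_init(void)
{
    static int done;
    if (done) return;
    for (int i = 0; i < IMAGE_LEN; i++) image[i].hash = sig_hash(image[i].prototype);
    done = 1;
}

enum call_result { CALL_OK, CALL_REJECTED };

/* Fine-grained (XFG-style) guarded indirect call: the call site knows the
 * prototype it was compiled against; its hash plays the role of r10. */
static enum call_result xfg_call(const char *site_prototype,
                                 const struct xfg_func *target, int arg, int *out)
{
    xfg_init();
    uint64_t r10 = sig_hash(site_prototype);         /* loaded just before the call */
    if (target->hash != r10) return CALL_REJECTED;   /* fast-fail in practice */
    *out = target->code(arg);
    return CALL_OK;
}

/* Coarse-grained guarded call: any function in the image is acceptable. */
static enum call_result coarse_call(const struct xfg_func *target, int arg, int *out)
{
    xfg_init();
    for (int i = 0; i < IMAGE_LEN; i++)
        if (target == &image[i]) { *out = target->code(arg); return CALL_OK; }
    return CALL_REJECTED;
}

int main(void)
{
    int out = 0;
    /* The call site was compiled for int(int); a corrupted pointer now
     * points at run_cmd, whose prototype differs. */
    printf("coarse: %s (out=%#x)\n",
           coarse_call(&image[2], 0, &out) == CALL_OK ? "called" : "rejected", (unsigned)out);
    printf("xfg:    %s\n",
           xfg_call("int(int)", &image[2], 0, &out) == CALL_OK ? "called" : "rejected");
    printf("xfg, same-type swap add_one -> negate: %s (out=%d)\n",
           xfg_call("int(int)", &image[1], 5, &out) == CALL_OK ? "called" : "rejected", out);
    return 0;
}
```

The last call in main shows the limit the Techniques section mentions for fine-grained forward-edge schemes: a pointer swapped to another function of the same type still passes, so the check narrows the target set to matching signatures rather than to the one intended function.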


See also

* Buffer overflow protection

