ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Control-flow integrity
Full text PdfPdf (219 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 12th ACM conference on Computer and communications security table of contents
Alexandria, VA, USA
SESSION: Automated analysis table of contents
Pages: 340 - 353  
Year of Publication: 2005
ISBN:1-59593-226-7
Authors
Martín Abadi  University of California, Santa Cruz
Mihai Budiu  Microsoft Research, Silicon Valley
Úlfar Erlingsson  Microsoft Research, Silicon Valley
Jay Ligatti  Princeton University, Princeton, NJ
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 17,   Downloads (12 Months): 183,   Citation Count: 29
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1102120.1102165
What is a DOI?

ABSTRACT

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. A theory of secure control flow. In Proceedings of the 7th International Conference on Formal Engineering Methods, 2005. A preliminary version appears as Microsoft Research Technical Report MSR-TR-05-17, February 2005.
 
2
Alfred V. Aho , Ravi Sethi , Jeffrey D. Ullman, Compilers: principles, techniques, and tools, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1986
 
3
Apple Computer. Prebinding notes, 2003. http://developer.apple.com/releasenotes/DeveloperTools/Prebinding.html.
 
4
D. Atkinson. Call graph extraction in the presence of function pointers. In Proceedings of the International Conference on Software Engineering Research and Practice, 2002.
 
5
K. Avijit, P. Gupta, and D. Gupta. TIED, LibsafePlus: Tools for runtime buffer overflow protection. In Proceedings of the Usenix Security Symposium, pages 45--56, 2004.
 
6
S. Basu and P. Uppuluri. Proxy-annotated control flow graphs: Deterministic context-sensitive monitoring for intrusion detection. In ICDCIT: Proceedings of the International Conference on Distributed Computing and Internet Technology, pages 353--362, 2004.
 
7
S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the Usenix Security Symposium, pages 105--120, 2003.
 
8
M. Bishop and M. Dilger. Checking for race conditions in file access. Computing Systems, 9(2):131--152, 1996.
 
9
D. Brumley and D. Song. Privtrans: Automatically partitioning programs for privilege separation. In Proceedings of the Usenix Security Symposium, pages 57--72, 2004.
 
10
S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer. Non-control-data attacks are realistic threats. In Proceedings of the Usenix Security Symposium, pages 177--192, 2005.
 
11
RAD: A Compile-Time Solution to Buffer Overflow Attacks, Proceedings of the The 21st International Conference on Distributed Computing Systems, p.409, April 16-19, 2001
 
12
C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the Usenix Security Symposium, 2001.
 
13
C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the Usenix Security Symposium, pages 91--104, 2003.
 
14
C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the Usenix Security Symposium, pages 63--78, 1998.
 
15
Jedidiah R. Crandall , Frederic T. Chong, Minos: Control Data Attack Prevention Orthogonal to Memory Model, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.221-232, December 04-08, 2004, Portland, Oregon  [doi>10.1109/MICRO.2004.26]
 
16
Ulfar Erlingsson , Fred B. Schneider, IRM Enforcement of Java Stack Inspection, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.246, May 14-17, 2000
17
Úlfar Erlingsson , Fred B. Schneider, SASI enforcement of security policies: a retrospective, Proceedings of the 1999 workshop on New security paradigms, p.87-95, September 22-24, 1999, Caledon Hills, Ontario, Canada  [doi>10.1145/335169.335201]
 
18
H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee, and B. Miller. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 194--210, 2004.
 
19
Henry Hanping Feng , Oleg M. Kolesnikov , Prahlad Fogla , Wenke Lee , Weibo Gong, Anomaly Detection Using Call Stack Information, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.62, May 11-14, 2003
 
20
E. Florio. Gdiplus vuln - ms04-028 - crash test jpeg. full-disclosure at lists.netsys.com, 2004. Forum message, sent September 15.
 
21
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
22
M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In Proceedings of the Usenix Security Symposium, pages 55--66, 2001.
 
23
Jonathon T. Giffin , Somesh Jha , Barton P. Miller, Detecting Manipulated Remote Call Streams, Proceedings of the 11th USENIX Security Symposium, p.61-79, August 05-09, 2002
 
24
J. Giffin, S. Jha, and B. Miller. Efficient context-sensitive intrusion detection. In NDSS '04: Proceedings of the Network and Distributed System Security Symposium, 2004.
 
25
Rajeev Gopalakrishna , Eugene H. Spafford , Jan Vitek, Efficient Intrusion Detection using Automaton Inlining, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.18-31, May 08-11, 2005  [doi>10.1109/SP.2005.1]
 
26
Sudhakar Govindavajhala , Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.154, May 11-14, 2003
 
27
N. Hamid, Z. Shao, V. Trifonov, S. Monnier, and Z. Ni. A Syntactic Approach to Foundational Proof-Carrying Code. Technical Report YALEU/DCS/TR-1224, Dept. of Computer Science, Yale University, New Haven, CT, 2002.
28
Norman Hardy , Norm Hardy, The Confused Deputy: (or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, v.22 n.4, p.36-38, Oct. 1988
 
29
Vladimir Kiriansky , Derek Bruening , Saman P. Amarasinghe, Secure Execution via Program Shepherding, Proceedings of the 11th USENIX Security Symposium, p.191-206, August 05-09, 2002
 
30
Milenko Drinic , Darko Kirovski, A Hardware-Software Platform for Intrusion Prevention, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.233-242, December 04-08, 2004, Portland, Oregon  [doi>10.1109/MICRO.2004.2]
 
31
L. Lam and T. Chiueh. Automatic extraction of accurate application-specific sandboxing policy. In RAID '04: Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pages 1--20, 2004.
 
32
D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the Usenix Security Symposium, pages 177--190, 2001.
 
33
E. Larson and T. Austin. High coverage detection of input-related security faults. In Proceedings of the Usenix Security Symposium, pages 121--136, 2003.
 
34
S. McCamant and G. Morrisett. Efficient, verifiable binary sandboxing for a CISC architecture. Technical Report MIT-LCS-TR-988, MIT Laboratory for Computer Science, 2005.
 
35
Microsoft Corporation. Changes to functionality in Microsoft Windows XP SP2: Memory protection technologies, 2004. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr%.mspx.
36
Greg Morrisett , David Walker , Karl Crary , Neal Glew, From system F to typed assembly language, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.85-97, January 19-21, 1998, San Diego, California, United States  [doi>10.1145/268946.268954]
 
37
D. Nebenzahl and A. Wool. Install-time vaccination of Windows executables to defend against stack smashing attacks. In Proceedings of the IFIP International Information Security Conference, 2004.
38
George C. Necula, Proof-carrying code, Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.106-119, January 15-17, 1997, Paris, France  [doi>10.1145/263699.263712]
39
George C. Necula , Scott McPeak , Westley Weimer, CCured: type-safe retrofitting of legacy code, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.128-139, January 16-18, 2002, Portland, Oregon
 
40
N. Oh, P. P. Shirvani, and E. J. McCluskey. Control flow checking by software signatures. IEEE Transactions on Reliability, 51(2), 2002. Special Section on: Fault Tolerant VLSI Systems.
 
41
PaX Project. The PaX project, 2004. http://pax.grsecurity.net/.
 
42
Jonathan Pincus , Brandon Baker, Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, IEEE Security and Privacy, v.2 n.4, p.20-27, July 2004  [doi>10.1109/MSP.2004.36]
 
43
M. Prasad and T. Chiueh. A binary rewriting defense against stack based buffer overflow attacks. In Proceedings of the Usenix Technical Conference, pages 211--224, 2003.
 
44
N. Provos. Improving host security with system call policies. In Proceedings of the Usenix Security Symposium, pages 257--272, 2003.
 
45
George A. Reis , Jonathan Chang , Neil Vachharajani , Ram Rangan , David I. August, SWIFT: Software Implemented Fault Tolerance, Proceedings of the international symposium on Code generation and optimization, p.243-254, March 20-23, 2005  [doi>10.1109/CGO.2005.34]
 
46
O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of Network and Distributed System Security Symposium, 2004.
 
47
Kevin Scott , Jack Davidson, Safe Virtual Execution Using Software Dynamic Translation, Proceedings of the 18th Annual Computer Security Applications Conference, p.209, December 09-13, 2002
 
48
R. Sekar , M. Bendre , D. Dhurjati , P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.144, May 14-16, 2001
49
Hovav Shacham , Matthew Page , Ben Pfaff , Eu-Jin Goh , Nagendra Modadugu , Dan Boneh, On the effectiveness of address-space randomization, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030124]
 
50
C. Small. A tool for constructing safe extensible C++ systems. In Proceedings of the 3rd Conference on Object-Oriented Technologies and Systems, 1997.
 
51
A. Sovarel, D. Evans, and N. Paul. Where's the FEEB?: The effectiveness of instruction set randomization. In Proceedings of the Usenix Security Symposium, pages 145--160, 2005.
 
52
A. Srivastava, A. Edwards, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, 2001.
 
53
A. Srivastava and A. Eustace. ATOM: A system for building customized program analysis tools. Technical Report WRL Research Report 94/2, Digital Equipment Corporation, 1994.
 
54
Standard Performance Evaluation Corporation. SPEC CPU2000 benchmark suite, 2000. http://www.spec.org/osg/cpu2000/.
55
G. Edward Suh , Jae W. Lee , David Zhang , Srinivas Devadas, Secure program execution via dynamic information flow tracking, Proceedings of the 11th international conference on Architectural support for programming languages and operating systems, October 07-13, 2004, Boston, MA, USA
 
56
Nathan Tuck , Brad Calder , George Varghese, Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.209-220, December 04-08, 2004, Portland, Oregon  [doi>10.1109/MICRO.2004.20]
 
57
R. Venkatasubramanian, J. P. Hayes, and B. T. Murray. Low-cost on-line fault detection using control flow assertions. In Proceedings of 9th IEEE International On-Line Testing Symposium, 2003.
 
58
David Wagner , Drew Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.156, May 14-16, 2001
59
David Wagner , Paolo Soto, Mimicry attacks on host-based intrusion detection systems, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586145]
60
Robert Wahbe , Steven Lucco , Thomas E. Anderson , Susan L. Graham, Efficient software-based fault isolation, ACM SIGOPS Operating Systems Review, v.27 n.5, p.203-216, Dec. 1993
 
61
J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the Network and Distributed System Security Symposium, 2003.
 
62
J. Xu, Z. Kalbarczyk, and R. Iyer. Transparent runtime randomization for security. In Proceedings of the Symposium on Reliable and Distributed Systems, 2003.
 
63
J. Xu, Z. Kalbarczyk, S. Patel, and R. Iyer. Architecture support for defending against buffer overflow attacks, 2002.

CITED BY  29
Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: end-to-end containment of internet worms, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Michael E. Locasto , Angelos Stavrou , Gabriela F. Cretu , Angelos D. Keromytis, From STEM to SEAD: speculative execution for automated defense, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
Jedidiah R. Crandall , S. Felix Wu , Frederic T. Chong, Minos: Architectural support for protecting control data, ACM Transactions on Architecture and Code Optimization (TACO), v.3 n.4, p.359-389, December 2006
Mihai Budiu , Úlfar Erlingsson , Martín Abadi, Architectural support for software-based protection, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.42-51, October 21-21, 2006, San Jose, California
Hassen Saïdi, Guarded models for intrusion detection, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA
Stephen McCamant , Greg Morrisett, Evaluating SFI for a CISC architecture, Proceedings of the 15th conference on USENIX Security Symposium, p.15-15, July 31-August 04, 2006, Vancouver, B.C., Canada
David Walker , Lester Mackey , Jay Ligatti , George A. Reis , David I. August, Static typing for a faulty lambda calculus, ACM SIGPLAN Notices, v.41 n.9, September 2006
Nick L. Petroni, Jr. , Michael Hicks, Automated detection of persistent kernel control-flow attacks, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Stelios Sidiroglou , Sotiris Ioannidis , Angelos D. Keromytis, Band-aid patching, Proceedings of the 3rd conference on Third Workshop on Hot Topics in System Dependability, p.6-6, June 26, 2007, Edinburgh, UK
Matthias Jacob , Mariusz H. Jakubowski , Ramarathnam Venkatesan, Towards integral binary execution: implementing oblivious hashing using overlapped instruction encodings, Proceedings of the 9th workshop on Multimedia & security, September 20-21, 2007, Dallas, Texas, USA
Prateek Saxena , R Sekar , Varun Puranik, Efficient fine-grained binary instrumentationwith applications to taint-tracking, Proceedings of the sixth annual IEEE/ACM international symposium on Code generation and optimization, April 05-09, 2008, Boston, MA, USA
Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado, Bouncer: securing software by blocking bad input, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
Rui Wang , XiaoFeng Wang , Zhuowei Li, Panalyst: privacy-aware remote error analysis on commodity software, Proceedings of the 17th conference on Security symposium, p.291-306, July 28-August 01, 2008, San Jose, CA
Chetan Parampalli , R. Sekar , Rob Johnson, A practical mimicry attack against powerful system-call monitors, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
Gong Rui , Chen Wei , Liu Fang , Dai Kui , Wang Zhiying, Control flow checking and recovering based on 8051 architecture, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil
Úlfar Erlingsson , Martín Abadi , Michael Vrable , Mihai Budiu , George C. Necula, XFI: software guards for system address spaces, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
Miguel Castro , Manuel Costa , Tim Harris, Securing software by enforcing data-flow integrity, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
Shufu Mao , Tilman Wolf, Hardware support for secure processing in embedded systems, Proceedings of the 44th annual conference on Design automation, June 04-08, 2007, San Diego, California
Karthik Pattabiraman , Vinod Grover , Benjamin G. Zorn, Samurai: protecting critical data in unsafe languages, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
Sergey Bratus , Michael E. Locasto , Ashwin Ramaswamy , Sean W. Smith, Traps, events, emulation, and enforcement: managing the yin and yang of virtualization-based security, Proceedings of the 1st ACM workshop on Virtual machine security, October 27-27, 2008, Alexandria, Virginia, USA
Walter Chang , Brandon Streiff , Calvin Lin, Efficient and extensible security enforcement using dynamic data flow analysis, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: End-to-end containment of Internet worm epidemics, ACM Transactions on Computer Systems (TOCS), v.26 n.4, p.1-68, December 2008
Xuejun Yang , Nathan Cooprider , John Regehr, Eliminating the call stack to save RAM, ACM SIGPLAN Notices, v.44 n.7, July 2009
Stelios Sidiroglou , Oren Laadan , Carlos Perez , Nicolas Viennot , Jason Nieh , Angelos D. Keromytis, ASSURE: automatic software self-healing using rescue points, ACM SIGPLAN Notices, v.44 n.3, March 2009
Santosh Nagarakatte , Jianzhou Zhao , Milo M.K. Martin , Steve Zdancewic, SoftBound: highly compatible and complete spatial memory safety for c, ACM SIGPLAN Notices, v.44 n.6, June 2009
Francesco Gadaleta , Yves Younan , Bart Jacobs , Wouter Joosen , Erik De Neve , Nils Beosier, Instruction-level countermeasures against stack-based buffer overflow attacks, Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems, p.7-12, March 31-31, 2009, Nuremberg, Germany
Ryan Riley , Xuxian Jiang , Dongyan Xu, Multi-aspect profiling of kernel rootkit behavior, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany
Avraham Shinnar , Marco Pistoia , Anindya Banerjee, A language for information flow: dynamic tracking in multiple interdependent dimensions, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, June 15-21, 2009, Dublin, Ireland
Daniel Ziener , Jurgen Teich, Concepts for run-time and error-resilient control flow checking of embedded RISC CPUs, International Journal of Autonomous and Adaptive Communications Systems, v.2 n.3, p.256-275, June 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.3 PROGRAMMING LANGUAGES
      D.3.4 Processors

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection


General Terms:
Languages, Security, Verification


Keywords:
binary rewriting, control-flow graph, inlined reference monitors, vulnerabilities

Collaborative Colleagues:
Martín Abadi: colleagues
Mihai Budiu: colleagues
Úlfar Erlingsson: colleagues
Jay Ligatti: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player