Assessing the Effectiveness of Binary-Level CFI Techniques

Ruturaj K. Vaidya, Prasad A. Kulkarni

TL;DR

Memory corruption enables control flow hijacking; although CFI provides protection, binary-level CFI struggles because far less program information is available from a binary than from source. The authors propose Binary-CFI, a modular framework that couples source-level ground truth from an LLVM LTO pass with binary analysis from IDA Pro/Hex-Rays to model four type-based CFI policies. They introduce the $RelativeCTR_T$, $RelativeCTR_F$, and CTR metrics to quantify per-call-site accuracy and overall target reduction against that ground truth. Experiments on SPECint/SPECfp benchmarks and real-world applications reveal significant divergences between binary- and source-level results, especially when binaries are stripped, with stricter policies suffering more from type-recovery errors. The framework provides a systematic method to evaluate binary-level CFI and highlights the need for better binary analysis before binary-level CFI can be robust in practice.

Abstract

Memory corruption is an important class of vulnerability that can be leveraged to craft control flow hijacking attacks. Control Flow Integrity (CFI) provides protection against such attacks. Application of type-based CFI policies requires information regarding the number and type of function arguments. Binary-level type recovery is inherently speculative, which motivates the need for an evaluation framework to assess the effectiveness of binary-level CFI techniques compared with their source-level counterparts, where such type information is fully and accurately accessible. In this work, we develop a novel, generalized and extensible framework to assess how the program analysis information we get from state-of-the-art binary analysis tools affects the efficacy of type-based CFI techniques. We introduce new and insightful metrics to quantitatively compare source independent CFI policies with their ground truth source aware counterparts. We leverage our framework to evaluate binary-level CFI policies implemented using program analysis information extracted from the IDA Pro binary analyzer and compared with the ground truth information obtained from the LLVM compiler, and present our observations.
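The abstract's central point, that binary-level type recovery is speculative and that the recovered signatures decide which targets a type-based policy admits, is easiest to see on a small model. The following is an added illustration, not the authors' Binary-CFI framework or its metrics. Everything in it is an assumption made for the example: the function and call-site signatures are constructed, the two policies are simplified stand-ins for a TypeArmor-style (argument-count) rule and a τCFI-style (count plus argument width) rule, the "binary view" deliberately contains one mis-recovered argument width and one over-counted call-site, and `reduction()` is a hypothetical aggregate, not the paper's CTR.

```python
"""
Toy model: how errors in binary-level signature recovery change the target
set a type-based CFI policy allows, compared with source-level ground truth.

Added example; not the Binary-CFI framework.  Assumptions (not from the page):
  * a "signature" is (argument count, tuple of per-argument widths in bits);
  * count_policy / width_policy are simplified stand-ins for TypeArmor-style
    and tauCFI-style matching, not the tools' real rules;
  * reduction() is a hypothetical aggregate, not the paper's CTR metric.
"""
from typing import Callable, Dict, FrozenSet, Tuple

Signature = Tuple[int, Tuple[int, ...]]  # (arg count, per-arg width in bits)

# Constructed ground truth, as if read from LLVM IR at link time.
SOURCE_FUNCS: Dict[str, Signature] = {
    "handler_read":  (2, (64, 32)),
    "handler_write": (2, (64, 32)),
    "handler_close": (1, (64,)),
    "log_msg":       (3, (64, 64, 32)),
    "noop":          (0, ()),
}
SOURCE_CALLSITES: Dict[str, Signature] = {
    "cs_dispatch": (2, (64, 32)),   # indirect call through a handler table
    "cs_cleanup":  (1, (64,)),      # indirect call to handler_close
}

# Constructed "binary-level" view with two plausible recovery errors.
BINARY_FUNCS: Dict[str, Signature] = dict(SOURCE_FUNCS)
BINARY_FUNCS["handler_write"] = (2, (64, 64))   # 2nd arg width guessed as 64, not 32
BINARY_CALLSITES: Dict[str, Signature] = dict(SOURCE_CALLSITES)
BINARY_CALLSITES["cs_cleanup"] = (2, (64, 32))  # a live register mistaken for an argument

Policy = Callable[[Signature, Signature], bool]

def count_policy(cs: Signature, fn: Signature) -> bool:
    """Count-only rule (simplified): the callee may consume at most as many
    arguments as the call-site prepares."""
    return fn[0] <= cs[0]

def width_policy(cs: Signature, fn: Signature) -> bool:
    """Count-plus-width rule (simplified, stricter): each argument the callee
    consumes must also fit in the width the call-site prepared."""
    if fn[0] > cs[0]:
        return False
    return all(fw <= cw for fw, cw in zip(fn[1], cs[1]))

def targets(policy: Policy, funcs: Dict[str, Signature],
            callsites: Dict[str, Signature]) -> Dict[str, FrozenSet[str]]:
    """Allowed target set per call-site under one policy and one analysis view."""
    return {cs: frozenset(f for f, sig in funcs.items() if policy(cs_sig, sig))
            for cs, cs_sig in callsites.items()}

def compare(policy: Policy) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Per call-site divergence between the binary view and ground truth:
      'missing' = allowed at source level but not at binary level
                  (a legitimate target is blocked; the hardened binary may crash);
      'extra'   = allowed at binary level only (attack surface the source-level
                  policy would have removed)."""
    src = targets(policy, SOURCE_FUNCS, SOURCE_CALLSITES)
    bn = targets(policy, BINARY_FUNCS, BINARY_CALLSITES)
    return {cs: {"source": src[cs], "binary": bn[cs],
                 "missing": src[cs] - bn[cs], "extra": bn[cs] - src[cs]}
            for cs in SOURCE_CALLSITES}

def reduction(policy: Policy, funcs: Dict[str, Signature],
              callsites: Dict[str, Signature]) -> float:
    """Hypothetical aggregate: fraction of (call-site, function) pairs the policy
    rules out.  Illustrates 'target reduction' only; not the paper's CTR."""
    total = len(funcs) * len(callsites)
    allowed = sum(len(s) for s in targets(policy, funcs, callsites).values())
    return 1 - allowed / total

if __name__ == "__main__":
    for name, pol in (("count", count_policy), ("width", width_policy)):
        print(f"[{name}] source reduction={reduction(pol, SOURCE_FUNCS, SOURCE_CALLSITES):.2f} "
              f"binary reduction={reduction(pol, BINARY_FUNCS, BINARY_CALLSITES):.2f}")
        for cs, d in compare(pol).items():
            print(f"  {cs}: missing={sorted(d['missing'])} extra={sorted(d['extra'])}")
```

Two things the run makes visible. Under the count-only rule the over-counted `cs_cleanup` only adds targets (`handler_read`, `handler_write` become reachable), so the binary-level policy is weaker but the program still runs. Under the stricter width rule the mis-recovered width of `handler_write` removes it from `cs_dispatch`'s allowed set, so a legitimate indirect call would be rejected at run time: the stricter policy converts the same recovery error into a correctness failure, which is the behaviour the TL;DR summarises. The aggregate reduction for the width rule is identical (0.40) for both views even though the per-call-site sets differ, which is why a per-call-site comparison against ground truth is needed rather than an overall reduction figure alone.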

Paper Structure (19 sections, 3 equations, 9 figures, 9 tables)

Figures (9)

  • Figure 1: High-level overview of CFI techniques
  • Figure 2: Block Diagram of Binary-CFI
  • Figure 3: Indirect call-site targeting functions in binary hardened with four different policies: ① TypeArmor, ② IFCC, ③ MCFI and ④ $\tau$CFI
  • Figure 4: Number of True Positive and False Positive Signatures (call-site and Function) According to Argument Count recuperated over all benchmarks in Settings I and II
  • Figure 5: Number of True Positive and False Positive Signatures (call-site and Function) According to Preliminary Types recuperated over all benchmarks in Settings I and II
  • ...and 4 more figures

Theorems & Definitions (2)

  • Definition 1
  • Definition 2