16.
03.
2018
An Overview Of Control-Flow Integrity Enforcement
Konrad Gube
TU Dresden
Hauptseminar-Vortrag, abweichender Raum: APB 3080
Address space layout randomization, stack canaries and NX protection
have made code injection attacks significantly harder, but failed to
fundamentally solve the problem of control-flow hijacking. Advanced
code reuse attacks have repeatedly been shown to bypass these
protections. Control-flow integrity (CFI) promises a more fundamental
solution: By keeping the control-flow within the confines of a valid
control-flow graph, CFI systems may be able to stop control-flow
hijacking altogether, instead of protecting against specific attacks
only.
Repeated attempts at "coarse-grained" CFI have demonstrated that the
precision of CFI enforcement is essential to its effectiveness. This
talk gives an overview of different CFI enforcement techniques and
attempts to compare them in regard to general approach, precision
and performance overhead.
|
