![Page 1: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/1.jpg)
Control Flow Integrity &Software Fault Isolation
David BrumleyCarnegie Mellon University
![Page 2: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/2.jpg)
2
Our story so far…
UnauthorizedControlInformationTampering
http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
![Page 3: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/3.jpg)
3
Adversary Model Matters!Cowan et al., USENIX Security 1998StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
“Programs compiled with StackGuard are safe from buffer overflow attack, regardless of
the software engineering quality of the program.”
What if the adversary is more powerful?How powerful is powerful enough?
![Page 4: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/4.jpg)
4
Reference Monitors
![Page 5: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/5.jpg)
5
FilesSocketsComputer Operations
PeopleProcessesComputer Operations
Op request
Op response
Subject Object
![Page 6: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/6.jpg)
6
Subject Object
Op request
Op response
Reference Monitor
Op request
Op response
Principles:1. Complete Mediation: The reference monitor must
always be invoked2. Tamper-proof: The reference monitor cannot be
changed by unauthorized subjects or objects3. Verifiable: The reference monitor is small enough to
thoroughly understand, test, and ultimately, verify.
Policy
![Page 7: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/7.jpg)
7
Inlined Referenced Monitor
Subject Object
Op request
Op response
Reference Monitor
Policy
Today’s Example: Inlining a control flow policy into a program
![Page 8: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/8.jpg)
8
Control Flow Integrity
Assigned Reading:
Control-Flow Integrity: Principles, Implementation and Applicationsby Abadi, Budiu, Erlingsson, and Ligatti
![Page 9: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/9.jpg)
9
Control Flow Integrity• protects against powerful adversary– with full control over entire data memory
• widely-applicable– language-neutral; requires binary only
• provably-correct & trustworthy– formal semantics; small verifier
• efficient– hmm… 0-45% in experiments; average 16%
![Page 10: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/10.jpg)
10
CFI Adversary Model
CAN
• Overwrite any data memory at any time– stack, heap, data segs
• Overwrite registers in current context
CANNOT
• Execute Data– NX takes care of that
• Modify Code– text seg usually read-only
• Write to %ip– true in x86
• Overwrite registers in other contexts– kernel will restore regs
![Page 11: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/11.jpg)
11
CFI OverviewInvariant: Execution must follow a path in a control flow graph (CFG) created ahead of run time.
Method:• build CFG statically, e.g., at compile time• instrument (rewrite) binary, e.g., at install time– add IDs and ID checks; maintain ID uniqueness
• verify CFI instrumentation at load time– direct jump targets, presence of IDs and ID checks, ID uniqueness
• perform ID checks at run time– indirect jumps have matching IDs
“static”
![Page 12: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/12.jpg)
12
Control Flow Graphs
![Page 13: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/13.jpg)
14
Defn Basic Block: A consecutive sequence of instructions / code such that• the instruction in each position always executes before
(dominates) all those in later positions, and• no outside instruction can execute between two
instructions in the sequence
control is “straight”(no jump targets except at the beginning,
no jumps except at the end)
Basic Block
1. x = y + z2. z = t + i
3. x = y + z4. z = t + i5. jmp 1
6. jmp 3
3 static basic blocks
1. x = y + z2. z = t + i3. x = y + z4. z = t + i5. jmp 1
1 dynamicbasic block
![Page 14: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/14.jpg)
15
CFG DefinitionA static Control Flow Graph is a graph where– each vertex vi is a basic block, and
– there is an edge (vi, vj) if there may be a transfer of control from block vi to block vj.
Historically, the scope of a “CFG” is limited to a function or procedure, i.e., intra-procedural.
![Page 15: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/15.jpg)
16
Call Graph
• Nodes are functions. There is an edge (vi, vj) if function vi calls function vj.
void orange(){1. red(1);2. red(2);3. green();}
void red(int x){green();...}
void green(){ green(); orange();}
orange red green
![Page 16: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/16.jpg)
17
Super Graph• Superimpose CFGs of all procedures over the
call graph
1: red1
2
3 2: red
A context sensitive super-graph for orange lines 1 and 2.
void orange(){1. red(1);2. red(2);3. green();}
void red(int x){..}
void green(){ green(); orange();}
![Page 17: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/17.jpg)
18
Precision: Sensitive or InsensitiveThe more precise the analysis, the more accurate it reflects the “real” program behavior.– More precise = more time to compute– More precise = more space – Limited by soundness/completeness tradeoff
Common Terminology in any Static Analysis:– Context sensitive vs. context insensitive– Flow sensitive vs. flow insensitive– Path sensitive vs. path insensitive
![Page 18: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/18.jpg)
19
Things I say
Soundness
If analysis says X is true, then X is true.
True Things
Things I say
Completeness
If X is true, then analysis says X is true.
True Things
Trivially Sound: Say nothing Trivially complete: Say everything
Sound and Complete: Say exactly the set of true things!
![Page 19: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/19.jpg)
21
Context SensitiveWhether different calling contexts are
distinguished
void yellow(){1. red(1);2. red(2);3. green();}
void red(int x){..}
void green(){ green(); yellow();}
Context sensitive distinguishes 2 different
calls to red(-)
![Page 20: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/20.jpg)
22
Context Sensitive Example
a = id(4);
b = id(5);
void id(int z){ return z; }
Context-Sensitive(color denotes matching call/ret)
a = id(4);
b = id(5);
void id(int z){ return z; }
Context-Insensitive(note merging)
Context sensitive can tell one call returns 4, the other 5
Context insensitive will say both calls return {4,5}
![Page 21: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/21.jpg)
23
Flow Sensitive• A flow sensitive analysis considers the order (flow) of
statements– Flow insensitive = usually linear-type algorithm– Flow sensitive = usually at least quadratic (dataflow)
• Examples: – Type checking is flow insensitive since a variable has a
single type regardless of the order of statements– Detecting uninitialized variables requires flow sensitivity
x = 4;....x = 5;
Flow sensitive can distinguish values of x, flow insensitive cannot
![Page 22: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/22.jpg)
24
Flow Sensitive Example
1. x = 4;....n. x = 5;
Flow sensitive:x is the constant 4 at line 1, x is the constant 5 at line n
Flow insensitive:x is not a constant
![Page 23: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/23.jpg)
25
Path SensitiveA path sensitive analysis maintains branch conditions along each execution path– Requires extreme care to make scalable– Subsumes flow sensitivity
![Page 24: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/24.jpg)
26
Path Sensitive Example
1. if(x >= 0)2. y = x;3. else4. y = -x;
path sensitive:y >= 0 at line 2,y > 0 at line 4
path insensitive:y is not a constant
![Page 25: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/25.jpg)
27
PrecisionEven path sensitive analysis approximates behavior due to:• loops/recursion • unrealizable paths
1. if(an + bn = cn && n>2 && a>0 && b>0 && c>0)2. x = 7;3. else4. x = 8;
Unrealizable path. x will always be 8
![Page 26: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/26.jpg)
28
Control Flow Integrity (Analysis)
![Page 27: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/27.jpg)
29
CFI OverviewInvariant: Execution must follow a path in a control flow graph (CFG) created ahead of run time.
Method:• build CFG statically, e.g., at compile time• instrument (rewrite) binary, e.g., at install time– add IDs and ID checks; maintain ID uniqueness
• verify CFI instrumentation at load time– direct jump targets, presence of IDs and ID checks, ID uniqueness
• perform ID checks at run time– indirect jumps have matching IDs
![Page 28: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/28.jpg)
30
Build CFG
Two possiblereturn sites due to
context insensitivity
direct calls
indirect calls
![Page 29: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/29.jpg)
31
Instrument Binary
• Insert a unique number at each destination• Two destinations are equivalent if CFG contains edges
to each from the same source
predicated call 17, R: transfer control to R only when R has label 17
predicated ret 23: transfer control to only label 23
![Page 30: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/30.jpg)
32
Verify CFI Instrumentation• Direct jump targets (e.g. call 0x12345678)
– are all targets valid according to CFG?
• IDs– is there an ID right after every entry point?– does any ID appear in the binary by accident?
• ID Checks– is there a check before every control transfer?– does each check respect the CFG?
easy to implement correctly => trustworthy
![Page 31: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/31.jpg)
33
What about indirect jumps and ret?
![Page 32: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/32.jpg)
34
ID Checks Check dest label
Check dest label
![Page 33: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/33.jpg)
35
PerformanceSize: increase 8% avgTime: increase 0-45%; 16% avg– I/O latency helps hide overhead
16%
45%
![Page 34: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/34.jpg)
36
CFI Adversary Model
CAN
• Overwrite any data memory at any time– stack, heap, data segs
• Overwrite registers in current context
CANNOT
• Execute Data– NX takes care of that
• Modify Code– text seg usually read-only
• Write to %ip– true in x86
• Overwrite registers in other contexts– kernel will restore regs
Assumptions areoften vulnerabilities!
![Page 35: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/35.jpg)
37
Let’s check our assumptions!• Non-executable Data– let’s inject code with desired ID…
• Non-writable Code– let’s overwrite the check instructions…– can be problematic for JIT compilers
• Context-Switching Preserves Registers– time-of-check vs. time-of-use– BONUS point: why don’t we use the RET
instruction to return?
![Page 36: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/36.jpg)
38
Time-of-Check vs. Time-of-Use
what if there is a context switch here?
![Page 37: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/37.jpg)
39
Security GuaranteesEffective against attacks based on illegitimate control-flow transfer– buffer overflow, ret2libc, pointer subterfuge, etc.
Allow data-only attacks since they respect CFG!– incorrect usage (e.g. printf can still dump mem)– substitution of data (e.g. replace file names)
Any check becomes non-circumventable.
![Page 38: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/38.jpg)
40
Software Fault Isolation• SFI ensures that a module only accesses
memory within its region by adding checks– e.g., a plugin can accesses only its own memory if(module_lower < x < module_upper) z = load[x];
• CFI ensures inserted memory checks are executed
SFI Check
![Page 39: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/39.jpg)
41
Inline Reference Monitors• IRMs inline a security policy into binary to
ensure security enforcement
• Any IRM can be supported by CFI + Software Memory Access Control– CFI: IRM code cannot be circumvented
+– SMAC: IRM state cannot be tampered
![Page 40: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/40.jpg)
42
Accuracy vs. SecurityThe accuracy of the CFG will reflect the level of enforcement of the security mechanism.
Indistinguishable sites, e.g., due to lack of context
sensitivity will be merged
![Page 41: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/41.jpg)
43
Context Sensitivity ProblemsSuppose A and B both call C.• CFI uses same return label in A and B.
How to prevent C from returning to B whenit was called from A?• Shadow Call Stack– an protected memory region for call stack– each call/ret instrumented to update shadow– CFI ensures instrumented checks will be run
![Page 42: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/42.jpg)
44
Proof of SecurityTheorem (Informal): Given state S0 with • non-writeable, well-instrumented code mem M0
Then for all runtime steps Si -> Si+1,• Si+1 is one of the allowed successors in the CFG,
or • Si+1 is an error state
We can make these sorts of statements precise with operational semantics.
![Page 43: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/43.jpg)
45
CFI SummaryControl Flow Integrity ensures that control flow follows a path in CFG– Accuracy of CFG determines level of enforcement– Can build other security policies on top of CFI
![Page 44: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/44.jpg)
46
Software Fault Isolation
Optional Reading:Efficient Software-Based Fault Isolationby Wahbe, Lucco, Anderson, Graham
![Page 45: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/45.jpg)
47
• Hardware– Memory Protection (virtual address translation, x86
segmentation)
• Software– Sandboxing– Language-Based
• Hardware + Software– Virtual machines
Isolation Mechanisms
Software Fault Isolation≈
Memory Protectionin Software
![Page 46: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/46.jpg)
48
SFI Goals• Confine faults inside distrusted extensions– codec shouldn’t compromise media player– device driver shouldn’t compromise kernel– plugin shouldn’t compromise web browser
• Allow for efficient cross-domain calls– numerous calls between media player and codec– numerous calls between device driver and kernel
![Page 47: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/47.jpg)
49
Main IdeaProcess Address Space
Module 1Fault Domain 1
Module 2Fault Domain 2
segment with id 2, e.g., with top bits
010
segment with id 1, e.g., with top bits
011
![Page 48: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/48.jpg)
50
Scheme 1: Segment Matching• Check every mem access for matching seg id• assume dedicated registers segment register (sr) and
data register (dr)– not available to the program (no big deal in Alpha)
Process Address Space
Module 1
Module 2
precondition: sr holds segment id 2
dr = addrscratch = (dr >> 29)compare scratch, srtrap if not equaldst = [dr]
![Page 49: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/49.jpg)
51
Safety
• Segment matching code must always be run to ensure safety.
• Dedicated registers must not be writeable by module.
![Page 50: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/50.jpg)
52
Scheme 2: Sandboxing• Force top bits to match seg id and continue• No comparison is made
precondition: sr holds segment id 2
dr = (addr & mask)dr = (dr | sr)dst = [dr]
Process Address Space
Module 1
Module 2 Enforcetop bits in dr are sr
![Page 51: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/51.jpg)
53
Segment Matching vs. Sandboxing
Segment Matching
• more instructions
• can pinpoint exact point of fault where segment id doesn’t match
Sandboxing
• fewer instructions
• just ensures memory access stays in region(crash is ok)
![Page 52: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/52.jpg)
54
Communication between domains
RPC
![Page 53: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/53.jpg)
55
Native Client
Optional Reading:
Native Client: A Sandbox for Portable, Untrusted x86 Native Codeby Yee et al.
![Page 54: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/54.jpg)
56
NaCL: A Modern Day Example
• Two sandboxes: – an inner sandbox to mediate x86-specific runtime details (using
what technique?)– an outer sandbox mediates system calls
(Using what technique?)
Browser
HTMLJavaScript
NPAPI or RPC
NaCl runtime
Quake
![Page 55: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/55.jpg)
57
Security Goal• Achieve comparable safety to accepted
systems such as JavaScript.– Input: arbitrary code and data • support multi-threading, inter-module communication
– NaCL checks that code conforms to security rules, else refuses to run.
Quake NACL Static Analysis
Unverified
Verified
![Page 56: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/56.jpg)
58
Obligations
What do these obligations guarantee?
![Page 57: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/57.jpg)
59
Guarantees• Data integrity: no loads or stores outside of
sandbox– Think back to SFI paper
• Reliable disassembly• No unsafe instructions• Control flow integrity
![Page 58: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/58.jpg)
60
NACL Module At Runtime
Untrusted Code
4 KB RW protected for NULL ptrs
60 KB for trampoline/springboard
Transfer from trusted to
untrusted code, and vice-versa
![Page 59: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/59.jpg)
61
Performance - Quake
![Page 60: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/60.jpg)
62
Questions?
![Page 61: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/61.jpg)
END
![Page 62: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/62.jpg)
64
TOC/TOU• Time of Check/Time of Use bugs are a type of
race condition
$ open(“myfile”); monitor does complex check
monitor OK’s OS carries out action
$ ln –s myfile /etc/passwd monitor OK’s Action performed
time
![Page 63: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/63.jpg)
65
Software Mandatory Access ControlFine-grained SFI: SMAC can have different access checks at different instructions.
• isolated code region => no need for NX data
![Page 64: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/64.jpg)
66
Context Sensitivity ProblemsSuppose A calls Cand B calls C, D.• CFI uses same call label for C and D due to B.
How to prevent A from calling D?• duplicate C into CA and CB, or
• use more complicated labeling mechanism
![Page 65: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/65.jpg)
67
OptimizationsGuard Zones• unmapped pages
around segment toavoid checkingoffsets
Lazier SP Check• check SP only
before jumps
![Page 66: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/66.jpg)
68
Performance
store and jump
checked
load, store and
jump checked
![Page 67: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/67.jpg)
69
Is it counter-intuitive?• Slow down “common” case of intra-domain
control transfer in order to speed up inter-domain transfer– Check every load, store, jump within a domain
• Faster in practice than hardware when inter-domain calls are frequent– Context switches are expensive– Each cross-module call requires a context switch
![Page 68: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/68.jpg)
70
Differences between NaCL SFI and Wahbe SFI
• NaCL uses segments for data to ensure loads/stores are within a module– Do not need sandboxing overhead for these
instructions
• Others?• After reading Wahbe et al, how would you
implement inter-module communication efficiently?
![Page 69: Control Flow Integrity & Software Fault Isolation](https://reader033.vdocuments.net/reader033/viewer/2022061602/56816931550346895de07e1f/html5/thumbnails/69.jpg)
71
Performance – Micro Benchmarks