Full Program »
Analyzing Control Flow Integrity with LLVM-CFI
Control-flow hijacking attacks are used to perform malicious computations.
Current solutions for assessing the attack surface after
a control flow integrity (CFI) policy was applied can measure only
indirect transfer averages in the best case without providing any
insights w.r.t. the absolute calltarget reduction per callsite, and gadget
availability. Further, tool comparison is underdeveloped or not
possible at all. CFI has proven to be one of the most promising
protections against control flow hijacking attacks, thus many efforts
have been made in the past to improve CFI in various ways.
However, there is a lack of systematic assessment of existing CFI
Therefore in this paper, we present LLVM-CFI, a static source code analysis framework for analyzing state-of-the-art static CFI protections based on the Clang/LLVM compiler framework. LLVM-CFI works by precisely modeling a CFI policy and then evaluating it within a unified approach. LLVM-CFI helps determine the level of security offered by different CFI protections, after the CFI protections were deployed, thus providing an important step towards exploit creation/prevention and stronger defenses. We have used LLVM-CFI to assess eight state-of-the-art static CFI defenses on real-world programs such as Google Chrome and Apache Httpd. LLVM-CFI provides a precise analysis of the residual attack surfaces, and accordingly ranks CFI policies against each other. LLVM-CFI also successfully paves the way towards construction of COOP-like code reuse attacks and elimination of the remaining attack surface by disclosing protected calltargets under eight restrictive CFI policies.