Code Pointer Integrity: ... or how we battle the daemons of memory safety

Presented at 31C3 (2014), Dec. 27, 2014, 8:30 p.m. (60 minutes)

Programs are full of bugs, leading to vulnerabilities. We'll discuss power and limitations of code-pointer integrity (CPI), a strong but practical security policy that enforces memory safety for all code pointers, protecting against any form of control-flow hijack attack (e. g., ROP or JOP). Systems code is often written in low-level languages like C/C++, which offer many benefits but also delegate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed defence mechanisms (e. g., ASLR, DEP) are incomplete, and stronger defence mechanisms (e. g., CFI) often have high overhead and limited guarantees (and are therefore not generally deployed). In this talk we discuss code-pointer integrity (CPI), a strong security policy that guarantees the integrity of all code pointers in a program (e.g., function pointers, saved return addresses) and thereby prevents all control-flow hijack attacks, including return-oriented programming and jump-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. Both CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient, resulting in very low to negligible performance overhead. We will also discuss technical challenges in the CPI prototype implementation, practical challenges we faced when protecting a full FreeBSD distribution, and give more details on the scope of protection which will be interesting to hackers. The full prototype implementation is open-source, all changes to FreeBSD are open-source and we're working on integrating the patches into LLVM.

Presenters:

• gannimo
  Mathias Payer is a security nerd and an assistant professor in computer science at Purdue university. His interests are related to system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. Mathias Payer sees himself as a hacker and he is interested in all areas of system security, both looking at new defence mechanisms and new attack vectors. His credo is that we have to protect applications even in the presence of vulnerabilities, with a specific focus on memory corruption. Next to publishing his research at academic conferences he is a frequent speaker at hacker conferences (27c3, 28c3, 2x 30c3, SyScan) and enjoys the relaxed atmosphere there. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH with a Dr. sc. ETH in 2012. The topic of his thesis is related to low-level binary translation and security. He analyzed different exploit techniques and wondered how we can enforce integrity for a subset of data (e.g., code pointers). All prototype implementations are open-source. In 2014, he started the b01lers Purdue CTF team.

Links:

• https://fahrplan.events.ccc.de/congress/2014/Fahrplan/events/6050.html

Similar Presentations:

• DEF CON 27 (2019) / HackPac: Hacking Pointer Authentication in iOS User Space
• 32C3 (2015) / New memory corruption attacks: why can't we have nice things?
• Black Hat USA 2015 / Return to Where? You Can't Exploit What You Can't Find