Taking Back Control: Closing the Gap Between C/C++ and Machine Semantics

Nathan H. Burow
2019
Control-flow hijacking attacks allow adversaries to take over seemingly benign software, e.g., a web browser, and cause it to perform malicious actions, i.e., grant attackers a shell on a system. Such control-flow hijacking attacks exploit a gap between high-level language semantics and the machine language that they are compiled to. In particular, systems software such as web browsers and servers are implemented in C/C++, which provide no runtime safety guarantees, leaving memory and type safety exclusively to programmers. Compilers are ideally situated to perform the required analysis and close the semantic gap between C/C++ and machine languages by adding instrumentation to enforce full or partial memory safety.

In unprotected C/C++, adversaries must be assumed to be able to control the contents of any writeable memory location (arbitrary writes), and to read the contents of any readable memory location (arbitrary reads). Defenses against such attacks range from enforcing full memory safety to protecting only select information, normally code pointers to prevent control-flow hijacking attacks. We advance the state of the art for control-flow hijacking defenses by improving the enforcement of full memory safety, as well as partial memory safety schemes for protecting code pointers.

We demonstrate a novel mechanism for enforcing full memory safety, which denies attackers both arbitrary reads and arbitrary writes at half the performance overhead of the prior state of the art mechanism. Our mechanism relies on a novel metadata scheme for maintaining bounds information about memory objects. Further, we maintain the application binary interface (ABI), support all C/C++ language features, and are mature enough to protect all of user space, and in particular libc.

Backwards control-flow transfers, i.e., returns, are a common target for attackers. In particular, return-oriented-programming (ROP) is a code-reuse attack technique built around corrupting return addresses. Shadow stacks prevent ROP attacks by providi [...]
doi:10.25394/pgs.7499441.v1 fatcat:7at2etzwfrepvd5vfakfiiddf4