Session I2: Information Flow CCS’17, October 30-November 3, 2017, Dallas, TX, USA Object Flow Integrity Wenhao Wang Xiaoyang Xu Kevin W. Hamlen [email protected] [email protected] [email protected] The University of Texas at Dallas The University of Texas at Dallas The University of Texas at Dallas ABSTRACT CFI and SFI frameworks work by statically instrumenting control- Object flow integrity (OFI) augments control-flow integrity (CFI) flow transfer instructions in vulnerable software with extra guard and software fault isolation (SFI) protections with secure, first-class code that validates each computed jump destination at runtime. support for binary object exchange across inter-module trust bound- The instrumentation can be performed at compile-time (e.g., [2, 4– aries. This extends both source-aware and source-free CFI and SFI 6, 32, 36, 43–46, 55, 57, 71]) or on sourceless binaries (e.g., [40, 48, 58, technologies to a large class of previously unsupported software: 62, 65, 72–74]). This facility to harden source-free binary software those containing immutable system modules with large, object- is important for securing software in-flight—allowing third parties oriented APIs—which are particularly common in component-based, to secure dynamically procured binary software on-demand in a event-driven consumer software. It also helps to protect these inter- way that is transparent to code producers and consumers—and for module object exchanges against confused deputy-assisted vtable securing the large quantity of software that is closed-source, or that corruption and counterfeit object-oriented programming attacks. incorporates software components (e.g., binary libraries) whose A prototype implementation for Microsoft Component Object source code is unavailable to code consumers. Model demonstrates that OFI is scalable to large interfaces on the While the past decade has witnessed rapid progress toward more order of tens of thousands of methods, and exhibits low overheads of under 1% for some common-case applications. Significant elements powerful, higher performance, and more flexible CFI enforcement of the implementation are synthesized automatically through a strategies, there still remain large classes of consumer software principled design inspired by type-based contracts. to which these technologies are extremely difficult to apply using existing methods. Such limitations often stem from many source- CCS CONCEPTS aware CFI algorithms’ need for full source code for the entire soft- • Security and privacy → Software security engineering; • ware ecosystem (e.g., even for the OS kernel, device drivers, and Software and its engineering → Classes and objects; Incre- complete runtime system) in order to properly analyze application mental compilers; control-flows, or the difficulty of analyzing complex flows common to certain well-entrenched consumer software paradigms, such as KEYWORDS GUI-interactive, event-driven, and component-based software ap- security; control-flow integrity; object-oriented programming; bi- plications. For example, although CFI has been applied successfully nary transformation to some large applications, in our experience no CFI/SFI algorithm published in the literature to date (see §6) successfully preserves and secures the full functionality of Windows Notepad—one of the 1 INTRODUCTION most ubiquitous consumer software products available. Control-flow integrity (CFI) [2] and software fault isolation (SFI) [61] The central problem is a lack of first-class support for archi- secure software against control-flow hijacking attacks by confining tectures in which immutable, trusted software components have its flows to a whitelist of permissible control-flow edges. Theap- huge object-oriented interfaces. Programs like Notepad interact with proach has proven successful against some of the most dangerous, users by displaying windows, monitoring mouse events, and send- cutting-edge attack classes, including return-oriented programming (ROP) [51] and other code-reuse attacks (CRAs) [5]. Attacks in these ing printer commands. At the binary level, this is achieved by calling families typically exploit dataflow vulnerabilities (e.g., buffer over- runtime system API methods that expect binary objects as input. flows) to corrupt code pointers and thereby redirect control to The app-provided binary object contains a virtual method table attacker-chosen program subroutines. By validating each impend- (vtable), whose members are subsequently called by the runtime ing control-flow target at runtime before it is reached, CFI guards system to notify the app of window, mouse, and printer events. The can often thwart these hijackings. call sites that target untrusted code, and that CFI algorithms must instrument, are therefore not exclusively located within the untrusted Permission to make digital or hard copies of all or part of this work for personal or app code classroom use is granted without fee provided that copies are not made or distributed —many are within trusted system libraries that cannot be for profit or commercial advantage and that copies bear this notice and the full citation modified (or sometimes even examined) by the instrumentation on the first page. Copyrights for components of this work owned by others than the process, since they are part of the protected runtime system. author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission Most CFI algorithms demand write-access to all system soft- and/or a fee. Request permissions from [email protected]. ware components that may contain unguarded, computed jumps— CCS’17, October 30 – November 3, 2017, Dallas, TX, USA © 2017 Copyright held by the owner/author(s). Publication rights licensed to Associa- including the OS, all dynamically loaded libraries, and all future tion for Computing Machinery. updates to them—in order to ensure safety. In component-driven ACM ISBN 978-1-4503-4946-8/17/10...$15.00 https://doi.org/10.1145/3133956.3133986 settings, where modules are dynamically procured on-demand via 1 1909 Session I2: Information Flow CCS’17, October 30-November 3, 2017, Dallas, TX, USA a distributed network or cloud, this is often impractical. Unfortu- Untrusted Module 1 h i;:::; h i nately, such settings comprise >98% of the world’s software mar- CoCreateInstance( clsid iid1 , &o1); 2 o !Show(:::); ket,1 including many mission-critical infrastructures that incorpo- 1 Trusted Module rate consumer software components. 3 o1!QueryInterface(hiid2 i, &o2); One approach for coping with this pervasive problem has been to 4 o2!GetOptions(:::); secure objects passed to uninstrumented modules at call sites within 5 o2!Release(); ! the instrumented modules, before the trusted module receives them 6 o1 GetResult(&o3); 7 o !GetDisplayName(:::); (e.g., [57]). But this approach fails when trusted modules retain 3 8 o3!Release(); persistent references to the object, or when their code executes 9 o1!Release(); concurrently with untrusted module code. In these cases, verifying the object at the point of exchange does not prevent the untrusted Listing 1: Code that opens a file-save dialog box module from subsequently modifying the vtable pointer to which the trusted module’s reference points (e.g., as part of a data corrup- of optimizing the performance of the underlying CFI enforcement tion attack). We refer to such attacks as COnfused DEputy-assisted mechanism, deriving suitable control-flow policies for CFI mecha- Counterfeit Object-Oriented Programming (CODE-COOP) attacks, nisms to enforce (cf., [54]), or obtaining accurate native code dis- since they turn recipients of counterfeit objects [54] into confused assemblies without source code (cf., [66]). Our goal is to enhance deputies [31] who unwittingly invoke policy-prohibited code on existing CFI/SFI systems with support for a much larger class of behalf of callers. target application programs and architectures without exacerbating Faced with such difficulties, many CFI systems conservatively any of these challenges, which are the focuses of related works. resort to disallowing untrusted module accesses to trusted, object- In summary, our contributions are as follows: oriented APIs to ensure safety. This confines such approaches to • We introduce a general methodology for safely exchanging architectures with few trusted object-oriented system APIs (e.g., binary objects across inter-module trust boundaries in CFI/SFI- Linux), applications that make little or no use of such APIs (e.g., protected programs without varying trusted module code. benchmark or command-line utilities), or platforms where the ma- • A prototype implementation for Microsoft COM demonstrates jority of the OS can be rewritten (e.g., ChromeOS [57]). The ma- that the approach is feasible for large, complex, object-oriented jority of present-day software architectures that fall outside these APIs on the order of tens of thousands of methods. restrictive parameters have remained unsupported or receive only • A significant portion of the implementation is shown to besyn- incomplete CFI security. thesizable automatically through a novel approach to reflective To bridge this longstanding gap, we introduce object flow integrity C++ programming. (OFI)—a systematic methodology for imbuing CFI and SFI systems • Experimental evaluation indicates that OFI imposes negligi- with first-class support for immutable, trusted