Control Flow Integrity (CFI) and Java Security: Concepts and Mechanisms

What does Control Flow Integrity (CFI) enforce?

CFI enforces the integrity of a program's execution flow path.

How can CFI detect changes in execution flow?

CFI can detect undefined changes in the path of execution by an adversary.

What types of attacks does CFI help mitigate?

CFI efficiently detects and mitigates buffer overflow, Return Oriented Programming (ROP), and return-to-libc attacks.

What is a Control Flow Graph (CFG)?

A CFG is a representation that defines the paths that may be traversed through a program during its execution.

How is a CFG built in CFI?

A CFG is built statically at compile time and instrumented at install time.

What is the purpose of ID checks in CFI?

ID checks ensure that indirect jumps have matching IDs to maintain control flow integrity.

What is a Basic Block in the context of CFI?

A Basic Block is a consecutive sequence of instructions where control is straight, with no jump targets except at the beginning.

What is a Call Graph?

A Call Graph depicts the relationships between functions, indicating which functions invoke others.

How does CFI monitor indirect calls?

CFI monitors indirect calls and returns because they are done through dynamic data on the stack.

What is an In-line Reference Monitor (IRM)?

An IRM rewrites a program by inserting instructions to check whether CFI attributes are maintained.

What is the challenge of labeling in CFI?

The challenge is to ensure that labels for indirect transfers are unique and correctly match expected targets.

What assumptions must be made for CFI to work effectively?

CFI requires unique IDs, non-writable code memory, and non-executable data.

What is the Java security model based on?

The Java security model is based on a customizable 'sandbox' where Java programs can run safely.

What is a POLICY file in Java?

A POLICY file is a configuration file used by the Java Runtime Environment to determine the granted permissions for each Java program.

What does the Bytecode Verifier check?

The Bytecode Verifier checks that variables are initialized, access rules are followed, and no illegal data conversions occur.

What is the purpose of signed applets in Java?

Signed applets contain a signature that the browser verifies through a certificate authority to ensure trust.

What is the role of protection domains in Java security?

Protection domains associate a code source with the permissions granted, determined by the class loader.

What is the significance of unique IDs in CFI?

Unique IDs prevent conflicts during ID checking, which is crucial for maintaining control flow integrity.

What does it mean for code memory to be non-writable in CFI?

Non-writable code memory prevents the CFI implementation code from becoming corrupted.

Why is it important for data to be non-executable in CFI?

Non-executable data prevents attackers from adding executable malicious code to the data portion.

What is the challenge of defining 'expected behavior' in behavior-based detection?

The challenge lies in accurately defining what constitutes 'expected behavior' for a program.

What is the purpose of monitoring indirect calls and returns in CFI?

Monitoring is necessary because indirect calls and returns can be altered through dynamic data on the stack.

How can CFI be compromised?

CFI can be compromised if the detector itself is not secure or if the randomness of secrets is insufficient.

What is the consequence of a return address being overridden in CFI?

If a return address is overridden, it may redirect execution to unintended locations, potentially leading to security breaches.

What is the role of randomness in CFI?

Randomness is used to ensure that labels and secrets maintain unpredictability, enhancing security.

What happens if the expected label does not match in CFI?

If the expected label does not match, the program will abort to prevent unauthorized execution.

What is the significance of the Java Development Kit (JDK) 1.0 sandbox?

The JDK 1.0 sandbox allows trusted code unrestricted access while limiting untrusted code to specific operations.