What three components make a process (running program) safe?
1. Memory safety, 2. Control-flow safety, and 3. Type safety
What is Memory Safety?
All memory accesses are “correct”: respecting array bounds, not accessing another process’s memory, and not executing data as code
What is Control-Flow Safety?
All control transfers are those envisioned by the original program: no arbitrary jumps and no unexpected calls to library routines
What is Type Safety?
All function calls and operations have arguments of the correct type
What is the primary goal of Control Flow Integrity (CFI)?
Ensuring that a program's execution follows only the control transfers in its intended control-flow graph, so that attacks which hijack control flow fail
What specific attack type is CFI designed to defeat?
Return Oriented Programming (ROP) attacks
What is a Control Flow Graph (CFG)?
A graph representation of all the paths that might be traversed during program execution
What is a Call Graph?
A representation showing which functions call which other functions in a program
What’s the difference between direct and indirect function calls?
Direct calls have fixed targets in the code; indirect calls use function pointers or other mechanisms where the target address is determined at runtime
Why are indirect calls and returns considered security risks?
Their targets are read from writable memory at runtime (function pointers, and return addresses on the stack) that an attacker may be able to overwrite, making them targets for control-flow attacks
What are three main steps in implementing CFI?
1. Build a Control Flow Graph (CFG) at compile time, 2. Instrument the binary at install/load time, and 3. Perform ID checks at runtime
What is IRM in the context of CFI?
In-Line Reference Monitor - a method of rewriting the program by inserting instructions to check whether CFI properties are maintained
How does CFI maintain control flow integrity at runtime?
By adding label IDs and ID label checks, then ensuring indirect jumps must have matching IDs
What three methods can be used to pre-compute a CFG?
Source-code analysis, binary analysis, and execution profiling
What types of control transfers need monitoring in CFI?
Indirect calls (through function pointers) and returns from functions
Why don’t direct function calls need monitoring in CFI?
Their targets are encoded in the instructions themselves, which live in non-writable code pages (an assumption CFI relies on), so a memory-corruption attack cannot redirect them
How does CFI prevent ROP attacks?
By ensuring control transfers can only go to valid destinations according to the pre-computed Control Flow Graph
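The label-ID mechanism from the runtime card and the "valid destinations only" answer above are easiest to see side by side, so here is an added C example (not from the page or any CFI implementation) that emulates an inlined reference monitor at an indirect call site. Real CFI embeds the ID in the code bytes in front of each function; this example places the label next to the code pointer in a `cfi_target` struct (a hypothetical layout) so it stays portable C. The function names, label values and the `dispatcher` struct are all constructed for the demo, and the hijack is simulated by assigning the pointer rather than by an actual overflow.

```c
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Hypothetical layout: real CFI puts the label in the code bytes just before
   the function's first instruction; here it sits beside the pointer. */
typedef struct {
    uint32_t   label;
    handler_fn fn;
} cfi_target;

/* Equivalence-class IDs assigned from the CFG at "compile time":
   every legitimate target of the dispatch call site shares LABEL_HANDLER. */
#define LABEL_HANDLER 0x12345678u
#define LABEL_PRIV    0xdeadbeefu   /* never a legal indirect target here */

static int double_it(int x)   { return 2 * x; }
static int negate(int x)      { return -x; }
static int spawn_shell(int x) { (void)x; return 0xBAD; }  /* stand-in for a dangerous target */

static const cfi_target T_DOUBLE = { LABEL_HANDLER, double_it };
static const cfi_target T_NEGATE = { LABEL_HANDLER, negate };
static const cfi_target T_SHELL  = { LABEL_PRIV,    spawn_shell };

static int cfi_violations;   /* unauthorized transfers observed */

/* Unprotected call site: wherever the pointer says, we go. */
static int call_unchecked(const cfi_target *t, int arg) { return t->fn(arg); }

/* Instrumented call site: the IRM compares the label at the destination with
   the ID the CFG assigned to this site before transferring control. */
static int call_checked(const cfi_target *t, uint32_t site_id, int arg) {
    if (t->label != site_id) {
        cfi_violations++;
        return -1;   /* a production IRM would abort() the process here */
    }
    return t->fn(arg);
}

/* An object holding a function pointer, like a vtable slot or callback table. */
struct dispatcher { int data; const cfi_target *handler; };

/* use_cfi: 1 = instrumented call site; hijack: 1 = pointer has been corrupted. */
int demo(int use_cfi, int hijack) {
    struct dispatcher d = { 21, &T_DOUBLE };
    if (hijack) d.handler = &T_SHELL;   /* simulates the effect of an overflow */
    return use_cfi ? call_checked(d.handler, LABEL_HANDLER, d.data)
                   : call_unchecked(d.handler, d.data);
}

int main(void) {
    printf("legit,    no CFI:   %d\n", demo(0, 0));   /* 42 */
    printf("hijacked, no CFI:   %d\n", demo(0, 1));   /* 2989 (0xBAD): attacker wins */
    printf("legit,    with CFI: %d\n", demo(1, 0));   /* 42 */
    printf("hijacked, with CFI: %d\n", demo(1, 1));   /* -1: transfer refused */
    printf("violations: %d\n", cfi_violations);
    return 0;
}
```

Both `double_it` and `negate` carry the same label, which is the coarse-grained trade-off the card about pre-computing the CFG implies: the check only proves the target belongs to the right equivalence class, not that it is the exact function the programmer intended.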
What are the three main challenges in implementing effective CFI?
1. Defining “Expected Behavior,” 2. Efficiently detecting deviations, and 3. Avoiding compromise of the detector
Why must the CFI detector itself be protected?
To ensure its determinations are trustworthy - if compromised, it cannot reliably detect attacks
What types of attacks does CFI efficiently detect and mitigate?
Control-flow hijacking that results from buffer overflows, including Return-Oriented Programming (ROP), return-to-libc attacks, and other techniques that redirect execution (CFI does not stop the overflow itself, only the illegitimate transfer it leads to)
What happens if CFI detects an unauthorized control transfer?
The program is typically terminated to prevent the potential attack from proceeding