BGCFI: Efficient Verification in Fine-Grained Control-Flow Integrity Based on Bipartite Graph
Control-flow integrity (CFI) is considered a principled mitigation against control-flow hijacking even under the most powerful attacker who can arbitrarily write and read memory. However, existing schemes still demonstrated limitations in either guaranteeing high security level or achieving low perf...
Saved in:
| Published in: | Access, IEEE Vol. 11; pp. 4291 - 4305 |
|---|---|
| Main Authors: | , |
| Format: | Standard |
| Language: | English |
| Published: |
IEEE
2023
|
| Subjects: | |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | Control-flow integrity (CFI) is considered a principled mitigation against control-flow hijacking even under the most powerful attacker who can arbitrarily write and read memory. However, existing schemes still demonstrated limitations in either guaranteeing high security level or achieving low performance and memory overhead. These limitations have restricted the application of CFI in real software. To improve its applicability similar to mandatory protection schemes such as DEP and ASLR, it is essential to improve both high security guarantee and low overhead. In this paper, we propose "BGCFI", which is a fine-grained CFI based on a Bipartite Graph. The relationship between an indirect branch and a valid target address at the branch is represented by an edge in the bipartite graph. The verification of the indirect branch is achieved by checking the existence of the corresponding edge in the bipartite graph. The verification method for fine-grained CFI results in more efficiency on both computational and memory overhead, while completely preserving high security guarantee. We demonstrate our results through the implementation of a proof-of-concept module and evaluation on the SPEC CPU 2017 suite and the Firefox browser. |
|---|---|
| AbstractList | Control-flow integrity (CFI) is considered a principled mitigation against control-flow hijacking even under the most powerful attacker who can arbitrarily write and read memory. However, existing schemes still demonstrated limitations in either guaranteeing high security level or achieving low performance and memory overhead. These limitations have restricted the application of CFI in real software. To improve its applicability similar to mandatory protection schemes such as DEP and ASLR, it is essential to improve both high security guarantee and low overhead. In this paper, we propose "BGCFI", which is a fine-grained CFI based on a Bipartite Graph. The relationship between an indirect branch and a valid target address at the branch is represented by an edge in the bipartite graph. The verification of the indirect branch is achieved by checking the existence of the corresponding edge in the bipartite graph. The verification method for fine-grained CFI results in more efficiency on both computational and memory overhead, while completely preserving high security guarantee. We demonstrate our results through the implementation of a proof-of-concept module and evaluation on the SPEC CPU 2017 suite and the Firefox browser. |
| Author | Lee, Dong Hoon Park, Moon Chan |
| AuthorAffiliation | Graduate School of Information Security, Korea University, Seoul, South Korea |
| AuthorAffiliation_xml | – name: Graduate School of Information Security, Korea University, Seoul, South Korea |
| Author_xml | – sequence: 1 givenname: Moon Chan surname: Park fullname: Park, Moon Chan organization: Graduate School of Information Security, Korea University, Seoul, South Korea – sequence: 2 givenname: Dong Hoon surname: Lee fullname: Lee, Dong Hoon organization: Graduate School of Information Security, Korea University, Seoul, South Korea |
| BookMark | eNqNi70OgjAUhTvo4N8TuHRyA1tAA27SgDJj3AypctGbkFtSmhjf3g4-gGf5TnK-M2cTMgSMraUIpRTZ9qhUUddhJKI4jKM4kWkyY7f8pMrqwIuuwwcCOX4Fi75rh4Y4Ei-RIDhZ7dFyZchZ0wdlb968IgdPi-7Dcz360fs5Dto6dMD9Y3gt2bTT_QirHxdsUxYXdQ4QAJrRaWq1bcdG3IXPPslEKqDdRfHf4hepZkUg |
| ContentType | Standard |
| Copyright | 2013 IEEE |
| Copyright_xml | – notice: 2013 IEEE |
| DBID | ESBDL |
| DOI | 10.1109/ACCESS.2023.3234184 |
| DatabaseName | IEEE Xplore Open Access Journals |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: ESBDL name: IEEE Xplore Open Access Journals url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| EndPage | 4305 |
| ExternalDocumentID | 0b0000649080ed52 |
| Genre | orig-research |
| GroupedDBID | ESBDL |
| ID | FETCH-ieee_standards_0b0000649080ed523 |
| IngestDate | Wed Jan 17 14:01:00 EST 2024 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | OpenURL |
| MergedId | FETCHMERGED-ieee_standards_0b0000649080ed523 |
| OpenAccessLink | https://ieeexplore.ieee.org/document/10005286 |
| ParticipantIDs | ieee_standards_0b0000649080ed52 |
| PublicationCentury | 2000 |
| PublicationDate | 2023 |
| PublicationDateYYYYMMDD | 2023-01-01 |
| PublicationDate_xml | – year: 2023 text: 2023 |
| PublicationDecade | 2020 |
| PublicationTitle | Access, IEEE |
| PublicationTitleAbbrev | Access |
| PublicationYear | 2023 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| Score | 3.4435315 |
| Snippet | Control-flow integrity (CFI) is considered a principled mitigation against control-flow hijacking even under the most powerful attacker who can arbitrarily... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 4291 |
| SubjectTerms | Bipartite graph Browsers Control systems control-data attack Control-flow hijacking control-flow integrity (CFI) Data models Flow production systems Security Static analysis Visualization |
| Title | BGCFI: Efficient Verification in Fine-Grained Control-Flow Integrity Based on Bipartite Graph |
| URI | https://ieeexplore.ieee.org/document/10005286 |
| Volume | 11 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://sdu.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwtV3PS8MwFA66gXhTVPxtDuJFMtf0J95s126CeNkQLzLaJpWBtMNt-O_7XpZ2tQymBy-lhPSl7RfeS74k7yPkGj2e50rOIPThkRzhsVhym3mJE8dGaglXKBHbofv86vVCK1wJJ67K_hVpKAOs8eTsH9CujEIB3APmcAXU4for3P1-ED3iPD9UySFwqf8F2s00N4f8RgQjS9ZHbQikd5d71Vn0UXwpfvAd5exufYhuAlcS_MkUW5lDb6rkKcqstUpsUXmZcsqoz1ErmrWAp_HwQmPPTw_VjQaF7g6acOBmg3CoLJbu06j5P4huRi2WYj6x9X5apTl9CALoZR1spGNyiKdLtbhGAuyuGsg6uELZlcKGeNvm4FXAnbXDod970rmkwOTdGoM_VHPUoGG0R3aGmqfZJ1syPyBvCpt7WiFD68jQSU7ryNA6MrRChipkKNSvkKEKmUNyE4WjYMDwRcYlRTQbNz_MPCKtvMjlMaHCwsRr3dgTcWylDk94lqaOnUk7SxJXOCfkaoOx0401zsjuCt5z0pp_LuQF2Z6JxaX-s9_KVijC |
| link.rule.ids | 782,786,27936,55140 |
| linkProvider | IEEE |
| linkToHtml | http://sdu.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LS8NAEB5sC-pJRcV39yDeNk3SZhO9mTRJg7GXFvEiIclOoCCp2Ab_vjvbqMfibQ_D7rA7zHu_Abgljee5aHNl-uhLjvR4jrbDvULkuVWOpCv1ENuZO331xiHB5PDfvzCIqJvP0KClruXLZdlQqmxg6cKUJzrQI0NvdqEXzvxx2qIJWeb94DEIFOMGDQU3hrZS0Rq29G9uijYb0cE_DzyE3Vkb2R_BDtbH8ObHQZQ8sFADPSha9qIkpmrzbGxRs0h5iTymOQ8oWbDpO-fR-_KLJRoIQjnZzFeWSjJF7y8-SFLWyGLCqT6BuyicBxNOLGU_SYVVZmqfTlCxzkSpYshT6NbLGs-AyRFBdZm5J_N8VAq7sKuyFE6FTlUUrhTn0N-y2cVWij7sTebPaZYm06dL2KdL3mQjrqC7_mzwGjor2dy0r_INsd2Rsw |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=BGCFI%3A+Efficient+Verification+in+Fine-Grained+Control-Flow+Integrity+Based+on+Bipartite+Graph&rft.jtitle=Access%2C+IEEE&rft.au=Park%2C+Moon+Chan&rft.au=Lee%2C+Dong+Hoon&rft.date=2023-01-01&rft.pub=IEEE&rft.volume=11&rft.spage=4291&rft.epage=4305&rft_id=info:doi/10.1109%2FACCESS.2023.3234184&rft.externalDocID=0b0000649080ed52 |