Architectural Support for Software-Based Protection
Mihai Budiu, Úlfar Erlingsson, Martín Abadi
ASID Workshop, Oct 21, 2006, Silicon Valley

Summary
- CFI: enforce control flow to prevent software attacks [CCS 05] [ICFEM 05]
- XFI: protect modules within a single address space [OSDI 06]
- This work: add hardware support for both

Outline
- Control-Flow Integrity
- XFI: Protecting Modules
- Conclusions
CFI Motivation
(Figure: control flow as the anatomy of many software attacks)

CFI Idea
Executable + Control-Flow Graph = Self-checking program

CFI Security Benefits
- Enforces the CFG against an attacker that controls the whole data memory
- Defends against a large class of attacks:
  – Buffer overflows
  – Stack smashing
  – Jump-to-libc
  – Pointer subterfuge
- Validated experimentally
(Figure: code, data and stack regions)
Embedding a CFG Edge
Traditional indirect jump (the destination is unconstrained):
    jmp r
    ...
    dest: ...   ?
New ISA: checked jump and label
    jmpc r1, 60
    ...
    cfilabel 60
    ...

Semantics
jmpc r1, L:
    cfi_register = L; jmp r1
cfilabel L:
    if (cfi_register == L) cfi_register = 0
Before any instruction except cfilabel:
    if (cfi_register != 0) cfi_exception()
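Added example (not the authors' code): a small C interpreter that applies exactly the three rules on this slide to a constructed instruction stream, so that landing on the matching cfilabel succeeds while landing on a plain instruction, on a label belonging to another edge, or past the label raises the exception. The opcode names, the register file and the program are assumptions of the example.

```c
#include <stddef.h>

/* Added example, not the paper's code: a toy interpreter for the slide's
 * checked-jump rules; opcodes and "0 = no pending check" are assumptions. */
typedef enum { OP_NOP, OP_JMPC, OP_CFILABEL, OP_HALT } opcode_t;
typedef struct {
    opcode_t op;
    int reg;    /* OP_JMPC: register holding the target address */
    int label;  /* OP_JMPC: expected label L; OP_CFILABEL: label at this site */
} insn_t;

/* Returns 1 on OP_HALT, 0 where cfi_exception() would fire (or on a runaway). */
int run(const insn_t *code, size_t ncode, const int *regs, size_t pc, int max_steps)
{
    int cfi_register = 0;
    for (int step = 0; step < max_steps; step++) {
        if (pc >= ncode) return 0;              /* jumped outside the code */
        const insn_t *i = &code[pc];
        /* Slide rule: before any instruction except cfilabel, a non-zero
         * cfi_register means the checked jump missed its label. */
        if (i->op != OP_CFILABEL && cfi_register != 0) return 0;
        switch (i->op) {
        case OP_JMPC:
            cfi_register = i->label;            /* remember expected label */
            pc = (size_t)regs[i->reg];          /* take the indirect jump */
            continue;
        case OP_CFILABEL:
            if (cfi_register == i->label) cfi_register = 0;
            break;                              /* wrong label: check stays pending */
        case OP_HALT:  return 1;
        case OP_NOP:   break;
        }
        pc++;
    }
    return 0;
}

/* Constructed program: jmpc through r0; only index 2 carries the expected
 * label 60, index 4 carries label 61 belonging to some other edge. */
int demo(int r0)
{
    static const insn_t prog[] = {
        { OP_JMPC, 0, 60 },     /* 0: jmpc r0, 60 */
        { OP_NOP, 0, 0 },       /* 1: plain instruction */
        { OP_CFILABEL, 0, 60 }, /* 2: legitimate destination */
        { OP_HALT, 0, 0 },      /* 3 */
        { OP_CFILABEL, 0, 61 }, /* 4: wrong label */
        { OP_HALT, 0, 0 },      /* 5 */
    };
    int regs[1] = { r0 };
    return run(prog, sizeof prog / sizeof prog[0], regs, 0, 100);
}
```

demo(2) halts normally; demo(1), demo(3) and demo(4) all end in the CFI exception, matching the rule that only the expected label clears the pending check.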
Evaluation
Spec2k sources -> Alpha CC -> binary -> Squeeze++ binary rewriter (running the instrumentation algorithm) -> instrumented binary -> Sim-alpha simulator (Linux) -> performance data
CFI Execution Overhead
Outline
- Control-Flow Integrity
- XFI: Protecting Modules
- Conclusions

XFI Motivation
(Figure: OS kernel and driver both run in Ring 0 (high privilege) in a single address space, sharing the kernel heap and shared data structures)

XFI Address Spaces
(Figure: host system with host heap; XFI module with data (R/O data, R/W data, stacks), code with entry points, fastpath region [A, B), slowpath region)
Memory Bounds Checks
Original write:
    *(int*)x = 2;
Instrumented write (A, B bound the fastpath region):
    if (x < A + 0) goto SlowpathCheck;
    if (B - sizeof(int) < x) goto SlowpathCheck;
    retfromSlowCheck:
    *(int*)x = 2;
(Figure: host system with host heap; XFI module with its data, code and fastpath region [A, B) containing x)

ISA Support for XFI
mrguard $r, L, H
    if ($r < $a + L) XFI_exception()
    if ($b - H < $r) XFI_exception()
Checks that the range [$r - L, $r + H) lies within the guarded region [$a, $b).
Evaluation
Mediabench sources -> Alpha CC -> assembly -> hand instrumentation -> object files -> linked with the kernel -> instrumented binary -> Sim-alpha simulator (Linux) -> performance data

Bounds Checks Overhead

Advantages of ISA Support
Compared with software solutions:
- Reduce executable size
- Reduce pressure on fetch structures (I-cache, trace cache, branch predictors)
- Decrease register pressure (no intermediate results)
- Do not pollute condition flags
- Do not pollute the data cache to fetch code labels [CFI only]

Conclusions
- ISA support is very simple
- ISA support does not stretch critical hardware resources
- ISA support can reduce the cost of CFI and XFI enforcement
Backup Slides

MSR Silicon Valley

Our Neighbors: Google, NASA Ames, Microsoft SVC

We're Going Into Architecture

We're Hiring Computer Architects
- Exciting research opportunities
- A chance to influence industry
- A lot of creative freedom
- A great interdisciplinary team
- A brand new research group
- A great location
research.microsoft.com/aboutmsr/labs/siliconvalley
CFI & XFI Toolchain
Program -> compiler -> executable + debugging information -> binary rewriter (instrumentation algorithm) -> safe executable -> verifier -> execution
(Figure: unsafe code on the left, safe code on the right; the verifier sits at the trusted computing base boundary)

CFI Software Implementation
jmpc r1, cfilabel becomes:
    if (*r1 != 50) then goto error;
    goto r1+4;
Destination: the label 50 is stored as a data word at the target, followed by the code

CFI Binary Size Increase