Project

Revisiting Integrity-Based Exploit Mitigations for Memory-Unsafe Programs

One of the core problems in memory-unsafe programming languages such as C and C++ is that a malicious user can provide program inputs that corrupt sensitive data or steer the program off its intended control flow paths. Over the past two decades, researchers have been trying to tackle this problem from many different angles including (i) retrofitting full memory safety into C/C++, (ii) applying software diversity, and (iii) allowing exploits to take place but mitigating their effects.

Some of the most practical protections fall in the latter category. Code Pointer Integrity (CPI), for example, incurs just 8.6% overhead in C++ programs. The idea behind CPI is to move all code pointers in a program (i.e., return addresses, function pointers, etc.) out of the main virtual address space and into an isolated “safe zone”, where they cannot be corrupted. Although CPI showed great promise, it was never adopted, and hardly ever scrutinized. One of the few papers that shed doubt on the strong guarantees CPI seems to provide is van der Veen et al.’s 2017 Newton paper, which showed that CPI did not implement bounds checks correctly. Worse yet, a preliminary investigation conducted by Prof. Stijn Volckaert revealed that CPI’s bounds checks were almost entirely disabled. After enabling the bounds checks, CPI’s overhead increased by an order of magnitude, and most protected programs no longer functioned correctly.

The initial goal of this PhD project is to revisit CPI. Concretely, we want to (i) implement bounds checks correctly, (ii) explore techniques to eliminate or merge bounds checks where and when it can be done safely, (iii) explore the use of recently introduced hardware facilities such as Intel MPK and MPX to improve CPI’s protection guarantees, and (iv) investigate the applicability of CPI’s techniques to data-only attacks. The envisioned end results are a greatly improved and more practical variant of CPI, and a much better understanding of the design space for code pointer protection. Both should lead to publishable papers. A second goal of this project is to transplant the lessons learned from the work on CPI onto dedicated program data protections such as Data-Flow Integrity (DFI). DFI is a potential candidate for protection against the data-only attack vectors that have been rising in popularity in the past couple of years.

Date: 26 Sep 2019 → 26 Sep 2023
Keywords: Computer system security
Disciplines: Computer system security
Project type: PhD project