IBV-CFI: Efficient fine-grained control-flow integrity preserving CFG precision

Hyerean Jang, Moon Chan Park, Dong Hoon Lee

Research output: Contribution to journal › Article › peer-review

Abstract

Control-flow integrity (CFI) is a software security solution that prevents software attacks such as control-flow hijacking by restricting indirect control-flow transfers (ICTs) to a pre-computed control-flow graph (CFG). Since the CFI mechanism determines the validity of ICTs based on the CFG, CFG precision is an important factor in determining the CFI security level. However, checking the validity of ICTs based on a precise CFG can incur significant runtime overhead. For this reason, many existing CFI schemes have used a runtime check mechanism that compromises the precision of the CFG. In this paper, we present an Index-based Bit Vector Control-Flow Integrity scheme (IBV-CFI), which performs an efficient runtime check while preserving CFG precision. IBV-CFI generates independent bit vectors for all ICTs and stores a valid target set for each ICT in the bit vector. Independent bit vectors accurately reflect the CFG, so they do not compromise the precision of the CFG. In addition, it is possible to determine the validity of the target of the indirect branch through a simple bit value comparison, which enables an efficient runtime check. We implemented a prototype model, IBV-CFI, and performed performance measurements using the SPEC CPU 2017 benchmarks and three real-world applications. The results show that IBV-CFI introduces approximately 1.42% performance overhead.
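The per-ICT bit-vector check described in the abstract, as an added sketch that is not the paper's implementation: it contrasts one independent bit vector per call site with a merged-label check that loses CFG precision when two sites share a target. The handler names, site names, index assignment, linear-scan index lookup and the merged-label baseline are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);
static int h_open(int x)  { return x + 1; }
static int h_close(int x) { return x + 2; }
static int h_log(int x)   { return x + 3; }
static int h_exec(int x)  { return x + 4; }   /* address-taken, valid at no site below */

/* Constructed CFG: every address-taken function gets an index (its bit position). */
enum { N_TARGETS = 4, N_SITES = 2, SITE_IO = 0, SITE_AUDIT = 1 };
static const handler_t targets[N_TARGETS] = { h_open, h_close, h_log, h_exec };

/* One independent bit vector per ICT site; bit i set <=> targets[i] is valid there. */
static const uint32_t site_bv[N_SITES][(N_TARGETS + 31) / 32] = {
    [SITE_IO]    = { 1u << 0 | 1u << 1 },   /* {h_open, h_close} */
    [SITE_AUDIT] = { 1u << 1 | 1u << 2 },   /* {h_close, h_log}  */
};

/* Coarse baseline: one label per target. h_close is shared, so both sets merge. */
static const int target_class[N_TARGETS] = { 1, 1, 1, 2 };
static const int site_class[N_SITES]     = { 1, 1 };

static int target_index(handler_t f) {   /* linear scan stands in for a metadata lookup */
    for (int i = 0; i < N_TARGETS; i++)
        if (targets[i] == f) return i;
    return -1;                            /* not a known indirect-branch target */
}

int ibv_check(int site, handler_t f) {    /* single bit test against this site's vector */
    int i = target_index(f);
    return i >= 0 && ((site_bv[site][i >> 5] >> (i & 31)) & 1u);
}

int merged_check(int site, handler_t f) { /* label equality: accepts the merged set */
    int i = target_index(f);
    return i >= 0 && target_class[i] == site_class[site];
}

/* Guarded indirect call: returns 0 and does not transfer control on a violation. */
int guarded_call(int site, handler_t f, int arg, int *out) {
    if (!ibv_check(site, f)) return 0;
    *out = f(arg);
    return 1;
}

int main(void) {
    printf("h_log at SITE_IO: merged=%d ibv=%d\n",
           merged_check(SITE_IO, h_log), ibv_check(SITE_IO, h_log));
    return 0;
}
```

At `SITE_IO` the merged-label check accepts `h_log`, which the CFG never allows there, while the per-site bit vector rejects it.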

Original language: English
Article number: 101828
Journal: Computers and Security
Volume: 94
DOIs
Publication status: Published - 2020 Jul

Keywords

  • Computer architecture
  • Control-flow hijacking
  • Control-flow integrity
  • Security
  • Software security

ASJC Scopus subject areas

  • Computer Science(all)
  • Law
