Description:
The University of Texas at Dallas is seeking partners interested in broadening the software security technique of control-flow integrity (CFI) to support a much larger class of target application programs and architectures while further enhancing the security capabilities. Object Flow Integrity (OFI) is the first work to safely support inter-module object flows by extending CFI security protections to the significant realm of mainstream software in which one or more object-exchanging modules are immune to instrumentation. Despite the usefulness of CFI, it is often impractical to implement in component-driven settings, which comprise over 98% of the world's software market, as most CFI algorithms demand write-access to all system software components. OFI extends CFI frameworks to support such classes of consumer software, wherein control-flow transfer operation ("jump") instructions are contained in protected operating system (OS) files, and complex object-oriented Application Programming Interfaces (APIs), such as Component Object Model (COM). The deployment flexibility of prior CFI approaches is maintained by assuming there is no access to untrusted application or trusted system source code, rather, that only trusted interfaces are documented. Further, the OFI mediation strategy is source-agnostic, making it applicable to both source-aware and source-free CFI approaches.
The use of OFI augments CFI protections with secure, first-class support for binary object exchange across inter-module trust boundaries - accomplished with the introduction of tamper-proof proxy objects . Proxy objects implemented with OFI provide significant benefits over existing CFI protections by enabling prevention of Confused Deputy-assisted Counterfeit Object-Oriented Programming (CODE-COOP) attacks. Significantly, the prototype implementation of OFI for Microsoft COM indicates that the approach is feasible for object-oriented APIs without access to source code and scales effectively to large interfaces. Further evaluation shows that OFI provides all of these capabilities while exhibiting low overheads, under 1%, for several real-world consumer software applications.
Figure 1: Cross-module OFI control-flows.
Technical Summary:
Object Proxying
The OFI solution involves the use of proxy objects - each time an object flows across an inter-module trust boundary, OFI delivers a substitute proxy object to the callee. At a high-level, proxy objects are in-lined reference monitors (IRMs) that wrap and mediate access to the methods of the objects they proxy. To ensure the security of each computed jump instruction while maintaining acceptable overhead, OFI implements a recursive approach to object proxying: At object creation points, OFI substitutes the created objects with proxy objects whose methods are mediators that enforce CFI guards before falling through to the proxied object's original programming. Proxying occurs dynamically, on-demand, as each method is called by the various principals and with various object arguments. Further, proxy objects need no writable data, so they may be stored entirely within read-only memory - thwarting CODE-COOP attacks that attempt to deputize object recipients by corrupting proxy virtual method tables (VMTs).
Automated Mediator Synthesis
The ability to automatically synthesize mediator implementations for trusted interfaces (specified in a machine-readable format) becomes a practical necessity when interfaces comprise thousands of methods or more. As such, an innovative strategy was used: conscripting C++ compilers interpret interface-documenting header files and automatically synthesize mediation library code. This strategy achieves static reflective programming for C++ without modifying the compiler, language, or header files. Further, this allows mediation code for tens of thousands of API methods to be synthesized from just a few hundred lines of handwritten template code, keeping OFI's trusted computing base relatively small and manageable.
Security Evaluation - Hijacking Attacks
OFI is the first defensive work to focus on the CODE-COOP hijacking attack class. While OFI does not directly defend against COOP attacks (since it does not suggest better enforcement policies for CFI), it extends defenses that work against COOP to be effective in contexts where not all call sites can be instrumented with guard code. When coupled with a CFI defense enforcing a suitably semantics-aware policy, OFI addresses CODE-COOP attacks. As OFI completely mediates the interface between guarded and unguarded modules that share objects, it shields uninstrumented modules from counterfeit objects. In order to assess OFI's response to attacks, synthetic VMT corruption and COOP attacks were launched against programs rewritten by the prototype. In each case, the attack quickly results in a security abort and premature termination; no control-flow policy violations were observed.
Value Proposition:
Object Flow Integrity (OFI) extends CFI security protections to a significant portion of mainstream software, including complex object-oriented APIs – as shown through successful OFI-mediated CFI instrumentation in various COM programs, including Mozilla Firefox. As the first defensive work directed towards CODE-COOP attacks, OFI facilitates safe, transparent flow of binary objects across trust boundaries in multi-module processes with the use of proxy objects.
Applications:
- Software Security Engineering - Improves security of Commercial Off-The-Shelf (COTS) software products for operating systems with object-oriented APIs
- Improved VMT Protection - differs from traditional approaches by protecting software modules that cannot be instrumented; rendering existing approaches inapplicable (since they must instrument call sites where corrupted VMTs might be dereferenced to be effective)
- Hijacking Defense - OFI extends defenses that work against COOP to be effective in contexts where not all call sites can be instrumented with guard code.
Key Benefits:
- Scalable - Successfully applied to several interactive COM applications and to Mozilla Firefox with minimal overhead
- Versatile – Allows CFI to be effectively applied to commercial software without modifying the OS files
- Source-agnostic - Applicable to both source-aware or source-free CFI approaches
- Low Overhead - OFI proxies consist of only a fixed VMT and no data; all object proxies assigned to same VMT to efficiently implement entire proxy object pool
Stage of Development:
Prototype
Implementation of OFI extends the REINS system1 - chosen because it realizes fully source-free CFI and it supports Windows platforms. This allows an aggressive evaluation of OFI's design in contexts that lack the benefit of source code and that must support extensive, complex object-oriented APIs, such as Windows COM applications. Aside from adjusting the control-flow policy to incorporate OFI mediation, OFI extensions only inhabit the policy enforcement library portion of the architecture - no change to the disassembly, rewriting, verification, or linking stages was required. Implementation of OFI can be done in a modular fashion that does not significantly affect the underlying CFI system's internals.
Evaluation
Performance of OFI on CPU benchmarks exhibited no measurable overhead because CPU benchmarks do not typically access object-oriented system APIs within loops, which is where OFI introduces overhead. Therefore, the effectiveness of OFI was evaluated by testing the prototype with a set of COTS binary applications. The test binaries were chosen to be amenable to fully automated binary reverse engineering and instrumentation, yet reliant upon large, complex system APIs representative of consumer software - thereby an appropriate test for the practical feasibility of the OFI approach. Although the test binaries are small-to-moderate in size, the trusted interfaces that must be supported to accommodate them are large.
Results
CFI instrumentation alone could not support COM-dependent features of any tested target application – but with the OFI extensions, all features exhibited full functionality. Runtime overheads were demonstrated to modest and unnoticeable by users - the median overhead is 0.34%, with the greatest overhead being 1.82%. Scalability was demonstrated by applying the prototype to Mozilla Firefox (version 48.0.1) for Windows - a large, heavily multi-module software product. All browser functionalities tested exhibited full operation after OFI instrumentation, yielding an estimated overhead of just 0.84%.
Publication:
Wenhao Wang, Xiaoyang Xu, and Kevin W. Hamlen. Object Flow Integrity . In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS) , pp. 1909–1924, November 2017.
IP Status: Patent pending.
Licensing Opportunity: This technology is available for exclusive or non-exclusive licensing.
ID Number: 18001
Contact: otc@utdallas.edu
Sources:
- Richard Wartell, Vishwath Mohan, Kevin W. Hamlen, and Zhiqiang Lin. 2012. Securing Untrusted Code via Compiler-Agnostic Binary Rewriting. In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC). 299–308.