
mustakimur / OS-CFI

Licence: GPL-2.0 license
Origin-sensitive Control Flow Integrity (OS-CFI) - USENIX Security 2019


Projects that are alternatives of or similar to OS-CFI

CFI-LB
Adaptive Callsite-sensitive Control Flow Integrity - EuroS&P'19
Stars: ✭ 13 (-51.85%)
Mutual labels:  llvm, clang, control-flow-integrity
clangbuilder
Building Clang ♡ Utility and Environment
Stars: ✭ 101 (+274.07%)
Mutual labels:  llvm, clang
Chromium Clang
Chromium browser compiled with the Clang/LLVM compiler.
Stars: ✭ 77 (+185.19%)
Mutual labels:  llvm, clang
los
Los is a C/C++-compiled virtual machine. It uses llvm/clang as its front end, losld does the backend to compile the source code, and generates the los directive file.
Stars: ✭ 46 (+70.37%)
Mutual labels:  llvm, clang
codebrowser
Woboq CodeBrowser
Stars: ✭ 985 (+3548.15%)
Mutual labels:  llvm, clang
TON-Compiler
Clang compiler for Free TON Virtual Machine
Stars: ✭ 56 (+107.41%)
Mutual labels:  llvm, clang
EmbedSanitizer
EmbedSantizer is a runtime race detection tool which extends ThreadSanitizer to detect data races in 32-bit ARM applications.
Stars: ✭ 16 (-40.74%)
Mutual labels:  llvm, clang
Constexpr Everything
Rewrite C++ code to automatically apply `constexpr` where possible
Stars: ✭ 178 (+559.26%)
Mutual labels:  llvm, clang
dumb-obfuscator
Tutorial on how to write the dumbest obfuscator I could think of.
Stars: ✭ 147 (+444.44%)
Mutual labels:  llvm, clang
flextool
C++ compile-time programming (serialization, reflection, code modification, enum to string, better enum, enum to json, extend or parse language, etc.)
Stars: ✭ 32 (+18.52%)
Mutual labels:  llvm, clang
sycl
SYCL for Vitis: Experimental fusion of triSYCL with Intel SYCL oneAPI DPC++ up-streaming effort into Clang/LLVM
Stars: ✭ 80 (+196.3%)
Mutual labels:  llvm, clang
Checkedc
Checked C is an extension to C that lets programmers write C code that is guaranteed by the compiler to be type-safe. The goal is to let people easily make their existing C code type-safe and eliminate entire classes of errors. Checked C does not address use-after-free errors. This repo has a wiki for Checked C, sample code, the specification, a…
Stars: ✭ 2,692 (+9870.37%)
Mutual labels:  llvm, clang
Cmake Scripts
A selection of useful scripts for use in CMake projects, include code coverage, sanitizers, and dependency graph generation.
Stars: ✭ 202 (+648.15%)
Mutual labels:  llvm, clang
linux
Linux kernel source tree
Stars: ✭ 234 (+766.67%)
Mutual labels:  llvm, clang
Clang Expand
🐉 A clang tool for happy refactoring without source-code gymnastics
Stars: ✭ 182 (+574.07%)
Mutual labels:  llvm, clang
vuo
A realtime visual programming language for interactive media.
Stars: ✭ 103 (+281.48%)
Mutual labels:  llvm, clang
adorad
Fast, Expressive, & High-Performance Programming Language for those who dare
Stars: ✭ 54 (+100%)
Mutual labels:  llvm, clang
Webassembly Examples
From Simple To Complex. A complete collection of webassembly examples.
Stars: ✭ 177 (+555.56%)
Mutual labels:  llvm, clang
Dstep
A tool for converting C and Objective-C headers to D modules
Stars: ✭ 177 (+555.56%)
Mutual labels:  llvm, clang
MetaCG
MetaCG offers an annotated whole program call-graph tool for Clang/LLVM.
Stars: ✭ 21 (-22.22%)
Mutual labels:  llvm, clang

Origin-sensitive Control Flow Integrity

We propose a new context for CFI, origin sensitivity, that can effectively break down large ECs and reduce the average and largest EC size. Origin-sensitive CFI (OS-CFI) takes the origin of the code pointer called by an ICT as the context and constrains the targets of the ICT with this context. It supports both C-style indirect calls and C++ virtual calls. Additionally, we leverage common hardware features in the commodity Intel processors (MPX and TSX) to improve both security and performance of OS-CFI. Our evaluation shows that OS-CFI can substantially reduce the largest and average EC sizes (by 98% in some cases) and has strong performance – 7.6% overhead on average for all C/C++ benchmarks of SPEC CPU2006 and NGINX.
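The origin-sensitive check described above, reduced to a toy model. This is an added illustration written for this page, not the project's instrumentation: the origin and call-site labels, the metadata table, the hand-built CFG and every function name are assumptions. OS-CFI itself derives the CFG with SVF/DDA and keeps the origin metadata with hardware support (MPX/TSX); the model only shows why the context shrinks the equivalence class (EC) of a call site and what the reference monitor rejects that a context-insensitive check would not.

```c
/* Toy model of origin-sensitive CFI. Added example; labels, tables and
 * function names are assumptions, not the OS-CFI implementation. */
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }
static int square_it(int x) { return x * x; }

/* Assumed labels for the two store sites (origins) and the one call site. */
enum { ORIGIN_INIT_DOUBLE = 1, ORIGIN_INIT_SQUARE = 2 };
enum { CALLSITE_DISPATCH = 10 };

/* Metadata: the origin last recorded for each code-pointer slot, keyed by
 * the slot's address. Updated at every legitimate pointer store. */
#define MAX_SLOTS 8
static struct { handler_t *slot; int origin; } origin_meta[MAX_SLOTS];
static int origin_meta_count;

static void record_origin(handler_t *slot, int origin) {
    for (int i = 0; i < origin_meta_count; i++)
        if (origin_meta[i].slot == slot) { origin_meta[i].origin = origin; return; }
    if (origin_meta_count < MAX_SLOTS) {
        origin_meta[origin_meta_count].slot = slot;
        origin_meta[origin_meta_count].origin = origin;
        origin_meta_count++;
    }
}

static int lookup_origin(handler_t *slot) {
    for (int i = 0; i < origin_meta_count; i++)
        if (origin_meta[i].slot == slot) return origin_meta[i].origin;
    return 0; /* unknown origin: matches no CFG entry */
}

/* Origin-sensitive CFG, constructed by hand: (call site, origin) -> target. */
static const struct { int callsite; int origin; handler_t target; } cfg[] = {
    { CALLSITE_DISPATCH, ORIGIN_INIT_DOUBLE, double_it },
    { CALLSITE_DISPATCH, ORIGIN_INIT_SQUARE, square_it },
};
#define CFG_LEN (sizeof cfg / sizeof cfg[0])

/* Context-insensitive check: is target allowed at this call site under ANY origin? */
int cfi_check_insensitive(int callsite, handler_t target) {
    for (size_t i = 0; i < CFG_LEN; i++)
        if (cfg[i].callsite == callsite && cfg[i].target == target) return 1;
    return 0;
}

/* Origin-sensitive check: target must be allowed for the origin recorded for the slot. */
int oscfi_check(int callsite, handler_t *slot, handler_t target) {
    int origin = lookup_origin(slot);
    for (size_t i = 0; i < CFG_LEN; i++)
        if (cfg[i].callsite == callsite && cfg[i].origin == origin && cfg[i].target == target)
            return 1;
    return 0;
}

/* EC sizes: distinct targets permitted at the call site with and without context. */
int ec_size_insensitive(int callsite) {
    handler_t seen[CFG_LEN];
    int n = 0;
    for (size_t i = 0; i < CFG_LEN; i++) {
        if (cfg[i].callsite != callsite) continue;
        int dup = 0;
        for (int j = 0; j < n; j++) if (seen[j] == cfg[i].target) dup = 1;
        if (!dup) seen[n++] = cfg[i].target;
    }
    return n;
}
int ec_size_sensitive(int callsite, int origin) {
    int n = 0;
    for (size_t i = 0; i < CFG_LEN; i++)
        if (cfg[i].callsite == callsite && cfg[i].origin == origin) n++;
    return n;
}

/* The protected program: one slot, two legitimate store sites, one indirect call. */
static handler_t handler;
static void init_double(void) { handler = double_it; record_origin(&handler, ORIGIN_INIT_DOUBLE); }
static void init_square(void) { handler = square_it; record_origin(&handler, ORIGIN_INIT_SQUARE); }

/* The instrumented indirect call: result of the call, or -1 when the monitor rejects. */
int dispatch(int x) {
    handler_t target = handler;
    if (!oscfi_check(CALLSITE_DISPATCH, &handler, target)) return -1;
    return target(x);
}

int run_legit_double(int x) { init_double(); return dispatch(x); }
int run_legit_square(int x) { init_square(); return dispatch(x); }

/* A stray write to the slot (modelled as a plain assignment that bypasses the
 * metadata update) leaves the recorded origin at ORIGIN_INIT_DOUBLE, so
 * square_it, although a valid target of this call site, is rejected. */
int run_corrupted_slot(int x) { init_double(); handler = square_it; return dispatch(x); }
int corrupted_slot_passes_insensitive(void) {
    init_double(); handler = square_it;
    return cfi_check_insensitive(CALLSITE_DISPATCH, handler);
}

int main(void) {
    printf("EC size without context: %d\n", ec_size_insensitive(CALLSITE_DISPATCH));
    printf("EC size with origin %d: %d\n", ORIGIN_INIT_DOUBLE,
           ec_size_sensitive(CALLSITE_DISPATCH, ORIGIN_INIT_DOUBLE));
    printf("legit double(3) = %d, corrupted slot = %d\n", run_legit_double(3), run_corrupted_slot(3));
    return 0;
}
```

The point of the model is the last two functions: with only the call site as context both `double_it` and `square_it` are acceptable targets (EC size 2), so a slot that has been overwritten with the "other" legitimate function passes; with the origin as context the EC at each origin has size 1 and the overwritten slot is caught, because its recorded origin does not permit that target.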

Note: Intel MPX is deprecated in recent CPUs and kernels, so parts of the code will need adjusting for current systems.

Join us in the slack

IMPORTANT

This is a research prototype. Its sole purpose is to demonstrate that the original concept works. It is expected to have implementation flaws, or to be broken/deprecated on the latest systems. We welcome efforts to reproduce/evaluate our results but request an opportunity to fix any technical flaws. Generally speaking, we value design flaws more but will try to fix technical issues too.

If you plan to use this project in production, we would love to hear about it and provide help if needed (Join our slack channel).

This project is licensed in GPLv3 with the following additional conditions:

  1. If you plan to benchmark, compare, or evaluate this project with the intention of publishing the results (including in a paper), you must first contact us with your real identity, affiliation, and advisors, and a short description of how you will use our source code (before any claim). In addition, you should provide an opportunity for us to comment on and help with technical and other issues related to this project. Examples include but are not limited to failure to compile or incomplete protection.

  2. If you use any part of this project (excluding third-party software) and publish a paper about it, you agree to open-source your project within one month of the paper's publication (at any publicly available location).

Note: If you do not agree to these conditions, please do not use our source code.

Project Structure

  • llvm-src: LLVM/Clang 7.0 Source Directory.
    • clang/lib/CodeGen: Fake reference monitor and metadata update Instrumentation.
    • llvm/lib/Transforms/instCFG: CFG, optimization, and original reference monitor instrumentation.
  • oscfi-lib-src: OSCFI reference monitor and metadata source code.
  • svf-src: Modified DDA to generate the CFG and tag locations (for label-as-value).
  • pyScript: Python code that works on the DDA-generated CFG to reconstruct the original CFG.
  • testSuite: Stores sample cases to test the project.
  • run.sh: Bash script to run the OSCFI on any targeted project.

Overall Process

  • Step 1: Copy the OSCFI monitor code.
  • Step 2: Build the target project with OSCFI clang/clang++.
  • Step 3: Run SVF-SUPA (DDA) from OSCFI to generate the CFG. It also creates labels for translation (also known as label-as-value).
  • Step 4: Build the binary. Then dump the section 'cfg_label_tracker' from the binary. Finally, run a Python script to reconstruct the CFG.
  • Step 5: Instrument the CFG using an LLVM pass.
  • Step 6: Repeat steps 4 and 5 to reconstruct the CFG, since optimization changes it.
  • Step 7: Build the final binary (secured by OSCFI).

Docker Installation

To build a Docker image, we have provided a Dockerfile. Run the following commands to build and run it:

docker build -t <any-name>/oscfi:1.0 .
docker run -it <any-name>/oscfi:1.0 /bin/bash

Manual Installation

The following guideline assumes a fresh ubuntu:21.04 Docker container is used. We recommend using the Docker installation guideline (above).

The following commands prepare the basic tools:

apt update
apt upgrade
apt install git cmake g++ python python3-pip wget

The following commands prepare radare2 (a binary disassembler):

wget https://radare.mikelloc.com/get/4.5.0-git/radare2_4.5.0-git_amd64.deb
dpkg -i radare2_4.5.0-git_amd64.deb
pip install r2pipe
rm radare2_4.5.0-git_amd64.deb

The following commands configure the build:

git clone https://github.com/mustakimur/OS-CFI.git
echo "export OSCFI_PATH=\"/home/OS-CFI\"" >> ~/.profile
source ~/.profile

The following commands prepare the Gold plugin build:

apt-get install linux-headers-5.11.0-17-generic csh gawk automake libtool bison flex libncurses5-dev
apt-get install apt-file texinfo texi2html
apt-file update
apt-file search makeinfo

The following commands build the binutils required for the Gold plugin:

cd /home
git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils
mkdir binutils-build
cd binutils-build
../binutils/configure --disable-gdb --enable-gold --enable-plugins --disable-werror
make

The following commands build the compiler with the Gold plugin:

cd $OSCFI_PATH/
mkdir llvm-obj
cd llvm-obj/
cmake -DLLVM_BINUTILS_INCDIR="/home/binutils/include" -G "Unix Makefiles" ../llvm-src
make -j8

The following commands replace the existing binaries with the Gold plugin binaries (the originals are backed up first):

cd /home
mkdir backup
cd /usr/bin/

cp ar /home/backup/
cp nm /home/backup/
cp ld /home/backup/
cp ranlib /home/backup/

cp /home/binutils-build/binutils/ar ./
rm nm
cp /home/binutils-build/binutils/nm-new ./nm
cp /home/binutils-build/binutils/ranlib ./
cp /home/binutils-build/gold/ld-new ./ld

cd /usr/lib
cd bfd-plugins
cp $OSCFI_PATH/llvm-obj/lib/LLVMgold.so ./
cp $OSCFI_PATH/llvm-obj/lib/libLTO.* ./

The following commands build SVF-SUPA (for CFG generation):

cd $OSCFI_PATH/svf-src

export LLVM_SRC="$OSCFI_PATH/llvm-src"
export LLVM_OBJ="$OSCFI_PATH/llvm-obj"
export LLVM_DIR="$OSCFI_PATH/llvm-obj"
export PATH=$LLVM_DIR/bin:$PATH

mkdir debug-build
cd debug-build
cmake -D CMAKE_BUILD_TYPE:STRING=Debug ../
make -j4

export PATH=$OSCFI_PATH/svf-src/debug-build/bin:$PATH

Spec Benchmark Build Guideline [deprecated: update soon]

  1. Put the spec2006-oscfi.cfg file into the folder $CPU2006_HOME/config and analyze CPU2006 to generate the bc files:
cd $CPU2006_HOME
. ./shrc
rm -rf benchspec/CPU2006/*/exe/
runspec --action=run --config=spec2006-oscfi.cfg --tune=base --size=test --iterations=1 --noreportable all
  2. Change the Makefile.spec in the build directory of the benchmark (e.g. ~/spec/benchspec/CPU2006/456.hmmer/build/build_base_amd64-m64-softbound-nn.0000/Makefile.spec):
# add oscfi.c, mpxrt.c, mpxrt-utils.c to the source list, keep the others the same
SOURCES=oscfi.c mpxrt.c mpxrt-utils.c ...
  3. Use run.sh to start the system.

Sample Tests

  • Vulnerable code exploitation prevented by OS-CFI:
cd testSuite
./test_run.sh
  • For the CPU2006 456.hmmer benchmark:
./test_hmmer.sh < inHmmer