Description
Despite countermeasures in modern operating systems (OS), attacks that target function
pointers to redirect the execution flow of a program are still frequent. Control Flow
Integrity (CFI), a mechanism that aims to prevent unwanted alterations to the control
flow, has emerged as an effective defense against such attacks. Newer CFI measures,
however, rely on specialized hardware that is not widely supported by hardware vendors.
This thesis proposes a novel approach to protecting the integrity of function pointers
without relying on specialized hardware. We use dual-reference tables to store contexts
of dynamic forward-edge function pointers stored on the heap. Each function has a
dual-reference table that stores these contexts for pointers to that function. Before these
pointers are used to redirect the control flow, their context needs to match the
context stored in the respective dual-reference table. This way, alterations to function
pointers are detected before the control flow is redirected by an adversary. The tables
themselves are protected by storing them in shadow memory.
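The check described above, as an added illustration that is not the thesis's own code: a deliberately simplified model in which the context of a heap-stored function pointer is the address of the slot that holds it, each protected function owns a table of such slot addresses, and an instrumented indirect call refuses to dispatch when the slot address is not found in the table of the function the pointer currently names. The table storage (a plain static array rather than shadow memory), the `fw_*` names and the fixed table sizes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Simplified, hypothetical model of the dual-reference-table check.
 * Context = address of the heap slot holding the pointer. Each protected
 * function has its own table of slot addresses. The real approach keeps the
 * tables in shadow memory; here they are static arrays (an assumption). */

typedef int (*handler_t)(int);

#define FW_MAX_SLOTS 8
#define FW_MAX_FUNCS 4

struct fw_table {
    handler_t fn;                   /* function this table belongs to */
    uintptr_t slots[FW_MAX_SLOTS];  /* addresses of slots known to hold fn */
    size_t n;
};

static struct fw_table fw_tables[FW_MAX_FUNCS];
static size_t fw_ntables;

enum { FW_OK = 0, FW_UNKNOWN_TARGET = -1, FW_CONTEXT_MISMATCH = -2, FW_TABLE_FULL = -3 };

static struct fw_table *fw_find(handler_t fn) {
    for (size_t i = 0; i < fw_ntables; i++)
        if (fw_tables[i].fn == fn) return &fw_tables[i];
    return NULL;
}

static struct fw_table *fw_find_or_create(handler_t fn) {
    struct fw_table *t = fw_find(fn);
    if (t) return t;
    if (fw_ntables == FW_MAX_FUNCS) return NULL;
    t = &fw_tables[fw_ntables++];
    t->fn = fn;
    t->n = 0;
    return t;
}

/* Instrumented store: write fn into the heap slot and record the slot's
 * address as the context in fn's table. */
int fw_assign(handler_t *slot, handler_t fn) {
    struct fw_table *t = fw_find_or_create(fn);
    if (!t || t->n == FW_MAX_SLOTS) return FW_TABLE_FULL;
    t->slots[t->n++] = (uintptr_t)slot;
    *slot = fn;
    return FW_OK;
}

/* Forget a slot before its memory is freed, so a later allocation at the
 * same address cannot inherit a stale context entry. */
void fw_release(handler_t *slot) {
    struct fw_table *t = fw_find(*slot);
    if (!t) return;
    for (size_t i = 0; i < t->n; i++)
        if (t->slots[i] == (uintptr_t)slot) { t->slots[i] = t->slots[--t->n]; return; }
}

/* Instrumented indirect call: before using *slot, check that the slot address
 * is registered in the table of the function the pointer currently names. */
int fw_dispatch(handler_t *slot, int arg, int *result) {
    handler_t fn = *slot;
    struct fw_table *t = fw_find(fn);
    if (!t) return FW_UNKNOWN_TARGET;      /* target is not a protected function */
    for (size_t i = 0; i < t->n; i++)
        if (t->slots[i] == (uintptr_t)slot) { *result = fn(arg); return FW_OK; }
    return FW_CONTEXT_MISMATCH;            /* this slot never legitimately held fn */
}

static int handler_a(int x) { return x + 1; }
static int handler_b(int x) { return x * 10; }

struct object { int id; handler_t cb; };   /* constructed heap object with a callback */

/* Legitimate use: the slot was filled through fw_assign, so dispatch succeeds. */
int fw_demo_legit(void) {
    struct object *o = calloc(1, sizeof *o);
    int r = -1;
    fw_assign(&o->cb, handler_a);
    int rc = fw_dispatch(&o->cb, 41, &r);
    fw_release(&o->cb);
    free(o);
    return rc == FW_OK ? r : rc;   /* 42 */
}

/* Simulated corruption: the slot of o1 is overwritten with handler_b without
 * going through fw_assign. handler_b is a known function (o2 uses it), but
 * o1's slot is not in its table, so the context check rejects the call. */
int fw_demo_tampered(void) {
    struct object *o1 = calloc(1, sizeof *o1), *o2 = calloc(1, sizeof *o2);
    int r = -1;
    fw_assign(&o1->cb, handler_a);
    fw_assign(&o2->cb, handler_b);
    o1->cb = handler_b;                    /* stands in for a memory-corruption write */
    int rc = fw_dispatch(&o1->cb, 5, &r);
    fw_release(&o1->cb); fw_release(&o2->cb);
    free(o1); free(o2);
    return rc;                             /* FW_CONTEXT_MISMATCH (-2) */
}

int main(void) {
    printf("legit: %d, tampered: %d\n", fw_demo_legit(), fw_demo_tampered());
    return 0;
}
```

The linear scan in `fw_dispatch` is where the overhead the evaluation reports comes from in this model: every indirect call pays a lookup in the target's table, and the tables have to be kept exact across allocation and deallocation (hence `fw_release`), otherwise a stale entry would let a reused slot pass the check.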
Furthermore, we provide a prototype implementation of the approach called "FlowWatch",
which uses the memory addresses of function pointers as the context. Our evaluation of
FlowWatch yields notable performance overhead; however, we discuss potential techniques
that optimize the approach.