Control-Flow Integrity for Mobile Devices

Control-flow attacks or runtime attacks (such as code injection, return-into-libc, and return-oriented programming attacks) are one of the major threats to software programs. Recently, these attacks have been applied to smartphone applications as well. In this project, we aim to develop a generic countermeasure against these attacks. In particular, we are interested in the design and implementation of a control-flow integrity (CFI) framework for smartphone platforms.

Control-Flow Attacks

The figure below shows a sample control-flow graph (CFG) of an application depicting valid execution paths a program may follow while it is executing. The CFG consists of the so-called basic blocks (BBLs), instruction sequences with a single entry, and exit instruction (e.g., return, call, or jump), where the exit instruction enables the transition from one BBL to another. Any attempt of the adversary to subvert the valid execution path can be represented as a deviation from the CFG (transition 1), which results in a control-flow or runtime attack. In particular, two typical control-flow attacks are illustrated at BBL3: (i) a code injection attack (transition 2a), and (ii) a code reuse attack (transition 2b).

MoCFI: A Control-Flow Integrity Framework for iOS

We developed a novel framework, MoCFI (Mobile CFI), that provides a general countermeasure against control-flow attacks on smartphone platforms by enforcing CFI. The general design of MoCFI is show in the figure below.

From a high-level point of view, our system is separated in two different phases: static analysis and runtime enforcement. The static tools perform the initial analysis of the compiled application binary file. In the preprocessing phase, we first decrypt and disassemble the binary (step 1). Afterwards, we analyze the application binary and its structure (step 2): We implemented a system to recover the control-flow graph (CFG) of a given iOS application. In particular, we extend PiOS (a data-flow analysis framework) to generate the CFG. We also employ a branch detector to identify all branches contained in the binary and extract all information that is necessary to enforce CFI at runtime. Finally, we monitor the application at runtime by applying our MoCFI shared library that rewrites the binary at load-time (step 3) and enforces control-flow restrictions while the application executes (step 4).
Our prototype is based on library injection and in-memory patching of code which is compatible to memory randomization, load-time code verification, and encryption.

Related Publications

MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger, Ahmad-Reza Sadeghi. In: 19th Annual Network & Distributed System Security Symposium (NDSS), February 2012.

POSTER: Control-Flow Integrity for Smartphones. Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger, Ahmad-Reza Sadeghi In: 18th ACM Conference on Computer and Communications Security (CCS'11), ACM, October 2011