Ali José Mashtizadeh: 2015 Security Workshop

Recent attacks have demonstrated the continued effectiveness of control flow hijacking despite powerful defenses such as Control Flow Integrity (CFI). Most of the drawbacks of existing CFI systems come from the limits of static analysis and having to relax protection to remain practical. While CFI is a great ideal, a practical and accurate implementation of it has proven to be difficult.

We presents a cryptographic approach to control flow integrity (CCFI) that is both fine-grained and practical. It uses message authentication codes (MAC) to protect control flow elements such as return addresses, function pointers, and vtable pointers. MACs on these elements prevent even powerful attackers with arbitrary read/write access to memory from tampering with program control flow. Most importantly, the system enables finer-grained classification than was previously possible by classifying on runtime characteristics of a program. We implemented CCFI in Clang/LLVM, taking advantage of recently available cryptographic CPU instructions. We evaluate our system on several large software packages (including nginx, Apache and memcache) as well as all their dependencies. The cost of protection ranges from a 3--18% decrease in server request rate.

Ali José Mashtizadeh is a PhD student at Stanford University, advised by David Mazières. His work focuses distributed systems, operating systems and security. Previously, he was the technical lead for virtual machine live migration at VMware. He holds a M.Eng. and B.S. in Electrical Engineering from MIT.