back

Code Pointer Integrity

... or how we battle the daemons of memory safety

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:01:24
Language
English
Abstract
Programs are full of bugs, leading to vulnerabilities. We'll discuss power and limitations of code-pointer integrity (CPI), a strong but practical security policy that enforces memory safety for all code pointers, protecting against any form of control-flow hijack attack (e. g., ROP or JOP).

Systems code is often written in low-level languages like C/C++, which offer many benefits but also delegate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed defence mechanisms (e. g., ASLR, DEP) are incomplete, and stronger defence mechanisms (e. g., CFI) often have high overhead and limited guarantees (and are therefore not generally deployed).

In this talk we discuss code-pointer integrity (CPI), a strong security policy that guarantees the integrity of all code pointers in a program (e.g., function pointers, saved return addresses) and thereby prevents all control-flow hijack attacks, including return-oriented programming and jump-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. Both CPI and CPS offer substantially better
security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient, resulting in very low to negligible performance overhead.

We will also discuss technical challenges in the CPI prototype implementation, practical challenges we faced when protecting a full FreeBSD distribution, and give more details on the scope of protection which will be interesting to hackers. The full prototype implementation is open-source, all changes to FreeBSD are open-source and we're working on integrating the patches into LLVM.

Talk ID
6050
Event:
31c3
Day
1
Room
Saal G
Start
8:30 p.m.
Duration
01:00:00
Track
Security & Hacking
Type of
lecture
Speaker
gannimo
Talk Slug & media link
31c3_-_6050_-_en_-_saal_g_-_201412272030_-_code_pointer_integrity_-_gannimo
English
0.0% Checking done0.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
100.0% Nothing done yet100.0%
  

Work on this video on Amara!

English: Transcribed until

Last revision: 2 years, 8 months ago