BCI-CFI: A context-sensitive control-flow integrity method based on branch correlation integrity

Information and Software Technology(2021)

Abstract
Context: As part of the arms race, one emerging attack methodology has been control-hijacking attacks, e.g., return-oriented programming (ROP). Control-flow integrity (CFI) is a generic and effective defense against most control-hijacking attacks. However, existing CFI mechanisms have poor security, as demonstrated by their equivalence class (EC) sizes: an EC is a set of targets that a CFI policy cannot distinguish. Adversaries can choose an illegitimate control transfer within an EC that is included in the resulting CFG and is therefore incorrectly allowed by the CFI protection policy. Objective: The paper introduces a context-sensitive control-flow integrity method, which aims to improve the security of CFI and prevent ROP attacks. Method: The paper presents BCI-CFI, a context-sensitive CFI technique based on branch correlation integrity (BCI), which can effectively break down EC sizes and improve the security of CFI. BCI-CFI takes the branch correlation relationship (i.e., a new type of context for CFI) as contextual information to refine the CFI policy, and identifies the BCI pairs in the target program via static analysis. Furthermore, the paper introduces a state machine, MCFI, for BCI-CFI to conduct target validation for the indirect control-flow transfer (ICT) instructions in the target program at runtime. Results: Our results show that (i) BCI-CFI prevented adversaries from manipulating the control data and launching ROP attacks, (ii) it protected both forward and backward ICT in the target program and improved the security and effectiveness of CFI, and (iii) BCI-CFI introduced a 19.67% runtime overhead on average and a maximum runtime overhead of 31.2%. Conclusion: BCI-CFI is a context-sensitive CFI technique aiming to prevent adversaries from manipulating the control data of the target program to launch ROP attacks. BCI-CFI can reduce EC sizes and improve the security of CFI while incurring a moderate runtime overhead on average.
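The following is an added illustration, not code from the paper: a toy Python monitor that contrasts the plain CFG-based target check with one that uses the outcome of a correlated conditional branch as context, so that an attacker-chosen target lying inside the EC but contradicting the preceding branch is rejected. The site names, the BCI-pair table, and the rule that a branch outcome restricts the targets of the paired ICT are all assumptions made for illustration.

```python
# Added example (not the paper's code): a toy monitor contrasting a
# context-insensitive CFI check with a context-sensitive one that uses the
# outcome of a correlated conditional branch as context. The BCI-pair rule
# below is an assumption for illustration, not the paper's exact construction.

# Context-insensitive policy: targets the static CFG allows at an indirect
# call site. The whole set is that site's equivalence class (EC).
CFG_TARGETS = {"icall_dispatch": {"handler_read", "handler_write", "handler_close"}}

# Assumed BCI pairs: (correlated branch site, outcome) -> targets that are
# consistent with that outcome at the paired indirect call site.
BCI_PAIRS = {
    ("br_mode", "taken"): {"handler_read"},
    ("br_mode", "not_taken"): {"handler_write", "handler_close"},
}

def refined_targets(site, context):
    """EC at `site`, shrunk by the branch context when a BCI pair applies."""
    allowed = set(CFG_TARGETS.get(site, ()))
    if context in BCI_PAIRS:
        allowed &= BCI_PAIRS[context]
    return allowed

class MCFI:
    """Toy state machine: tracks the last correlated branch outcome and
    validates each ICT against the refined target set."""
    def __init__(self):
        self.state = None  # (branch site, outcome) or None

    def branch(self, site, outcome):
        self.state = (site, outcome)

    def ict(self, site, target):
        return target in refined_targets(site, self.state)

def run_trace(trace):
    """Replay events; return (insensitive_ok, sensitive_ok) for every ICT."""
    monitor, results = MCFI(), []
    for kind, site, arg in trace:
        if kind == "branch":
            monitor.branch(site, arg)
        else:  # kind == "ict"
            insensitive_ok = arg in CFG_TARGETS.get(site, set())
            results.append((insensitive_ok, monitor.ict(site, arg)))
    return results

# Constructed traces: a benign run, and a hijack whose target stays inside
# the EC (allowed by plain CFI) but contradicts the correlated branch.
BENIGN = [("branch", "br_mode", "taken"), ("ict", "icall_dispatch", "handler_read")]
HIJACKED = [("branch", "br_mode", "taken"), ("ict", "icall_dispatch", "handler_write")]
```

The EC at the call site has three members without context and one member once the correlated branch outcome is known, which is the size reduction the abstract refers to.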
Keywords
ROP,Branch correlation integrity,Equivalence class,Indirect control-flow transfer,BCI-CFI