Title :
Static-Dynamic Control Flow Integrity
Author :
Xiaolong Liu ; Qiang Wei ; Ziwei Ye
Author_Institution :
State Key Lab. of Math. Eng. & Adv. Comput., Zhengzhou, China
Abstract :
CCFIR (Compact Control Flow Integrity and Randomization) has low performance overhead as an exploit mitigation, but it is hard for it to mitigate exploits that hijack virtual function pointers, which have been emerging in recent years. Because of the polymorphism of virtual functions, CCFIR can't determine a unique springboard stub. We propose a new practical protection method named SDCFI (Static-Dynamic Control Flow Integrity), whose goal is to protect virtual function pointers from hijacking. Taking advantage of IDA's static analysis results and PIN dynamic instrumentation, SDCFI improves the accuracy of the disassembly and identifies indirect call target addresses at runtime. We observe that there are always two 0x90 bytes for alignment in the gap between two functions, which can be substituted by a two-byte checkmark. Using the checkmark, SDCFI can validate a target more simply and quickly than traditional CFI. Based on these approaches, SDCFI can prevent control-flow hijacking attacks including ROP, because the gadgets of a stack pivot can't pass the validation. We evaluate our prototype implementation for the Internet Explorer 8 browser on Windows XP, which has faced serious security threats since April 8, 2014. SDCFI protects most indirect call instructions in mshtml.dll, and has a low runtime overhead of 1.48% on average. Experiments on real-world exploits for the IE8 browser also show that SDCFI can effectively mitigate exploits that hijack virtual function pointers.
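The checkmark validation the abstract describes, shown as an added illustration in C that is not the paper's code: a constructed, simplified image layout in which the two alignment bytes before each function entry hold a two-byte marker, a target check that reads only the two bytes preceding the call target, and a guarded indirect-call dispatcher that refuses any address inside a function body (the kind of location a stack-pivot gadget sits at). The marker value, the function sizes, the filler bytes and the handler functions are all assumptions; the abstract gives none of them.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the SDCFI checkmark idea; not the paper's code.
 * The two-byte marker value is an assumption (the abstract gives none). */
static const uint8_t CHECKMARK[2] = {0x4B, 0x4D};

/* Constructed layout: three "functions" with these body sizes, each preceded
 * by the two-byte alignment gap that the abstract observes holds 0x90 0x90. */
#define NFUNCS 3
static const size_t FUNC_LEN[NFUNCS] = {6, 9, 5};

/* Stand-ins for the real functions at those entries (assumed handlers). */
typedef int (*handler_fn)(int);
static int add_one(int x) { return x + 1; }
static int twice(int x)   { return x * 2; }
static int negate(int x)  { return -x; }
static const handler_fn HANDLERS[NFUNCS] = {add_one, twice, negate};

/* Lay out the simulated code image. With instrumented == 0 the gaps keep the
 * original 0x90 0x90 padding; with instrumented != 0 they carry the checkmark.
 * Function bodies are filled with a byte that never matches the marker.
 * entries[i] receives the offset of function i's first byte.
 * Returns the image length, or 0 if cap is too small. */
size_t build_image(uint8_t *img, size_t cap, size_t *entries, int instrumented)
{
    size_t off = 0;
    for (size_t i = 0; i < NFUNCS; i++) {
        if (off + 2 + FUNC_LEN[i] > cap) return 0;
        img[off]     = instrumented ? CHECKMARK[0] : 0x90;
        img[off + 1] = instrumented ? CHECKMARK[1] : 0x90;
        off += 2;
        entries[i] = off;
        memset(img + off, 0xA0 + (int)i, FUNC_LEN[i]);
        off += FUNC_LEN[i];
    }
    return off;
}

/* The SDCFI-style check: a call target is valid only if the two bytes just
 * before it are the checkmark. Two loads and a compare, no table walk. */
int sdcfi_check_target(const uint8_t *img, size_t len, size_t target)
{
    if (target < 2 || target >= len) return 0;
    return img[target - 2] == CHECKMARK[0] && img[target - 1] == CHECKMARK[1];
}

/* Guarded indirect call: validate first, then dispatch to the handler whose
 * entry offset equals the target. Returns 1 and stores the result on success,
 * 0 (a CFI violation, nothing executed) otherwise. */
int guarded_icall(const uint8_t *img, size_t len, const size_t *entries,
                  size_t target, int arg, int *out)
{
    if (!sdcfi_check_target(img, len, target)) return 0;
    for (size_t i = 0; i < NFUNCS; i++) {
        if (entries[i] == target) { *out = HANDLERS[i](arg); return 1; }
    }
    return 0;
}

/* Build a fresh image and run the check at entries[func] + delta. */
int check_at(int instrumented, size_t func, size_t delta)
{
    uint8_t img[64];
    size_t entries[NFUNCS];
    size_t len = build_image(img, sizeof img, entries, instrumented);
    return sdcfi_check_target(img, len, entries[func] + delta);
}

/* Build a fresh image and attempt one guarded call at entries[func] + delta.
 * Returns the handler result, or INT_MIN when the call is refused. */
int try_call(int instrumented, size_t func, size_t delta, int arg)
{
    uint8_t img[64];
    size_t entries[NFUNCS];
    size_t len = build_image(img, sizeof img, entries, instrumented);
    int out = 0;
    if (!guarded_icall(img, len, entries, entries[func] + delta, arg, &out))
        return INT_MIN;
    return out;
}

int main(void)
{
    /* legitimate virtual-call target: function 1's entry */
    printf("entry       -> result=%d\n", try_call(1, 1, 0, 21));
    /* address inside function 1's body, where a gadget would sit */
    printf("mid-function -> refused=%d\n", try_call(1, 1, 3, 21) == INT_MIN);
    /* un-instrumented image: the gap still holds 0x90 0x90, so nothing passes */
    printf("no checkmark -> refused=%d\n", try_call(0, 1, 0, 21) == INT_MIN);
    return 0;
}
```

The check costs the same regardless of how many functions the image contains, which is the property the abstract contrasts with table-driven CFI; the un-instrumented case shows why the alignment gap must actually be rewritten, since plain 0x90 padding validates nothing.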
Keywords :
program control structures; program diagnostics; security of data; CCFIR; IDA; Internet Explorer 8 browser; PIN dynamic instrumentation; ROP; SDCFI; Windows XP; compact control flow integrity and randomization; control-flow hijacking attacks; exploit mitigation; indirect call instructions; mshtml.dll; protection method; security threats; static analysis; static-dynamic control flow integrity; two-byte checkmark; virtual function pointer hijacking; virtual function pointer protection; virtual function polymorphism; Accuracy; Browsers; Instruments; Internet; Registers; Runtime; Security; Control Flow Integrity; exploit mitigation; hijacking virtual function pointers
Conference_Title :
P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on
Conference_Location :
Guangdong
DOI :
10.1109/3PGCIC.2014.58