Skip to content
Adaptive Call-site Sensitive Control Flow Integrity
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cCFG update header Apr 11, 2019
cHelper update header Apr 11, 2019
cfiLibs update header Apr 11, 2019
dCFG update header Apr 11, 2019
documentation camera-ready uploaded Apr 24, 2019
llvm-project
utils update header Apr 11, 2019
.gitignore Initial commit Feb 28, 2019
.whitesource
LICENSE Initial commit Feb 28, 2019
README.md
run.sh fixes for large CFG table Mar 6, 2019
spec2006-cfilb.cfg

README.md

CFI-LB: Adaptive Call-site Sensitive Control Flow Integrity

CFI-LB: Adaptive Call-site Sensitive Control Flow Integrity will publish in EuroS&P' 2019. The source code is available here. The protoype is build with Clang/LLVM, Intel pin, Radare2, and Triton (Symbolic Execution Engine)(each of them have multiple dependencies). To build Clang/LLVM, it requires 20GB memory along, so please make sure your machine can support that load. The run.sh may ask for sudo permission to install dependent library and enable/disable ASLR for process memory dump to use in concolic process.

Project Structure

CFILB reference monitor implementation: cfilbLibs/

Reference monitor instrumentation: llvm-project/clang/lib/CodeGen/CGCall.cpp

Clang libtool to prepare the source: llvm-project/clang/tools/clangCodePrep/

Intel pin dynamic CFG generator: dCFG/

Intel pin process memory dump: cHelper/

LLVM static CFG generator: llvm-project/llvm/lib/Transforms/sCFG/

LLVM instrument CFG: llvm-project/llvm/lib/Transforms/instCFG

Symbol table extraction: utils/extract.py

Adaptive filter algorithm: utils/filter.py

Concolic process helper: utils/symHelper.py

Concolic CFG generator: cCFG/src/examples/symCFG

Run script to execute the CFILB process: run.sh

Makefile for CPU2006 Spec Benchmark: spec2006-cfilb.cfg

Overall Process

Step 1: A clang libtool will prepare the target code base.

Step 2: Copy the CFILB runtime library to the source directory.

Step 3: Build the source with clang (with reference monitor instrumentation) and generate the bitcode.

Step 4: Run a LLVM Pass analysis to calculate the static CFG and instrument the table back to bitcode.

Step 5: Build the binary from the step 4 bitcode. (This binary is protected with static CFG)

Step 6: Extract symbol table from the elf binary.

Step 7: Execute the binary with seed input using intel pin tool to generate dynamic CFG.

Step 8: Execute the binary with seed input using intel pin tool to dump memory for concolic process. (ASLR Disabled) [slow process]

Step 9: Run a radare2 python script to collect point of interest (POI) for concolic process.

Step 10: Run the concolic CFG generator (for each POI from step 9) with dump info from step 8. [can have crash issue, please report]

Step 11: Run a python script to apply the adaptive algorithm.

Step 12: Run another LLVM Pass to instrument the adaptive dynamic CFG table in the bitcode.

Step 13: Build the final binary from the step 12 bitcode. The binary will be named as: benchmarkname_cfg

Optional: Due to instrument CFG the code instruction address can be changed from concolic CFG, so there may be a repeat of step 11-13 with an additional check using a python script.

Installation Guideline

  1. Install required binary:
sudo apt install wget clang cmake subversion g++ gcc bash git python-pip libcapstone-dev libboost-all-dev libz3-dev
pip install pyelftools
pip install r2pipe
  1. Git clone the project:
git clone git@github.com:mustakcsecuet/CFI-LB.git
cd CFILB
# copy the project path and save it
EDITOR ~/.profile
export CFILB_PATH="$HOME/../CFI-LB"

Note: You can skip step 2, 3, 4, 6, and 7 if you have already configured Gold plugin for another compiler.

  1. Install required library for Gold plugin:
sudo apt-get install linux-headers-$(uname -r) csh gawk automake libtool bison flex libncurses5-dev
# Check 'makeinfo -v'. If 'makeinfo' does not exist
sudo apt-get install apt-file texinfo texi2html
sudo apt-file update
sudo apt-file search makeinfo
  1. Download binutils source code:
cd ~
git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils
  1. Build binutils:
mkdir build
cd build
../binutils/configure --enable-gold --enable-plugins --disable-werror
make
  1. Build the compiler (use the binutils directory if you already have one):
cd $CFILB_PATH/llvm-project
mkdir build
cmake -DLLVM_BINUTILS_INCDIR="path_to_binutils/include"  -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles" ../llvm
make -j8
  1. Backup ar, nm, ld and ranlib:
cd ~
mkdir backup
cd /usr/bin/
cp ar ~/backup/
cp nm ~/backup/
cp ld ~/backup/
cp ranlib ~/backup/
  1. Replace ar, nm, ld and ranlib:
cd /usr/bin/
sudo cp ~/build/binutils/ar ./
sudo rm nm
sudo cp ~/build/binutils/nm-new ./nm
sudo cp ~/build/binutils/ranlib ./
sudo cp ~/build/gold/ld-new ./ld
  1. install LLVMgold.so to /usr/lib/bfd-plugins:
cd /usr/lib
sudo mkdir bfd-plugins
cd bfd-plugins
sudo cp $CFILB_PATH/llvm_project/build/lib/LLVMgold.so ./
sudo cp $CFILB_PATH/llvm_project/build/lib/libLTO.* ./
  1. Download intel-pin-3.5 source:
cd $CFILB_PATH
wget http://software.intel.com/sites/landingpage/pintool/downloads/pin-3.5-97503-gac534ca30-gcc-linux.tar.gz
tar -xvzf pin-3.5-97503-gac534ca30-gcc-linux.tar.gz
rm pin-3.5-97503-gac534ca30-gcc-linux.tar.gz
mv pin-3.5-97503-gac534ca30-gcc-linux intel-pin
  1. Build the dynamic CFG generation pin:
cd $CFILB_PATH/dCFG
make PIN_ROOT=../intel-pin/
make PIN_ROOT=../intel-pin/ obj-intel64/dCFG.so
  1. Build the dynamic process memory dump for concolic process:
cd $CFILB_PATH/cHelper
make PIN_ROOT=../intel-pin/
make PIN_ROOT=../intel-pin/ obj-intel64/sym-dump.so
  1. Build z3 solver from the source:
cd $CFILB
git clone https://github.com/Z3Prover/z3.git
cd z3
python scripts/mk_make.py
cd build
make
sudo make install
  1. Build the concolic system with Triton:
cd $CFILB_PATH/cCFG
mkdir build
cd build
cmake ..
sudo make -j2 install

Spec Benchmark Build Guideline

  1. Put spec2006-cfilb.cfg file into folder $CPU2006_HOME/config and analyze CPU2006 to generate bc files
cd $CPU2000_HOME
. ./shrc
rm -rf benchspec/CPU2006/*/exe/
runspec  --action=run --config=spec2006-cfilb.cfg --tune=base --size=test --iterations=1 --noreportable all
  1. Change the Makefile.spec in the build directory of the benchmark (e.g. ~/spec/benchspec/CPU2006/456.hmmer/build/build_base_amd64-m64-softbound-nn.0000/Makefile.spec):
# add cfilb.c in the source list, keep others same
SOURCES=cfilb.c ...
  1. Use the run.sh to start the system. It is a long process and will ask for user input.
You can’t perform that action at this time.