eScholarship
Open Access Publications from the University of California

DCFI: Control Flow Integrity for Modern Windows Applications

  • Author(s): Hawkins, Byron
  • Advisor(s): Demsky, Brian
  • et al.
Creative Commons Attribution 4.0 International Public License
Abstract

Control flow integrity (CFI) has emerged as an important technique for preventing attacks on software. Previous approaches relied on static analysis and thus largely target static binaries and are limited in how tightly they can constrain a program's runtime behavior. Unfortunately, modern Windows applications make extensive use of dynamically generated code. We introduce DCFI, a new dynamic-analysis-based approach to control flow integrity that precisely learns a program's behavior by monitoring previous executions. DCFI is the first approach to demonstrate CFI in the presence of dynamic code generation and/or self-modifying code, and it is immune to recent variations on ROP attacks that thwart previous CFI approaches. DCFI underapproximates the legal executions of software applications and thus can potentially build tighter constraints than static approaches. As DCFI's knowledge of a program becomes more complete, it tightens its constraints on the program's execution, making successful attacks progressively more difficult.

We have implemented DCFI in DynamoRIO. Our experience using DCFI indicates that it can protect modern desktop applications with dynamic code generation engines, including the latest versions of Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Outlook, Google Chrome, and Adobe Acrobat. Experiments also show that DCFI effectively detects known exploits.
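The contrast the abstract draws, a static policy that overapproximates legal control flow versus a learned policy that underapproximates it from observed executions, can be made concrete with a small model. The following is an added illustration written for this page; it is not DCFI's design or code, and the addresses, function entries and traces are constructed values. It shows why an edge-level policy learned from benign runs can reject a branch that a coarse function-entry policy would accept, and it deliberately does not model how DCFI treats edges that have not yet been observed.

```python
from typing import Iterable, List, Set, Tuple

Edge = Tuple[int, int]  # (branch source address, branch target address)

# Constructed sample program: hypothetical function entry addresses.
FUNCTION_ENTRIES: Set[int] = {0x1000, 0x1200, 0x1400, 0x1600}

# Constructed traces of indirect branches observed in earlier, benign runs.
TRAINING_TRACES: List[List[Edge]] = [
    [(0x1010, 0x1200), (0x1210, 0x1400), (0x1410, 0x1210)],  # run 1
    [(0x1010, 0x1200), (0x1210, 0x1600), (0x1610, 0x1210)],  # run 2
]


def static_policy(edge: Edge) -> bool:
    """Coarse static CFI: an indirect branch may land on any function entry.
    This overapproximates legal behaviour, so an unexpected source reaching a
    legitimate entry point still passes."""
    _, target = edge
    return target in FUNCTION_ENTRIES


class LearnedPolicy:
    """Edge set built by monitoring executions (toy model, not DCFI's structures).
    It underapproximates legal behaviour: only (source, target) pairs that were
    actually observed are allowed, which is tighter than the static policy."""

    def __init__(self) -> None:
        self.edges: Set[Edge] = set()
        self.runs_observed = 0

    def learn(self, trace: Iterable[Edge]) -> None:
        """Record every indirect branch seen in one monitored execution."""
        self.edges.update(trace)
        self.runs_observed += 1

    def allows(self, edge: Edge) -> bool:
        return edge in self.edges


def build_policy(traces: Iterable[Iterable[Edge]]) -> LearnedPolicy:
    policy = LearnedPolicy()
    for trace in traces:
        policy.learn(trace)
    return policy


def compare(edge: Edge, policy: LearnedPolicy) -> Tuple[bool, bool]:
    """Return (allowed by static policy, allowed by learned policy)."""
    return static_policy(edge), policy.allows(edge)


if __name__ == "__main__":
    policy = build_policy(TRAINING_TRACES)
    # An edge seen during monitoring: both policies accept it.
    print(compare((0x1010, 0x1200), policy))  # (True, True)
    # A legitimate entry point reached from a source that never reached it in
    # any observed run: static CFI accepts, the learned policy rejects.
    print(compare((0x1610, 0x1200), policy))  # (True, False)
    # A mid-function target that is neither an entry nor an observed edge.
    print(compare((0x1010, 0x1234), policy))  # (False, False)
```

The second case is the one that matters for the abstract's argument: the branch target is a perfectly valid function entry, so a policy derived only from the static layout has no reason to refuse it, whereas a policy derived from observed executions refuses it because that particular source-to-target pair has never been part of a legal run.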
