Repository files navigation

CFI-LB: Adaptive Call-site Sensitive Control Flow Integrity will publish in EuroS&P' 2019. The source code is available here. The protoype is build with Clang/LLVM, Intel pin, Radare2, and Triton (Symbolic Execution Engine)(each of them have multiple dependencies). To build Clang/LLVM, it requires 20GB memory along, so please make sure your machine can support that load. Therun.sh may ask for sudo permission to install dependent library and enable/disable ASLR for process memory dump to use in concolic process.

Join us in the slack

This project is licensed in GPLv3 with the following additional conditions:

1. If you plan to benchmark, compare, evaluate this project with intention to publish the results (including in a paper), you must contact us with your real identity, affiliation, and advisors, and a short description of how you will use our source code before using and/or downloading this project. In addition, you will provide an opportunity for us to comment on and help with technical and other issues related to this project you have during the development. Examples include but are not limited to failure to compile or incomplete protection.

2. If you use any part of this project (excluding third-party software) and published a paper about it, you agree to open-source your project within one month of the official paper publication.

If you do not agree to these conditions, please do not use our source code.

Justfication: this is a research prototype. Its sole purpose is to demonstrate that the original idea works. It is expected to have implementation flaws. We welcome efforts to re-produce/evaluate our results but request an opportunity to fix implementation flaws. Generally speaking, we value design flaws more but will try to fix implementation issues.If you plan to use this project in production, we would love to hear about it and provide help if needed.

CFILB reference monitor implementation: cfilbLibs/

Reference monitor instrumentation: llvm-project/clang/lib/CodeGen/CGCall.cpp

Clang libtool to prepare the source: llvm-project/clang/tools/clangCodePrep/

Intel pin dynamic CFG generator: dCFG/

Intel pin process memory dump: cHelper/

LLVM static CFG generator: llvm-project/llvm/lib/Transforms/sCFG/

LLVM instrument CFG: llvm-project/llvm/lib/Transforms/instCFG

Symbol table extraction: utils/extract.py

Adaptive filter algorithm: utils/filter.py

Concolic process helper: utils/symHelper.py

Concolic CFG generator: cCFG/src/examples/symCFG

Run script to execute the CFILB process: run.sh

Makefile for CPU2006 Spec Benchmark: spec2006-cfilb.cfg

Step 1: A clang libtool will prepare the target code base.

Step 2: Copy the CFILB runtime library to the source directory.

Step 3: Build the source with clang (with reference monitor instrumentation) and generate the bitcode.

Step 4: Run a LLVM Pass analysis to calculate the static CFG and instrument the table back to bitcode.

Step 5: Build the binary from the step 4 bitcode. (This binary is protected with static CFG)

Step 6: Extract symbol table from the elf binary.

Step 7: Execute the binary with seed input using intel pin tool to generate dynamic CFG.

Step 8: Execute the binary with seed input using intel pin tool to dump memory for concolic process. (ASLR Disabled) [slow process]

Step 9: Run a radare2 python script to collect point of interest (POI) for concolic process.

Step 10: Run the concolic CFG generator (for each POI from step 9) with dump info from step 8. [can have crash issue, please report]

Step 11: Run a python script to apply the adaptive algorithm.

Step 12: Run another LLVM Pass to instrument the adaptive dynamic CFG table in the bitcode.

Step 13: Build the final binary from the step 12 bitcode. The binary will be named as: benchmarkname_cfg

Optional: Due to instrument CFG the code instruction address can be changed from concolic CFG, so there may be a repeat of step 11-13 with an additional check using a python script.

1. Install required binary:

sudo apt install wget clang cmake subversion g++ gcc bash git python-pip libcapstone-dev libboost-all-dev libz3-devpip install pyelftoolspip install r2pipe

2. Git clone the project:

git clone git@github.com:mustakcsecuet/CFI-LB.gitcd CFILB# copy the project path and save itEDITOR ~/.profileexport CFILB_PATH="$HOME/../CFI-LB"

Note: You can skip step 2, 3, 4, 6, and 7 if you have already configured Gold plugin for another compiler.

3. Install required library for Gold plugin:

sudo apt-get install linux-headers-$(uname -r) csh gawk automake libtool bison flex libncurses5-dev# Check 'makeinfo -v'. If 'makeinfo' does not existsudo apt-get install apt-file texinfo texi2htmlsudo apt-file updatesudo apt-file search makeinfo

4. Download binutils source code:

cd ~git clone --depth 1 git://sourceware.org/git/binutils-gdb.git binutils

5. Build binutils:

mkdir buildcd build../binutils/configure --enable-gold --enable-plugins --disable-werrormake

6. Build the compiler (use the binutils directory if you already have one):

cd $CFILB_PATH/llvm-projectmkdir buildcmake -DLLVM_BINUTILS_INCDIR="path_to_binutils/include"  -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles" ../llvmmake -j8

7. Backup ar, nm, ld and ranlib:

cd ~mkdir backupcd /usr/bin/cp ar ~/backup/cp nm ~/backup/cp ld ~/backup/cp ranlib ~/backup/

8. Replace ar, nm, ld and ranlib:

cd /usr/bin/sudo cp ~/build/binutils/ar ./sudo rm nmsudo cp ~/build/binutils/nm-new ./nmsudo cp ~/build/binutils/ranlib ./sudo cp ~/build/gold/ld-new ./ld

9. install LLVMgold.so to /usr/lib/bfd-plugins:

cd /usr/libsudo mkdir bfd-pluginscd bfd-pluginssudo cp $CFILB_PATH/llvm_project/build/lib/LLVMgold.so ./sudo cp $CFILB_PATH/llvm_project/build/lib/libLTO.* ./

10. Download intel-pin-3.5 source:

cd $CFILB_PATHwget http://software.intel.com/sites/landingpage/pintool/downloads/pin-3.5-97503-gac534ca30-gcc-linux.tar.gztar -xvzf pin-3.5-97503-gac534ca30-gcc-linux.tar.gzrm pin-3.5-97503-gac534ca30-gcc-linux.tar.gzmv pin-3.5-97503-gac534ca30-gcc-linux intel-pin

11. Build the dynamic CFG generation pin:

cd $CFILB_PATH/dCFGmake PIN_ROOT=../intel-pin/make PIN_ROOT=../intel-pin/ obj-intel64/dCFG.so

12. Build the dynamic process memory dump for concolic process:

cd $CFILB_PATH/cHelpermake PIN_ROOT=../intel-pin/make PIN_ROOT=../intel-pin/ obj-intel64/sym-dump.so

13. Build z3 solver from the source:

cd $CFILBgit clone https://github.com/Z3Prover/z3.gitcd z3python scripts/mk_make.pycd buildmakesudo make install

14. Build the concolic system with Triton:

cd $CFILB_PATH/cCFGmkdir buildcd buildcmake ..sudo make -j2 install

1. Put spec2006-cfilb.cfg file into folder $CPU2006_HOME/config and analyze CPU2006 to generate bc files

cd $CPU2000_HOME. ./shrcrm -rf benchspec/CPU2006/*/exe/runspec  --action=run --config=spec2006-cfilb.cfg --tune=base --size=test --iterations=1 --noreportable all

2. Change the Makefile.spec in the build directory of the benchmark (e.g. ~/spec/benchspec/CPU2006/456.hmmer/build/build_base_amd64-m64-softbound-nn.0000/Makefile.spec):

# add cfilb.c in the source list, keep others sameSOURCES=cfilb.c ...

3. Use the run.sh to start the system. It is a long process and will ask for user input.