A CFI countermeasure against GOT overwrite attacks

Seunghoon Jeong, Jaejoon Hwang, Hyukjin Kwon, Dongkyoo Shin

Research output: Contribution to journal › Article › peer-review

10 Scopus citations

Abstract

In Unix-like systems, the Global Offset Table (GOT) overwrite attack is a long-standing control-flow hijacking attack. By exploiting the dynamic symbol binding mechanism, the attacker overwrites a GOT entry with the address of the attacker's chosen target, so that the next call to that library function transfers execution there. Recently, Full RELRO (Relocation Read-Only), which makes the GOT section read-only at program startup, has come to be regarded as the most useful defense against this threat. However, it entails nontrivial loading overhead and is not applicable to libraries. Furthermore, many software packages are currently distributed without Full RELRO. As a result, programs are still exposed to the risk of GOT attacks. In this paper, we propose a CFI-based protection scheme against the GOT overwrite attack. Using dynamically bound function symbols as branch identifiers, the scheme effectively secures inter-module function calls made through the PLT (Procedure Linkage Table) with little performance overhead. Our LLVM-based implementation and evaluation on binutils-gdb show that the branch protection scheme is difficult to bypass, fast, and compatible with existing library programs.
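The three mechanisms the abstract contrasts (a writable GOT reached through an unchecked PLT stub, Full RELRO making the GOT read-only after eager binding, and a PLT-side check keyed on the bound symbol) can be modelled in a single process. The following is an added illustration written for this page; it is not code from the paper and does not reproduce the authors' LLVM implementation. The toy GOT, the `dynsym` table, the "PLT stub" functions and the `scenario_*` drivers are all assumptions of the model; the symbol check in `plt_call_checked` simply compares the GOT slot against what the resolver would return, which is only a stand-in for a compile-time branch identifier. It targets Linux/POSIX (mmap, mprotect, sigaction) and uses a SIGSEGV handler so that the outcome of the blocked write is returned as a value instead of killing the process.

```c
/* Toy model of a GOT overwrite, Full RELRO, and a symbol-keyed PLT check.
 * Added illustration for this page, not code from the paper. Linux/POSIX. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef void (*fn_t)(void);

static int legit_calls, gadget_calls;
static void lib_puts(void)        { legit_calls++; }  /* stands in for a library function */
static void attacker_gadget(void) { gadget_calls++; } /* where the attacker wants control */

/* Assumed "dynamic symbol table": what the loader would resolve a name to. */
static const struct { const char *name; fn_t addr; } dynsym[] = { { "puts", lib_puts } };
enum { GOT_PUTS = 0, GOT_N = 1 };
static const char *const got_symbol[GOT_N] = { "puts" };  /* symbol bound to each slot */

/* Toy GOT in its own page so it can be made read-only, as PT_GNU_RELRO does. */
static void *got_page;
static long got_pg;
static volatile fn_t *got;

static fn_t resolve(const char *name) {
    for (size_t i = 0; i < sizeof dynsym / sizeof dynsym[0]; i++)
        if (strcmp(dynsym[i].name, name) == 0) return dynsym[i].addr;
    return NULL;
}

/* Load the toy module: bind every slot eagerly (as -z now does) and, with
 * full_relro=1, drop write permission on the GOT page (as -z relro does). */
static int load_module(int full_relro) {
    got_pg = sysconf(_SC_PAGESIZE);
    got_page = mmap(NULL, (size_t)got_pg, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got_page == MAP_FAILED) return -1;
    got = got_page;
    for (int i = 0; i < GOT_N; i++) got[i] = resolve(got_symbol[i]);
    if (full_relro && mprotect(got_page, (size_t)got_pg, PROT_READ) != 0) return -1;
    return 0;
}
static void unload_module(void) { munmap(got_page, (size_t)got_pg); }

/* A write to a read-only GOT raises SIGSEGV; catch it and report instead of dying. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Attacker's write-what-where primitive aimed at got[idx]: 1 if written, 0 if it faulted. */
static int got_overwrite(int idx, fn_t target) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int written = 0;
    if (sigsetjmp(fault_env, 1) == 0) { got[idx] = target; written = 1; }
    sigaction(SIGSEGV, &old, NULL);
    return written;
}

/* Plain PLT stub: jump through the GOT and trust whatever is there. */
static void plt_call(int idx) { got[idx](); }

/* PLT stub with a symbol-keyed check (simplified stand-in for the paper's idea):
 * take the branch only if the slot still holds the address its bound symbol
 * resolves to. Returns 0 if the call went through, -1 if it was refused. */
static int plt_call_checked(int idx) {
    if (got[idx] != resolve(got_symbol[idx])) return -1;
    got[idx]();
    return 0;
}

/* Writable GOT, unchecked PLT: the hijack lands. Returns 1 if the gadget ran. */
static int scenario_no_relro(void) {
    legit_calls = gadget_calls = 0;
    if (load_module(0) != 0) return -1;
    plt_call(GOT_PUTS);                          /* ordinary call: legit_calls = 1 */
    got_overwrite(GOT_PUTS, attacker_gadget);
    plt_call(GOT_PUTS);                          /* same call site, now the gadget */
    unload_module();
    return gadget_calls;
}
/* Full RELRO: the write faults and the entry is intact. Returns 1 if blocked. */
static int scenario_full_relro(void) {
    legit_calls = gadget_calls = 0;
    if (load_module(1) != 0) return -1;
    int written = got_overwrite(GOT_PUTS, attacker_gadget);
    plt_call(GOT_PUTS);
    unload_module();
    return written == 0 && gadget_calls == 0 && legit_calls == 1;
}
/* Writable GOT (e.g. no RELRO) but symbol-checked PLT: the write lands, the branch is refused. */
static int scenario_checked_plt(void) {
    legit_calls = gadget_calls = 0;
    if (load_module(0) != 0) return -1;
    got_overwrite(GOT_PUTS, attacker_gadget);
    int rc = plt_call_checked(GOT_PUTS);
    unload_module();
    return rc == -1 && gadget_calls == 0;
}

int main(void) {
    printf("no RELRO, plain PLT: hijacked=%d\n", scenario_no_relro());
    printf("Full RELRO:          blocked=%d\n", scenario_full_relro());
    printf("checked PLT:         blocked=%d\n", scenario_checked_plt());
    return 0;
}
```

The first scenario is the attack the abstract describes: one arbitrary write into the table, and an unchanged call site now dispatches to the attacker. The second is what `-Wl,-z,relro,-z,now` buys at link time (eager binding, then the GOT page loses write permission), which is why the write faults rather than succeeding. The third places the check where the paper places it, at the PLT branch, so that a writable GOT no longer suffices; the real scheme derives the identifier from the bound symbol at compile time rather than re-resolving on every call as this stand-in does. To see which mode a real binary is in, `readelf -lW <binary>` shows a `GNU_RELRO` segment when any RELRO is present, and `readelf -dW <binary>` shows `BIND_NOW` (or `FLAGS: BIND_NOW`) only for Full RELRO; a binary with the segment but without `BIND_NOW` is partial RELRO, and its `.got.plt` remains writable.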

Original language: English
Article number: 9003251
Pages (from-to): 36267-36280
Number of pages: 14
Journal: IEEE Access
Volume: 8
DOIs
State: Published - 2020

Keywords

  • Control flow integrity
  • GOT/PLT
  • linker and loader
  • security
