Paper Info
Title
Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks
Abstract
Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations. In this paper we show how to exploit heap-based vulnerabilities to control the stack contents including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduce stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1)~against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2)~against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.
Year
DOI
Venue
2015
10.1145/2810103.2813671
ACM Conference on Computer and Communications Security
Keywords
Field
DocType
stack corruption, control-flow integrity, code-reuse attacks
x86,Computer science,Memory corruption,Computer security,Control flow,Exploit,Compiler,Program analysis,Arbitrary code execution,Context switch
Conference
ISBN
Citations 
PageRank 
978-1-4503-3832-5
35
0.87
References 
Authors
39
9
Name
Order
Citations
PageRank
Mauro Conti12430203.80
Stephen Crane226913.24
Lucas Davi3171472.69
Michael Franz4144499.50
Per Larsen545923.26
Marco Negro6351.20
Christopher Liebchen72668.95
Mohaned Qunaibit8351.20
Ahmad-reza Sadeghi95463334.69