Abstract |
---|
Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations. In this paper we show how to exploit heap-based vulnerabilities to control the stack contents including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduce stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation. |

Attribute | Value |
---|---|
Year | 2015 |
DOI | 10.1145/2810103.2813671 |
Venue | ACM Conference on Computer and Communications Security |
Keywords | stack corruption, control-flow integrity, code-reuse attacks |
Field | x86, Computer science, Memory corruption, Computer security, Control flow, Exploit, Compiler, Program analysis, Arbitrary code execution, Context switch |
DocType | Conference |
ISBN | 978-1-4503-3832-5 |
Citations | 35 |
PageRank | 0.87 |
References | 39 |
Authors | 9 |

Name | Order | Citations | PageRank |
---|---|---|---|
Mauro Conti | 1 | 2430 | 203.80 |
Stephen Crane | 2 | 269 | 13.24 |
Lucas Davi | 3 | 1714 | 72.69 |
Michael Franz | 4 | 1444 | 99.50 |
Per Larsen | 5 | 459 | 23.26 |
Marco Negro | 6 | 35 | 1.20 |
Christopher Liebchen | 7 | 266 | 8.95 |
Mohaned Qunaibit | 8 | 35 | 1.20 |
Ahmad-Reza Sadeghi | 9 | 5463 | 334.69 |