Conti, Mauro ; Crane, Stephen ; Davi, Lucas ; Franz, Michael ; Larsen, Per ; Liebchen, Christopher ; Negro, Marco ; Qunaibit, Mohaned ; Sadeghi, Ahmad-Reza (2015)
Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks.
Conference publication, Bibliography
Abstract
Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations.
In this paper we show how to exploit heap-based vulnerabilities to control the stack content including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduced stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.
Item type: | Conference publication |
---|---|
Published: | 2015 |
Author(s): | Conti, Mauro ; Crane, Stephen ; Davi, Lucas ; Franz, Michael ; Larsen, Per ; Liebchen, Christopher ; Negro, Marco ; Qunaibit, Mohaned ; Sadeghi, Ahmad-Reza |
Type of entry: | Bibliography |
Title: | Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks |
Language: | German |
Publication year: | October 2015 |
Book title: | 22nd ACM Conference on Computer and Communications Security (CCS) |
Uncontrolled keywords: | ICRI-SC;Secure Things;Solutions;S2 |
ID number: | TUD-CS-2015-1168 |
Department(s)/field(s): | 20 Department of Computer Science; 20 Department of Computer Science > System Security; DFG Collaborative Research Centres (incl. Transregio); DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres; Profile Areas; Profile Areas > Cybersecurity (CYSEC); LOEWE; LOEWE > LOEWE Centres; LOEWE > LOEWE Centres > CASED – Center for Advanced Security Research Darmstadt; DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > SFB 1119: CROSSING – Cryptography-based security solutions as a basis for trust in current and future IT systems |
Date deposited: | 04 Aug 2016 10:13 |
Last modified: | 03 Jun 2018 21:31 |