TU Darmstadt / ULB / TUbiblio

Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks

Conti, Mauro ; Crane, Stephen ; Davi, Lucas ; Franz, Michael ; Larsen, Per ; Liebchen, Christopher ; Negro, Marco ; Qunaibit, Mohaned ; Sadeghi, Ahmad-Reza (2015):
Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks.
In: 22nd ACM Conference on Computer and Communications Security (CCS),
[Conference or Workshop Item]

Abstract

Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations.

In this paper we show how to exploit heap-based vulnerabilities to control the stack content including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduced stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.

Item Type: Conference or Workshop Item
Erschienen: 2015
Creators: Conti, Mauro ; Crane, Stephen ; Davi, Lucas ; Franz, Michael ; Larsen, Per ; Liebchen, Christopher ; Negro, Marco ; Qunaibit, Mohaned ; Sadeghi, Ahmad-Reza
Title: Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks
Language: German
Abstract:

Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations.

In this paper we show how to exploit heap-based vulnerabilities to control the stack content including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduced stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.

Title of Book: 22nd ACM Conference on Computer and Communications Security (CCS)
Uncontrolled Keywords: ICRI-SC;Secure Things;Solutions;S2
Divisions: 20 Department of Computer Science
20 Department of Computer Science > System Security Lab
DFG-Collaborative Research Centres (incl. Transregio)
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
Date Deposited: 04 Aug 2016 10:13
Identification Number: TUD-CS-2015-1168
Corresponding Links:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details