Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks

Conti, Mauro and Crane, Stephen and Davi, Lucas and Franz, Michael and Larsen, Per and Liebchen, Christopher and Negro, Marco and Qunaibit, Mohaned and Sadeghi, Ahmad-Reza (2015):
Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks.
In: 22nd ACM Conference on Computer and Communications Security (CCS), [Conference or Workshop Item]

Abstract

Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations.

In this paper we show how to exploit heap-based vulnerabilities to control the stack content, including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduced stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32- and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.

Item Type: Conference or Workshop Item
Published: 2015
Creators: Conti, Mauro and Crane, Stephen and Davi, Lucas and Franz, Michael and Larsen, Per and Liebchen, Christopher and Negro, Marco and Qunaibit, Mohaned and Sadeghi, Ahmad-Reza
Title: Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks
Language: German
Title of Book: 22nd ACM Conference on Computer and Communications Security (CCS)
Uncontrolled Keywords: ICRI-SC;Secure Things;Solutions;S2
Divisions: 20 Department of Computer Science
20 Department of Computer Science > System Security Lab
DFG-Collaborative Research Centres (incl. Transregio)
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
Date Deposited: 04 Aug 2016 10:13
Identification Number: TUD-CS-2015-1168