Michael Theodorides
EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2017-78
May 12, 2017
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.pdf
Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate that these attacks are effective in case studies examining the Nginx web server, the Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.
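As an added illustration that is not part of the thesis, the following Python model contrasts the active-set backward-edge policy described above with a precise shadow stack, showing which return targets each policy accepts. The program layout, function names and return addresses are constructed for the example.

```python
# Model of active-set backward-edge CFI (the policy HAFIX enforces) next to a
# precise shadow stack. The program layout below is constructed, not taken
# from the thesis: caller -> {return address of each call site: callee}.
CALL_SITES = {
    "main":  {0x1010: "parse", 0x1020: "log"},
    "parse": {0x2010: "copy", 0x2020: "log"},
    "log":   {0x3010: "write"},
    "copy":  {},
    "write": {},
}

class ActiveSetCFI:
    """A return may target any call site inside a function that is still
    active (present anywhere on the call stack) once the returning
    function has been deactivated."""
    def __init__(self):
        self.stack = ["main"]          # active functions, innermost last
    def call(self, ret_addr):
        callee = CALL_SITES[self.stack[-1]][ret_addr]
        self.stack.append(callee)      # callee becomes active
    def ret(self, target):
        self.stack.pop()               # returning function is deactivated
        return any(target in CALL_SITES[f] for f in set(self.stack))

class ShadowStack:
    """A return must target exactly the address saved by the matching call."""
    def __init__(self):
        self.saved = []
    def call(self, ret_addr):
        self.saved.append(ret_addr)
    def ret(self, target):
        return self.saved.pop() == target

def check_return(policy_cls, target):
    """Run main -> parse -> copy, then have copy return to `target`."""
    policy = policy_cls()
    policy.call(0x1010)   # main calls parse
    policy.call(0x2010)   # parse calls copy
    return policy.ret(target)

def compare_policies():
    """Verdicts (active_set, shadow_stack) for three candidate return targets."""
    targets = {
        "legitimate":  0x2010,  # the real return site in parse
        "active_fn":   0x1020,  # a different call site, but main is active
        "inactive_fn": 0x3010,  # call site inside log, which is not active
    }
    return {name: (check_return(ActiveSetCFI, t), check_return(ShadowStack, t))
            for name, t in targets.items()}
```

The "active_fn" case is the gap the abstract refers to: the active-set policy accepts a return to a call site the function never returned from, while the shadow stack rejects it.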
Advisor: David Wagner
BibTeX citation:
@mastersthesis{Theodorides:EECS-2017-78,
  Author = {Theodorides, Michael},
  Title = {Breaking Active-Set Backward-Edge Control-Flow Integrity},
  School = {EECS Department, University of California, Berkeley},
  Year = {2017},
  Month = {May},
  URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html},
  Number = {UCB/EECS-2017-78},
  Abstract = {Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate these attacks are effective in case studies examining Nginx web server, Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.}
}
EndNote citation:
%0 Thesis
%A Theodorides, Michael
%T Breaking Active-Set Backward-Edge Control-Flow Integrity
%I EECS Department, University of California, Berkeley
%D 2017
%8 May 12
%@ UCB/EECS-2017-78
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html
%F Theodorides:EECS-2017-78