Breaking Active-Set Backward-Edge Control-Flow Integrity

Michael Theodorides

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2017-78
May 12, 2017

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.pdf

Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate that these attacks are effective in case studies examining the Nginx web server, the Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.
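
To make the policy described above concrete, the following is a small model of an active-set backward-edge CFI check, added for this page and not code from the thesis or from HAFIX; the function labels, call-site addresses and call chain are constructed, and the model ignores recursion.

```python
"""Toy model of active-set backward-edge CFI (added example, not from the thesis).

Assumed simplifications: every function carries one label; a call site is
identified by its return address; a RET is permitted only if the target is a
call site whose enclosing function is currently active on the call stack.
"""

# Constructed layout: function label -> return addresses of call sites inside it.
CALL_SITES = {
    "main": {0x1010, 0x1020},   # main calls two callees
    "parse": {0x2010},          # parse calls one helper
    "helper": set(),            # leaf function, no call sites
    "unused": {0x3010},         # never active in the traces below
}

# Reverse map: return address -> function that contains that call site.
SITE_OWNER = {addr: fn for fn, sites in CALL_SITES.items() for addr in sites}


class ActiveSetCFI:
    """Tracks the active set of function labels and validates return targets."""

    def __init__(self, entry="main"):
        self.active = {entry}   # labels of functions currently on the stack
        self.stack = [entry]    # bookkeeping only (which label a RET removes)

    def call(self, callee):
        # A call activates the callee's label (HAFIX-style label activation).
        self.active.add(callee)
        self.stack.append(callee)

    def ret(self, target):
        """Return from the innermost function; True if the policy allows it."""
        self.active.discard(self.stack.pop())   # leaving function is deactivated
        owner = SITE_OWNER.get(target)
        # The decision is per enclosing function, not per exact return address:
        # any call site in an active function passes, which is what the thesis
        # evaluates for sufficiency.
        return owner is not None and owner in self.active


def policy_decision(call_chain, target):
    """Replay a call chain (outermost first) and attempt one RET to `target`."""
    cfi = ActiveSetCFI(call_chain[0])
    for callee in call_chain[1:]:
        cfi.call(callee)
    return cfi.ret(target)
```

With the chain main -> parse -> helper, a return from helper to its real call site in parse is allowed, a return to the call site in the inactive function is rejected, and a return to a call site in main (active but not the direct caller) is also allowed by the policy.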

Advisor: David Wagner


BibTeX citation:

@mastersthesis{Theodorides:EECS-2017-78,
    Author = {Theodorides, Michael},
    Title = {Breaking Active-Set Backward-Edge Control-Flow Integrity},
    School = {EECS Department, University of California, Berkeley},
    Year = {2017},
    Month = {May},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html},
    Number = {UCB/EECS-2017-78},
    Abstract = {Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs.
In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate that these attacks are effective in case studies examining the Nginx web server, the Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.}
}

EndNote citation:

%0 Thesis
%A Theodorides, Michael
%T Breaking Active-Set Backward-Edge Control-Flow Integrity
%I EECS Department, University of California, Berkeley
%D 2017
%8 May 12
%@ UCB/EECS-2017-78
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html
%F Theodorides:EECS-2017-78