Breaking Active-Set Backward-Edge Control-Flow Integrity
Michael Theodorides
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2017-78
May 12, 2017
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.pdf
Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses so that they may only target call sites in functions that are currently active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate that these attacks are effective in case studies examining the Nginx web server, the Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.
Advisor: David Wagner
BibTeX citation:
@mastersthesis{Theodorides:EECS-2017-78,
  Author   = {Theodorides, Michael},
  Title    = {Breaking Active-Set Backward-Edge Control-Flow Integrity},
  School   = {EECS Department, University of California, Berkeley},
  Year     = {2017},
  Month    = {May},
  Url      = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html},
  Number   = {UCB/EECS-2017-78},
  Abstract = {Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate these attacks are effective in case studies examining Nginx web server, Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.}
}
EndNote citation:
%0 Thesis
%A Theodorides, Michael
%T Breaking Active-Set Backward-Edge Control-Flow Integrity
%I EECS Department, University of California, Berkeley
%D 2017
%8 May 12
%@ UCB/EECS-2017-78
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-78.html
%F Theodorides:EECS-2017-78