Automated Multi-Architectural Discovery of CFI-Resistant Code Gadgets
This addresses the security evaluation of CFI defenses for software systems, though it is incremental as it builds on existing gadget discovery methods.
The authors tackled the problem of assessing the security of coarse-grained Control-Flow Integrity (CFI) implementations by developing a framework to discover code gadgets for attacks that comply with these policies, resulting in finding more CFI-compatible gadgets compared to existing tools and demonstrating effectiveness on ARM architecture.
Memory corruption vulnerabilities are still a severe threat for software systems. To thwart the exploitation of such vulnerabilities, many different kinds of defenses have been proposed in the past. Most prominently, Control-Flow Integrity (CFI) has received a lot of attention recently. Several proposals were published that apply coarse-grained policies with a low performance overhead. However, their security remains questionable as recent attacks have shown. To ease the assessment of a given CFI implementation, we introduce a framework to discover code gadgets for code-reuse attacks that conform to coarse-grained CFI policies. For this purpose, binary code is extracted and transformed to a symbolic representation in an architecture-independent manner. Additionally, code gadgets are verified to provide the needed functionality for a security researcher. We show that our framework finds more CFI-compatible gadgets compared to other code gadget discovery tools. Furthermore, we demonstrate that code gadgets needed to bypass CFI solutions on the ARM architecture can be discovered by our framework as well.