On the Effectiveness of Type-based Control Flow Integrity
release_tuaudgletvcahe5txlpdpstei4
by
Reza Mirzazade Farkhani, Saman Jafari, Sajjad Arshad, William
Robertson, Engin Kirda, Hamed Okhravi
2020
Abstract
Control flow integrity (CFI) has received significant attention in the
community to combat control hijacking attacks in the presence of memory
corruption vulnerabilities. The challenges in creating a practical CFI has
resulted in the development of a new type of CFI based on runtime type checking
(RTC). RTC-based CFI has been implemented in a number of recent practical
efforts such as GRSecurity Reuse Attack Protector (RAP) and LLVM-CFI. While
there has been a number of previous efforts that studied the strengths and
limitations of other types of CFI techniques, little has been done to evaluate
the RTC-based CFI. In this work, we study the effectiveness of RTC from the
security and practicality aspects. From the security perspective, we observe
that type collisions are abundant in sufficiently large code bases but
exploiting them to build a functional attack is not straightforward. Then we
show how an attacker can successfully bypass RTC techniques using a variant of
ROP attacks that respect type checking (called TROP) and also built two
proof-of-concept exploits, one against Nginx web server and the other against
Exim mail server. We also discuss practical challenges of implementing RTC. Our
findings suggest that while RTC is more practical for applying CFI to large
code bases, its policy is not strong enough when facing a motivated attacker.
In text/plain
format
Archived Files and Locations
application/pdf 1.4 MB
file_vb7xwthhnvhkjfh3alr34payn4
|
arxiv.org (repository) web.archive.org (webarchive) |
1810.10649v2
access all versions, variants, and formats of this works (eg, pre-prints)