Control Flow Bending: On the Effectiveness of Control-Flow Integrity

References:

Attacks on Fully-Precise Static CFI

CFI with shadow stack.

Dispatcher function/gadgets:

Any function that contains a “write-what-where” primitive when the arguments are under the attacker’s control can be used as a dispatcher function. Alternatively, a function that can write to only limited addresses can still work as long as the return address is within the limits.

e.g. memcpy(). Assume we can control all the arguments to memcpy():

  1. point the source buffer to an attacker-controlled location;
  2. point the target buffer to the address where memcpy()’s own return address is stored;
  3. set the length to the word size;
  4. invoke memcpy().
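A toy model, added here and not taken from the paper or these notes, of why the memcpy() trick above gets past static CFI but not a shadow stack: the dispatcher’s bounded write can reach its own return-address slot, and static CFI accepts any valid return site, whereas a shadow stack accepts only the site that actually made the call. The addresses, the two site names and the Machine class are all constructed for illustration.

```python
# Constructed toy model: a call stack plus a shadow stack, showing that a
# bounded write-what-where reaching the return-address slot defeats static
# CFI alone but is caught by a shadow stack. No real memory is touched.
WORD = 8
SITE_A, SITE_B = 0x401000, 0x402000   # two valid return sites (constructed)

class StaticCFIViolation(Exception):
    pass
class ShadowStackViolation(Exception):
    pass

class Machine:
    def __init__(self, valid_return_sites):
        self.mem = {}                  # address -> one word of stack data
        self.shadow = []               # return addresses, unreachable by data writes
        self.sp = 0x7FFF0000
        self.valid_return_sites = set(valid_return_sites)

    def call(self, return_site):
        """Push the return address; return the address of its stack slot."""
        self.sp -= WORD
        self.mem[self.sp] = return_site
        self.shadow.append(return_site)
        return self.sp

    def write_word(self, dst, value, lo, hi):
        """Dispatcher primitive: write one word, but only inside [lo, hi)."""
        if not lo <= dst < hi:
            raise ValueError("destination outside the primitive's limits")
        self.mem[dst] = value

    def ret(self, shadow_stack):
        """Pop the return address and check it under the chosen policy."""
        target = self.mem[self.sp]
        self.sp += WORD
        expected = self.shadow.pop()
        if target not in self.valid_return_sites:
            raise StaticCFIViolation(hex(target))    # static CFI: any valid site passes
        if shadow_stack and target != expected:
            raise ShadowStackViolation(hex(target))  # shadow stack: only the real caller
        return target

def bend_return(shadow_stack):
    """Call the dispatcher from SITE_A, let its bounded write replace the
    return slot with SITE_B, then return; report the target or 'blocked'."""
    m = Machine(valid_return_sites={SITE_A, SITE_B})
    slot = m.call(SITE_A)
    m.write_word(slot, SITE_B, lo=slot - 0x100, hi=slot + WORD)  # slot is in range
    try:
        return m.ret(shadow_stack)
    except ShadowStackViolation:
        return "blocked"
```

Run bend_return(False) and bend_return(True) side by side to see the difference between the two policies.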

e.g. printf(): use the %n format specifier to write an arbitrary value to an arbitrary location -> printf() can overwrite its own return address.

??? how does printf() work? see Appendix B.


Created Jul 8, 2022 // Last Updated Jul 20, 2022
