Breaking active-set backward-edge CFI

Abstract

Hardware-Assisted Flow Integrity extension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides finegrained protection by confining return addresses to only target call sites in functions active on the call stack. We study whether the backward-edge policy in HAFIX is sufficient to prevent code-reuse exploits on real-world programs. In this paper, we present three general attacks that exploit weaknesses in HAFIX and demonstrate these attacks are effective in case studies examining Nginx web server, Exim mail server, and PHP. We then propose improvements to HAFIX we believe will improve its effectiveness against code-reuse attacks.