Let Me Unwind That For You: Exceptions to Backward-Edge Protection

Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, Cristiano Giuffrida
DOI: 10.14722/ndss.2023.23295 (https://doi.org/10.14722/ndss.2023.23295)
Published in: Proceedings 2023 Network and Distributed System Security Symposium
Citations: 1

Abstract

Backward-edge control-flow hijacking via stack buffer overflow is the holy grail of software exploitation. The ability to directly control critical stack data and the hijacked target makes this exploitation strategy particularly appealing for attackers. As a result, the community has deployed strong backward-edge protections such as shadow stacks or stack canaries, forcing attackers to resort to less ideal, e.g., heap-based, exploitation strategies. However, such mitigations commonly rely on one key assumption, namely that an attacker relies on return address corruption to directly hijack control flow upon function return. In this paper, we present exceptions to this assumption and show that attacks based on backward-edge control-flow hijacking without the direct hijacking are possible. Specifically, we demonstrate that stack corruption can cause exception handling to act as a confused deputy and mount backward-edge control-flow hijacking attacks on the attacker's behalf. This strategy provides overlooked opportunities to divert execution to attacker-controlled catch handlers (a paradigm we term Catch Handler Oriented Programming or CHOP) and craft powerful primitives such as arbitrary code execution or arbitrary memory writes. We find CHOP-style attacks to work across multiple platforms (Linux, Windows, macOS, Android and iOS). To analyze the uncovered attack surface, we survey popular open-source packages and study the applicability of the proposed exploitation techniques. Our analysis shows that suitable exception handling targets are ubiquitous in C++ programs and exploitable exception handlers are common. We conclude by presenting three end-to-end exploits on real-world software and proposing changes to deployed mitigations to address CHOP.