Through the Window: On the exploitability of Xtensa's Register Window Overflow

Authors: Kai Lehniger, P. Langendörfer
DOI: 10.1109/ITNAC55475.2022.9998407 (https://doi.org/10.1109/ITNAC55475.2022.9998407)
Published in: 2022 32nd International Telecommunication Networks and Applications Conference (ITNAC), 2022-11-30
Citation count: 2 (Semantic Scholar)

Abstract
While the name Xtensa is still mostly unknown to the public, the architecture plays a big role in the field of the Internet of Things (IoT), be it in the form of custom designs or of broadly used microcontrollers such as the ESP32, which is used inside millions of devices. This paper describes a newly discovered vulnerability that uses the window overflow exception handlers of an Xtensa LX processor to leak and manipulate data. To show its severity, an exploit is demonstrated that disables Stack Canaries, a common protection against stack buffer overflows. Requirements and potential possibilities to escalate the vulnerability are discussed, including code-reuse attacks that completely compromise the attacked device. Finally, a countermeasure is introduced with a <0.5% runtime overhead in our worst-case scenario.