Hardware-Assisted Flow Integrity eXtension (HAFIX) was proposed as a defense against code-reuse attacks that exploit backward edges (returns). HAFIX provides fine-grained protection by implementing Active-Set Backward-Edge CFI: confining return addresses to only target call sites in functions active on the call stack. We study whether the active-set backward-edge CFI policy is sufficient to prevent code-reuse exploits on real-world programs. In this thesis, we present five novel attacks that exploit weaknesses in active-set backward-edge CFI and demonstrate these attacks are effective in case studies examining Nginx web server, Exim mail server, and PHP. We then propose improvements to active-set backward-edge CFI that we believe will improve its effectiveness against code-reuse attacks.
Title
Breaking Active-Set Backward-Edge Control-Flow Integrity
Published
2017-05-12
Full Collection Name
Electrical Engineering & Computer Sciences Technical Reports
Other Identifiers
EECS-2017-78
Type
Text
Extent
38 p
Archive
The Engineering Library
Usage Statement
Researchers may make free and open use of the UC Berkeley Library’s digitized public domain materials. However, some materials in our online collections may be protected by U.S. copyright law (Title 17, U.S.C.). Use or reproduction of materials protected by copyright beyond that allowed by fair use (Title 17, U.S.C. § 107) requires permission from the copyright owners. The use or reproduction of some materials may also be restricted by terms of University of California gift or purchase agreements, privacy and publicity rights, or trademark law. Responsibility for determining rights status and permissibility of any use or reproduction rests exclusively with the researcher. To learn more or make inquiries, please see our permissions policies (https://www.lib.berkeley.edu/about/permissions-policies).
