Abstract
Backward-edge control-flow hijacking via stack buffer overflow is the holy grail of software exploitation. The ability to directly control critical stack data and the hijacked target makes this exploitation strategy particularly appealing for attackers. As a result, the community has deployed strong backward-edge protections such as shadow stacks or stack canaries, forcing attackers to resort to less ideal, e.g., heap-based, exploitation strategies. However, such mitigations commonly rely on one key assumption, namely that an attacker relies on return address corruption to directly hijack control flow upon function return.

In this paper, we present exceptions to this assumption and show that backward-edge control-flow hijacking attacks are possible without direct hijacking. Specifically, we demonstrate that stack corruption can cause exception handling to act as a confused deputy and mount backward-edge control-flow hijacking attacks on the attacker's behalf. This strategy provides overlooked opportunities to divert execution to attacker-controlled catch handlers (a paradigm we term Catch Handler Oriented Programming, or CHOP) and to craft powerful primitives such as arbitrary code execution or arbitrary memory writes. We find CHOP-style attacks to work across multiple platforms (Linux, Windows, macOS, Android and iOS). To analyze the uncovered attack surface, we survey popular open-source packages and study the applicability of the proposed exploitation techniques. Our analysis shows that suitable exception handling targets are ubiquitous in C++ programs and that exploitable exception handlers are common. We conclude by presenting three end-to-end exploits on real-world software and proposing changes to deployed mitigations to address CHOP.
| Original language | English |
|---|---|
| Title of host publication | 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023 |
| Publisher | The Internet Society |
| Pages | 1-18 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781891562839 |
| Publication status | Published - 2023 |
Funding
We thank the anonymous reviewers for their feedback. We’d also like to thank Gregor Kopf for finding and pointing out CVE-2009-4009. This work was supported by EKZ through the AVR “Memo” project and by NWO through projects “TROPICS”, “Theseus”, and “INTERSECT”.
| Funders | Funder number |
|---|---|
| EKZ | |
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | |
Paper title: Let Me Unwind That For You: Exceptions to Backward-Edge Protection