Let Me Unwind That For You: Exceptions to Backward-Edge Protection

Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, Cristiano Giuffrida

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Backward-edge control-flow hijacking via stack buffer overflow is the holy grail of software exploitation. The ability to directly control critical stack data and the hijacked target makes this exploitation strategy particularly appealing for attackers. As a result, the community has deployed strong backward-edge protections such as shadow stacks or stack canaries, forcing attackers to resort to less ideal (e.g., heap-based) exploitation strategies. However, such mitigations commonly rely on one key assumption, namely that an attacker relies on return address corruption to directly hijack control flow upon function return.

In this paper, we present *exceptions* to this assumption and show that attacks based on backward-edge control-flow hijacking *without* the direct hijacking are possible. Specifically, we demonstrate that stack corruption can cause exception handling to act as a *confused deputy* and mount backward-edge control-flow hijacking attacks on the attacker's behalf. This strategy provides overlooked opportunities to divert execution to attacker-controlled catch handlers (a paradigm we term Catch Handler Oriented Programming, or CHOP) and craft powerful primitives such as arbitrary code execution or arbitrary memory writes. We find CHOP-style attacks to work across multiple platforms (Linux, Windows, macOS, Android and iOS). To analyze the uncovered attack surface, we survey popular open-source packages and study the applicability of the proposed exploitation techniques. Our analysis shows that suitable exception handling targets are ubiquitous in C++ programs and that exploitable exception handlers are common. We conclude by presenting three end-to-end exploits on real-world software and proposing changes to deployed mitigations to address CHOP.
Original language: English
Title of host publication: NDSS Symposium 2023 Accepted Papers
Publisher: The Internet Society
Pages: 1-18
Number of pages: 18
ISBN (Electronic): 1891562835
DOIs:
Publication status: Published - 3 Mar 2023
Event: Network and Distributed System Security (NDSS) Symposium 2023 - San Diego, United States
Duration: 27 Feb 2023 to 3 Mar 2023

Conference

Conference: Network and Distributed System Security (NDSS) Symposium 2023
Abbreviated title: NDSS 2023
Country/Territory: United States
City: San Diego
Period: 27/02/23 to 03/03/23

