Automated Multi-Architectural Discovery of CFI-Resistant Code Gadgets
Patrick Wollgast, Robert Gawlik, Behrad Garmany, Benjamin Kollenda, Thorsten Holz

TL;DR
This paper presents a framework that automatically discovers code gadgets compatible with coarse-grained CFI policies across architectures, aiding security assessment of CFI implementations and revealing vulnerabilities.
Contribution
It introduces an architecture-independent framework for discovering CFI-compatible code gadgets, improving over existing tools and supporting ARM architecture analysis.
Findings
Finds more CFI-compatible gadgets than existing tools.
Successfully discovers gadgets for ARM architecture.
Enhances security assessment of CFI implementations.
Abstract
Memory corruption vulnerabilities are still a severe threat for software systems. To thwart the exploitation of such vulnerabilities, many different kinds of defenses have been proposed in the past. Most prominently, Control-Flow Integrity (CFI) has received a lot of attention recently. Several proposals were published that apply coarse-grained policies with a low performance overhead. However, their security remains questionable as recent attacks have shown. To ease the assessment of a given CFI implementation, we introduce a framework to discover code gadgets for code-reuse attacks that conform to coarse-grained CFI policies. For this purpose, binary code is extracted and transformed to a symbolic representation in an architecture-independent manner. Additionally, code gadgets are verified to provide the needed functionality for a security researcher. We show that our framework…
