How do exploit developers counter control-flow integrity (CFI) used to prevent ROP-based buffer overflow attacks?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
1













How do exploit developers counter control-flow integrity (CFI) used to prevent ROP-based buffer overflow attacks?




Originally, return-oriented programming (ROP) was invented to counter the no-execute (NX) protection of the stack, by jumping from different memory locations (executable) to execute code (gadgets).



However, control-flow integrity (CFI) is meant to prevent ROP-based execution by dynamically checking the destinations of jumps for validity, i.e., it is no longer possible to jump to arbitrary locations in executable code (only to the beginning of functions etc.)



How does exploit developers counter CFI to exploit NX-protected programs using buffer overflows?






exploit exploit-development







share|improve this question























  • @forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
    – user111854
    3 hours ago














up vote
2
down vote

favorite
1













How do exploit developers counter control-flow integrity (CFI) used to prevent ROP-based buffer overflow attacks?




Originally, return-oriented programming (ROP) was invented to counter the no-execute (NX) protection of the stack, by jumping from different memory locations (executable) to execute code (gadgets).



However, control-flow integrity (CFI) is meant to prevent ROP-based execution by dynamically checking the destinations of jumps for validity, i.e., it is no longer possible to jump to arbitrary locations in executable code (only to the beginning of functions etc.)



How does exploit developers counter CFI to exploit NX-protected programs using buffer overflows?






exploit exploit-development







share|improve this question























  • @forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
    – user111854
    3 hours ago












up vote
2
down vote

favorite
1









up vote
2
down vote

favorite
1






1






How do exploit developers counter control-flow integrity (CFI) used to prevent ROP-based buffer overflow attacks?




Originally, return-oriented programming (ROP) was invented to counter the no-execute (NX) protection of the stack, by jumping from different memory locations (executable) to execute code (gadgets).



However, control-flow integrity (CFI) is meant to prevent ROP-based execution by dynamically checking the destinations of jumps for validity, i.e., it is no longer possible to jump to arbitrary locations in executable code (only to the beginning of functions etc.)



How does exploit developers counter CFI to exploit NX-protected programs using buffer overflows?






exploit exploit-development







share|improve this question
















How do exploit developers counter control-flow integrity (CFI) used to prevent ROP-based buffer overflow attacks?




Originally, return-oriented programming (ROP) was invented to counter the no-execute (NX) protection of the stack, by jumping from different memory locations (executable) to execute code (gadgets).



However, control-flow integrity (CFI) is meant to prevent ROP-based execution by dynamically checking the destinations of jumps for validity, i.e., it is no longer possible to jump to arbitrary locations in executable code (only to the beginning of functions etc.)



How does exploit developers counter CFI to exploit NX-protected programs using buffer overflows?






exploit exploit-development




exploit exploit-development






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 3 hours ago

























asked 4 hours ago









user111854

12819




12819











  • @forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
    – user111854
    3 hours ago
















  • @forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
    – user111854
    3 hours ago















@forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
– user111854
3 hours ago




@forest - I wasn't aware that there were different types of CFI. Although there is no way to bypass it for ROP, has something entirely different been invented that make buffer-overflows feasible? Or are buffer-overflows impossible, given that the CFI protecting is good enough.
– user111854
3 hours ago










1 Answer
1






active

oldest

votes

















up vote
2
down vote













There are many types of CFI. However, CFI that supports both forward and backward edge protection, is deterministic, and is also fine-grained is very rare to come by (the only concrete example I know of is the commercial version of PaX RAP). Most CFI is coarse-grained, which means that a function can return not to only that one function, but to a number of functions with the same function signature (that is, the same return type and exact same arguments). Forward edges come from jumps and calls, whereas backward edges come from returns. The vast majority of CFI only supports one or the other (such as Microsoft's CFG or Clang's CFI), vastly limiting its capabilities.



Another issue with CFI is that it is often probabilistic, using some secret value. Any infoleaks that expose that secret value could be used to break the CFI. Deterministic CFI does not suffer from this, but most deterministic CFI is very coarse-grained. In summary:



  • Most CFI is not both forward and backward edge, severely limiting its capabilities.


  • Most CFI is probabilistic, making it vulnerable to infoleaks that can break it.


  • Most CFI is coarse-grained, letting you return to groups of functions with the same signature.


You can learn a lot more about actual CFI implementations by checking out kCFI and PaX RAP, the only two which I know of that provide full forward and backward edge protection. Unfortunately, since CFI is such a complex topic and there's no one implementation or even technique for CFI, there's no way to answer exactly how an attacker can bypass it without specifying the implementation.






share|improve this answer






















  • Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
    – user111854
    1 hour ago










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196980%2fhow-do-exploit-developers-counter-control-flow-integrity-cfi-used-to-prevent-r%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













There are many types of CFI. However, CFI that supports both forward and backward edge protection, is deterministic, and is also fine-grained is very rare to come by (the only concrete example I know of is the commercial version of PaX RAP). Most CFI is coarse-grained, which means that a function can return not to only that one function, but to a number of functions with the same function signature (that is, the same return type and exact same arguments). Forward edges come from jumps and calls, whereas backward edges come from returns. The vast majority of CFI only supports one or the other (such as Microsoft's CFG or Clang's CFI), vastly limiting its capabilities.



Another issue with CFI is that it is often probabilistic, using some secret value. Any infoleaks that expose that secret value could be used to break the CFI. Deterministic CFI does not suffer from this, but most deterministic CFI is very coarse-grained. In summary:



  • Most CFI is not both forward and backward edge, severely limiting its capabilities.


  • Most CFI is probabilistic, making it vulnerable to infoleaks that can break it.


  • Most CFI is coarse-grained, letting you return to groups of functions with the same signature.


You can learn a lot more about actual CFI implementations by checking out kCFI and PaX RAP, the only two which I know of that provide full forward and backward edge protection. Unfortunately, since CFI is such a complex topic and there's no one implementation or even technique for CFI, there's no way to answer exactly how an attacker can bypass it without specifying the implementation.






share|improve this answer






















  • Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
    – user111854
    1 hour ago














up vote
2
down vote













There are many types of CFI. However, CFI that supports both forward and backward edge protection, is deterministic, and is also fine-grained is very rare to come by (the only concrete example I know of is the commercial version of PaX RAP). Most CFI is coarse-grained, which means that a function can return not to only that one function, but to a number of functions with the same function signature (that is, the same return type and exact same arguments). Forward edges come from jumps and calls, whereas backward edges come from returns. The vast majority of CFI only supports one or the other (such as Microsoft's CFG or Clang's CFI), vastly limiting its capabilities.



Another issue with CFI is that it is often probabilistic, using some secret value. Any infoleaks that expose that secret value could be used to break the CFI. Deterministic CFI does not suffer from this, but most deterministic CFI is very coarse-grained. In summary:



  • Most CFI is not both forward and backward edge, severely limiting its capabilities.


  • Most CFI is probabilistic, making it vulnerable to infoleaks that can break it.


  • Most CFI is coarse-grained, letting you return to groups of functions with the same signature.


You can learn a lot more about actual CFI implementations by checking out kCFI and PaX RAP, the only two which I know of that provide full forward and backward edge protection. Unfortunately, since CFI is such a complex topic and there's no one implementation or even technique for CFI, there's no way to answer exactly how an attacker can bypass it without specifying the implementation.






share|improve this answer






















  • Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
    – user111854
    1 hour ago












up vote
2
down vote










up vote
2
down vote









There are many types of CFI. However, CFI that supports both forward and backward edge protection, is deterministic, and is also fine-grained is very rare to come by (the only concrete example I know of is the commercial version of PaX RAP). Most CFI is coarse-grained, which means that a function can return not to only that one function, but to a number of functions with the same function signature (that is, the same return type and exact same arguments). Forward edges come from jumps and calls, whereas backward edges come from returns. The vast majority of CFI only supports one or the other (such as Microsoft's CFG or Clang's CFI), vastly limiting its capabilities.



Another issue with CFI is that it is often probabilistic, using some secret value. Any infoleaks that expose that secret value could be used to break the CFI. Deterministic CFI does not suffer from this, but most deterministic CFI is very coarse-grained. In summary:



  • Most CFI is not both forward and backward edge, severely limiting its capabilities.


  • Most CFI is probabilistic, making it vulnerable to infoleaks that can break it.


  • Most CFI is coarse-grained, letting you return to groups of functions with the same signature.


You can learn a lot more about actual CFI implementations by checking out kCFI and PaX RAP, the only two which I know of that provide full forward and backward edge protection. Unfortunately, since CFI is such a complex topic and there's no one implementation or even technique for CFI, there's no way to answer exactly how an attacker can bypass it without specifying the implementation.






share|improve this answer














There are many types of CFI. However, CFI that supports both forward and backward edge protection, is deterministic, and is also fine-grained is very rare to come by (the only concrete example I know of is the commercial version of PaX RAP). Most CFI is coarse-grained, which means that a function can return not to only that one function, but to a number of functions with the same function signature (that is, the same return type and exact same arguments). Forward edges come from jumps and calls, whereas backward edges come from returns. The vast majority of CFI only supports one or the other (such as Microsoft's CFG or Clang's CFI), vastly limiting its capabilities.



Another issue with CFI is that it is often probabilistic, using some secret value. Any infoleaks that expose that secret value could be used to break the CFI. Deterministic CFI does not suffer from this, but most deterministic CFI is very coarse-grained. In summary:



  • Most CFI is not both forward and backward edge, severely limiting its capabilities.


  • Most CFI is probabilistic, making it vulnerable to infoleaks that can break it.


  • Most CFI is coarse-grained, letting you return to groups of functions with the same signature.


You can learn a lot more about actual CFI implementations by checking out kCFI and PaX RAP, the only two which I know of that provide full forward and backward edge protection. Unfortunately, since CFI is such a complex topic and there's no one implementation or even technique for CFI, there's no way to answer exactly how an attacker can bypass it without specifying the implementation.







share|improve this answer














share|improve this answer



share|improve this answer








edited 3 hours ago

























answered 3 hours ago









forest

24.9k127893




24.9k127893











  • Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
    – user111854
    1 hour ago
















  • Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
    – user111854
    1 hour ago















Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
– user111854
1 hour ago




Thank you @forest for a very good answer. Why don't Microsoft use PaX RAP then? Is it because the program suffers to much w.r.t. time and size?
– user111854
1 hour ago

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196980%2fhow-do-exploit-developers-counter-control-flow-integrity-cfi-used-to-prevent-r%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

White Anglo-Saxon Protestant

Image
White Anglo-Saxon Protestants ( WASPs ) are a social group of wealthy and well-connected white Americans, of Protestant and predominantly British ancestry, who trace their ancestry to the American colonial period. Until at least the 1960s, this group has dominated American society and culture and dominated in the leadership of the Whig and Republican parties. They usually are very well placed in major financial, business, legal and academic institutions and had close to a monopoly of elite society due to intermarriage and nepotism. [1] During the latter half of the twentieth century, outsider ethnic and racial groups grew in influence and WASP dominance weakened. Americans are increasingly criticizing the WASP hegemony and disparaging WASPs as the epitome of "the Establishment". The Random House Unabridged Dictionary (1998) says the term is "Sometimes Disparaging and Offensive". [2] [3] The term WASP is often used as a pejorative to classify their historical dom...
Read more

BuddyTV

BuddyTV Owner David Niu, Andy Liu Created by Various contributors Website www.buddytv.com Launched July 31, 2007 Current status Offline BuddyTV was an entertainment-based website based in Seattle, Washington, which generated content about television programs and sporting events. The website published information about celebrity and related entertainment news through a series of articles, entertainment profiles, actor biographies and user forums. [1] On 31 December 2014, Smart TV manufacturer VIZIO acquired BuddyTV's parent Advanced Media Research Group, Inc., in order to expand content and service offerings. [2] The site was shut down on 22 May 2018. [3] Contents 1 History 2 Business model 3 Impact 4 See also 5 References 6 External links History BuddyTV was co-founded in 2005 by Andy Liu and David Niu. The pair graduated from the University of Pennsylvania with a Master of Business Administration. They sold their previous company, NetConversions, to aQuantive in 2004...
Read more

Conflict (narrative)

Image
Conflict in narrative comes in many forms. "Man versus man", such as is depicted here in the battle between King Arthur and Mordred, is particularly common in traditional literature, fairy tales and myths. [1] In works of narrative, conflict is the challenge main characters need to solve to achieve their goals. Traditionally, conflict is a major literary element that creates challenges in a story by adding uncertainty to if the goal would be achieved. A narrative is not limited to a single conflict. While conflicts may not always resolve in narrative, the resolution of a conflict creates closure or fulfillment, which may or may not occur at a story's end. Contents 1 Basic nature 2 Classification 2.1 Man against man 2.2 Man against nature 2.3 Man against self 2.4 Man against society 3 History 4 See also 5 References 6 External links Basic nature Conflict in literature refers to the different drives of the characters or forces involved. Conflict may be internal o...
Read more