
Source Code and Backward Edge-based Protection Against Advanced Code Reuse Attacks

Supervisor(s): Paul Muntean
Status: finished
Topic: Integrity Measures (CFI etc.)
Author: Matthias Neumayr
Submission: 2018-02-15
Type of Thesis: Master's thesis / Bachelor's thesis

Description

Motivation

As the threat potential of Code-Reuse Attacks (CRAs) is rising (NVD, OSVDB and Security Focus rank control-flow hijacking vulnerabilities as the highest threat, see tables 3 and 4 in the IFIP SEC'16 paper), we want to develop a tool that can mitigate such state-of-the-art attacks (e.g., the attack dubbed Counterfeit Object-Oriented Programming (COOP) [8]). This attack is particularly hard to defend against since traditional Control Flow Integrity (CFI) [1] approaches are useless against it. Based on source code recompilation techniques, we want to harden the application binary in such a manner that it becomes very hard or even impossible for an attacker to perform her attack.

Task Description

Nowadays control-flow hijacking attacks represent the highest software-based security threat [16]. We want to develop a tool that can measure the exact attack surface reduction w.r.t. the Counterfeit Object-Oriented Programming (COOP) attack [8]. This attack is particularly hard to defend against since traditional Control Flow Integrity (CFI) [1] approaches and hardware-based shadow stacks [17] are useless against it. The goal of this research is first, to determine quantitatively how much the attack surface (the available gadgets [18], i.e., assembly code chunks) was reduced after binary hardening (e.g., after using the tool [9]), and second, which gadgets are still available for each indirect call site (qualitatively) before and after hardening. First, the tool [9] (code available) used for binary hardening will be modified such that it counts the locations in binary code where the tool inserts the checks. Second, we will use an LLVM pass [20] (code available) to detect all available COOP gadgets in the source of an open source application (the same programs as before) by recompiling those with the new pass in place. Third, the source will be compiled with LLVM and DWARF [19] information such that binary code can be easily mapped to source code lines. This information is useful for the previous step. Fourth, a series of open source gadget finding tools [13, 15, 14, 18] will be used. These will be tailored such that they can detect the COOP gadgets in a binary file, and the results will be compared to the gadgets found in steps 2 and 3. Thus, the overall idea of these steps is to map the hardened binary parts to source code in order to measure quantitatively (in percent) and qualitatively (per call site) the attack surface reduction w.r.t. COOP. Finally, for completeness we will test our approach with a series of server applications and web browsers (as in [9]) by measuring the attack surface reduction.
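The measurement the four steps build up to (per-call-site gadget sets before and after hardening, mapped back to source lines through DWARF, summarised as a percentage) can be sketched as a small accounting script. The following is an added illustration and not the thesis' tooling or the code of [9] or [20]: the gadget-finder output and the address-to-source table are constructed inline, standing in for what a real gadget finder and the DWARF line table would provide.

```python
"""Attack-surface accounting for COOP-style gadgets, before and after
binary hardening.  Added example, not the thesis' own tooling.

Assumptions (all constructed for this example):
- A gadget finder reports, per indirect call site, the binary addresses of
  the virtual-function gadgets reachable through that call.
- A DWARF line table maps binary addresses to source locations (the dict
  below stands in for addr2line / libdwarf output).
"""

# Constructed stand-in for DWARF .debug_line lookups: address -> "file:line".
ADDR_TO_SRC = {
    0x401000: "shape.cpp:12",
    0x401040: "shape.cpp:27",
    0x401080: "circle.cpp:9",
    0x4010C0: "square.cpp:15",
    0x401100: "logger.cpp:42",
}

# Constructed gadget-finder output before hardening:
# indirect call site (source location) -> reachable gadget addresses.
BEFORE = {
    "render.cpp:55": {0x401000, 0x401040, 0x401080, 0x4010C0, 0x401100},
    "render.cpp:71": {0x401080, 0x4010C0, 0x401100},
}

# Same call sites after recompilation with the hardening checks in place;
# each site is now restricted to the targets the source permits.
AFTER = {
    "render.cpp:55": {0x401080, 0x4010C0},
    "render.cpp:71": {0x4010C0},
}


def map_to_source(addrs, table=ADDR_TO_SRC):
    """Translate gadget addresses to source locations.  Addresses missing
    from the line table are kept as hex so they never silently vanish
    from the report."""
    return sorted(table.get(a, hex(a)) for a in addrs)


def per_call_site(before, after):
    """Qualitative view: for every indirect call site, which gadgets the
    hardening removed and which remain reachable."""
    report = {}
    for site in sorted(set(before) | set(after)):
        b = before.get(site, set())
        a = after.get(site, set())
        if not a <= b:
            # A hardening pass must only shrink the target set; anything
            # reachable afterwards but not before indicates a broken run.
            raise ValueError(f"{site}: new targets after hardening: {a - b}")
        report[site] = {
            "removed": map_to_source(b - a),
            "remaining": map_to_source(a),
        }
    return report


def overall_reduction(before, after):
    """Quantitative view: percentage of (call site, gadget) pairs that are
    no longer reachable after hardening."""
    total = sum(len(s) for s in before.values())
    left = sum(len(s) for s in after.values())
    if total == 0:
        return 0.0
    return round(100.0 * (total - left) / total, 2)


if __name__ == "__main__":
    for site, entry in per_call_site(BEFORE, AFTER).items():
        print(site)
        print("  removed:  ", ", ".join(entry["removed"]) or "-")
        print("  remaining:", ", ".join(entry["remaining"]) or "-")
    print(f"overall reduction: {overall_reduction(BEFORE, AFTER)} %")
```

Counting (call site, gadget) pairs rather than distinct gadget addresses keeps the quantitative figure consistent with the per-call-site view: a gadget that stays reachable from one site but not another is only partially removed, and the percentage reflects that.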

Requirements

  • Very good C/C++ programming skills
  • LLVM refinement passes knowledge is a plus

Thesis Description and Work Plan

Thesis

Contact

Paul Muntean