Control flow integrity (CFI) has received significant attention in the community as a way to combat control-hijacking attacks in the presence of memory corruption vulnerabilities. The challenges in creating a practical CFI have resulted in the development of a new type of CFI based on runtime type checking (RTC). RTC-based CFI has been implemented in a number of recent practical efforts such as the GRSecurity Reuse Attack Protector (RAP) and LLVM-CFI. While there have been a number of previous efforts that studied the strengths and limitations of other types of CFI techniques, little has been done to evaluate RTC-based CFI. In this work, we study the effectiveness of RTC from the security and practicality aspects. From the security perspective, we observe that type collisions are abundant in sufficiently large code bases, but exploiting them to build a functional attack is not straightforward. We then show how an attacker can successfully bypass RTC techniques using a variant of ROP attacks that respects type checking (called TROP), and we also build two proof-of-concept exploits, one against the Nginx web server and the other against the Exim mail server. We also discuss the practical challenges of implementing RTC. Our findings suggest that while RTC is more practical for applying CFI to large code bases, its policy is not strong enough when facing a motivated attacker.
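As an added illustration of the RTC policy the abstract evaluates (constructed for this page, not code from the paper, RAP, or LLVM-CFI): every function is tagged with a hash of its prototype, and an instrumented indirect call site only transfers control to a target whose tag matches the signature it expects. The hash (FNV-1a over the prototype text), the function table and the function names are assumptions; the table shows why two handlers with the same prototype are a type collision the check cannot tell apart, while a target of another type is refused.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of runtime type checking (RTC) CFI, constructed for
 * illustration; it is not RAP's or LLVM-CFI's real implementation.
 * Each function is tagged with a hash of its prototype, and an
 * instrumented indirect call site only transfers control to a
 * target whose tag equals the hash of the signature it expects. */

#define CFI_VIOLATION (-0x7fffffff)

typedef int (*handler_t)(const char *);

/* FNV-1a over the prototype text, an assumed stand-in for the
 * compiler-computed type hash used by real RTC schemes. */
static uint32_t type_hash(const char *proto) {
    uint32_t h = 2166136261u;
    for (; *proto; proto++) { h ^= (uint8_t)*proto; h *= 16777619u; }
    return h;
}

static int log_request(const char *s)  { return (int)strlen(s); }
static int drop_request(const char *s) { (void)s; return -1; }
static void flush_cache(void)          { }

/* Constructed "binary": every function with its prototype tag */
struct fn_entry { const char *name; const char *proto; void (*code)(void); };
static const struct fn_entry binary[] = {
    { "log_request",  "int(const char*)", (void (*)(void))log_request },
    { "drop_request", "int(const char*)", (void (*)(void))drop_request },
    { "flush_cache",  "void(void)",       (void (*)(void))flush_cache },
};

/* RTC-instrumented call site that expects a handler_t target */
static int call_handler(const struct fn_entry *target, const char *arg) {
    if (type_hash(target->proto) != type_hash("int(const char*)"))
        return CFI_VIOLATION;                 /* transfer refused */
    return ((handler_t)target->code)(arg);
}

/* Size of the equivalence class a call site of this type accepts:
 * every member is a type collision the policy cannot tell apart. */
static int equivalence_class_size(const char *proto) {
    int n = 0;
    for (size_t i = 0; i < sizeof binary / sizeof binary[0]; i++)
        if (type_hash(binary[i].proto) == type_hash(proto)) n++;
    return n;
}
```

In a real code base the equivalence class of a common prototype is much larger than two, which is the abundance of collisions the abstract reports; a defender can count class sizes this way to see which call sites the policy constrains least.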