Understanding Code-Reuse Attacks and Reducing Attack Surface

Frank Wang
MIT Security Seminar
Oct 20, 2017

Georgios Portokalidis came to MIT to talk about his recent work on understanding code-reuse attacks.

What is a code-reuse attack? It is an attack that repurposes existing components: in particular, it repurposes code already present in the process to perform arbitrary computations. Code reuse is commonly used to exploit control-flow hijacking vulnerabilities, memory corruption bugs that allow an attacker to take over a code pointer. It is an old technique that gained popularity because data-execution prevention (DEP) techniques rule out the simpler option of injecting new code. For more information about these types of attacks, I refer you to the Wikipedia entry.

One way to mitigate this class of vulnerability is control-flow integrity (CFI), which restricts indirect (aka implicit) control-flow transfers to the targets allowed by the program's control-flow graph. However, code reuse is still possible under CFI: the gadgets become larger and may have side effects. Even more fine-grained versions of CFI remain vulnerable, as a series of papers has demonstrated. Although CFI is not a silver bullet, it does make life harder for attackers. Code-pointer integrity is another great approach that helps mitigate this problem, and is a more “complete” version of CFI.

Some files/gadgets that can be used for code-reuse attacks

One main insight is that large software is “bloated”: much of the library code linked into an application is never used by it.

There are multiple benefits to “debloating” software. First, it reduces the amount of code available for code-reuse attacks. Second, it assists other defenses: it reduces the number of control-flow edges that coarse-grained CFI must allow, and it reduces the amount of code that re-randomization techniques need to move.

However, there are still some challenges. First, it is difficult to obtain correct and complete disassembly; they rely on the symbol information commonly available in modern OSes, and they assume that binaries are neither obfuscated nor malicious. Second, resolving all function call targets is hard, but they can use the relocation information present in binaries compiled to support ASLR.
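To make the two points above concrete (unused library code as attack surface, and relocation information as a way to find call targets that direct-call analysis misses), here is an added example of my own; it is not code from the talk or from any tool the speaker described. It runs a reachability analysis over a constructed call graph: `DIRECT_CALLS` stands in for callees recovered from disassembly, `ADDRESS_TAKEN_IN` for address-taken functions recovered from relocation entries, and `INDIRECT_CALL_SITES` for the number of indirect call sites per function. All three tables, the function names and the numbers are invented for the demonstration. It then counts how many indirect-call edges a coarse-grained CFI policy (any indirect call site may reach any address-taken function) must permit before and after debloating.

```python
"""Reachability-based debloating over a constructed call graph.

Editor's example, not code from the talk. The call graph, address-taken
list and indirect-call-site counts below are constructed to mimic what a
binary analysis would recover from symbols, disassembly and relocations.
"""
from collections import deque

# Constructed: direct-call edges, caller -> callees found in disassembly.
DIRECT_CALLS = {
    "main": ["parse_args", "lib_open", "lib_read"],
    "parse_args": ["lib_strlen"],
    "lib_open": ["lib_alloc"],
    "lib_read": ["lib_alloc", "lib_memcpy"],
    "lib_alloc": [],
    "lib_memcpy": [],
    "lib_strlen": [],
    # Library code the application never reaches (the "bloat").
    "lib_exec": ["lib_alloc"],
    "lib_system": ["lib_exec"],
    "lib_printf_impl": ["lib_strlen"],
    "lib_sort": ["lib_cmp_default"],
    "lib_cmp_default": [],
    "lib_hook": [],
}

# Constructed: address-taken functions, keyed by the function whose code
# forms the pointer (where the relocation lives). Each is a potential
# indirect-call target that direct-call analysis alone would miss.
ADDRESS_TAKEN_IN = {
    "lib_read": ["lib_hook"],          # callback registered at read time
    "lib_sort": ["lib_cmp_default"],   # default comparator for lib_sort
}

# Constructed: number of indirect call sites inside each function.
INDIRECT_CALL_SITES = {"lib_read": 1, "lib_sort": 1, "lib_printf_impl": 2}


def all_functions(direct_calls, address_taken_in):
    """Every function named anywhere in the recovered tables."""
    fns = set(direct_calls)
    for callees in direct_calls.values():
        fns.update(callees)
    for targets in address_taken_in.values():
        fns.update(targets)
    return fns


def reachable_functions(entry, direct_calls, address_taken_in):
    """Functions reachable from `entry` by direct calls or address-taking.

    A function is kept if reachable code calls it directly or takes its
    address; the latter edges come from relocation information.
    """
    seen = {entry}
    work = deque([entry])
    while work:
        fn = work.popleft()
        for callee in direct_calls.get(fn, []) + address_taken_in.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                work.append(callee)
    return seen


def coarse_cfi_edges(kept, indirect_call_sites, address_taken_in):
    """Edges a coarse-grained CFI policy must allow for the kept code.

    Coarse-grained CFI lets any indirect call site reach any address-taken
    function, so the edge count is sites x targets over the kept functions.
    """
    sites = sum(n for fn, n in indirect_call_sites.items() if fn in kept)
    targets = {t for fn, ts in address_taken_in.items() if fn in kept for t in ts}
    return sites * len(targets)


def debloat_report(entry="main"):
    """Summarize removable code and the CFI edge reduction it buys."""
    everything = all_functions(DIRECT_CALLS, ADDRESS_TAKEN_IN)
    kept = reachable_functions(entry, DIRECT_CALLS, ADDRESS_TAKEN_IN)
    return {
        "total": len(everything),
        "reachable": len(kept),
        "removed": sorted(everything - kept),
        "cfi_edges_before": coarse_cfi_edges(everything, INDIRECT_CALL_SITES, ADDRESS_TAKEN_IN),
        "cfi_edges_after": coarse_cfi_edges(kept, INDIRECT_CALL_SITES, ADDRESS_TAKEN_IN),
    }


if __name__ == "__main__":
    for key, value in debloat_report().items():
        print(f"{key}: {value}")
```

Note that `lib_hook` is never called directly; without the relocation-derived edge it would be classified as bloat and removed, breaking the program at run time. That is exactly the reason the relocation information matters for correctness, while the drop in coarse-grained CFI edges (the product of remaining indirect call sites and remaining address-taken targets) is the defensive benefit the talk describes.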

Preliminary results

This is still work in progress, and the results look promising. I am excited to track this work and see what new results they have!

Investor at Dell Technologies Capital, MIT Ph.D in computer security and Stanford undergrad, @cybersecfactory founder, former @roughdraftvc