control-flow integrity

Complete

Summary

Attacks

  • overwrite existing portion of code
    [figure: two memory layouts at addresses 1002 to 1009, each containing a "branch to 1008" instruction; in the first, 1008 holds normal code, in the second the same cells have been overwritten with malicious code]
  • replace memory location used by direct jump
    [figure: memory at addresses 1002 to 1006, then "...", then 6000; cell 1004 holds "branch to 6000" and 6000 holds "other code"]
  • replace memory location used by indirect jump
    [figure: memory at addresses 1002 to 1006, "...", 3000, "...", 6000; a cell holds "branch to (3000)", whose target is read from location 3000; cell 3000 holds the value 6000 and 6000 holds "other code"]

hijacking indirect jumps is called stack smashing
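Control-flow integrity counters the indirect-jump attack above by checking, before the branch is taken, that the fetched target is one the program is allowed to reach. The C program below is an added example, not code from these notes: it guards an indirect call through a function pointer with a table of permitted targets. The handler functions, the table and the guard are assumptions for illustration; a real CFI implementation derives the allowed set from the program's control-flow graph.

```c
/* Added example (not from the original notes): a minimal forward-edge
 * control-flow integrity check. Before an indirect call is made through a
 * function pointer, the target is compared against a fixed table of addresses
 * the call site is allowed to branch to. A pointer that was overwritten to
 * point anywhere else is refused instead of being called. */
#include <stdio.h>
#include <stddef.h>

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Allowed indirect-branch targets for this call site. Written by hand here
 * (assumption for the example); a real scheme derives it from the CFG. */
static const handler_t allowed_targets[] = { double_it, negate };
#define N_ALLOWED (sizeof allowed_targets / sizeof allowed_targets[0])

/* Returns 1 if target is a legitimate destination for the indirect call. */
int cfi_target_allowed(handler_t target) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed_targets[i] == target) return 1;
    return 0;
}

/* Guarded indirect call: sets *ok to 1 and returns target(arg) when the
 * target passes the check, otherwise sets *ok to 0 and never branches. */
int checked_indirect_call(handler_t target, int arg, int *ok) {
    if (!cfi_target_allowed(target)) { *ok = 0; return 0; }
    *ok = 1;
    return target(arg);
}

/* A function that is never a valid target for this call site; stands in for
 * whatever address a corrupted pointer might hold. */
static int not_a_handler(int x) { return x + 1000; }
handler_t bogus_target(void) { return not_a_handler; }

int main(void) {
    int ok;
    int r = checked_indirect_call(negate, 5, &ok);
    printf("negate(5): ok=%d result=%d\n", ok, r);
    checked_indirect_call(bogus_target(), 5, &ok);
    printf("corrupted pointer: ok=%d (call refused)\n", ok);
    return 0;
}
```

The check compares the fetched value against the allowed set rather than trusting it; the set is what the integrity policy is, and the comparison sits on the edge the attacker would otherwise redirect.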

Attacker’s goals

  • compromise execution integrity
  • run malicious code

Concept

Control flow

  • by default, the program counter (PC) is incremented to the next instruction
  • direct branch - PC replaced by a constant value specified in the instruction, i.e. branch or jump
  • indirect branch - PC replaced by a value fetched from memory

Call stack

  • LIFO
  • exists in memory
  • stack pointer ($rsp) indexes the top of the stack
    [figure: stack frame, top to bottom: ..., parameters, ra, fp (pointed to by $rbp), local variables (pointed to by $rsp)]

simplified for cs2107

Calling functions

  • elements pushed onto the stack
    1. parameters
    2. return address (the value of the PC at the call instruction)
    3. previous frame pointer
    4. local variables
  • jump to function and execute
  • pop all the elements
  • jump to return address
```c
int foo(int a) {
	int b = 253;        /* local variables, pushed after the saved frame pointer */
	int c = 254;
	return a + b + c;   /* foo is declared int, so it must return a value */
}

int main() {
	foo(3);             /* pushes a = 3, the return address and the previous frame pointer */
	return 0;
}
```
[figure: stack for foo(3), top to bottom: ..., a = 3, ra, fp (pointed to by $rbp), b = 253, c = 254 (pointed to by $rsp)]

similar to the stack in the environment model; for stack memory specifics see stack memory
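To make the four pushes and the matching pops concrete, the following C program is an added example (not code from these notes or from cs2107) that models the stack as an array of words and walks through foo(3): it pushes the parameter, the return address, the previous frame pointer and the two locals in exactly the order listed above, then pops them on return. It also keeps a shadow copy of each return address, the usual backward-edge CFI defence, so that a return address overwritten on the stack is refused instead of being jumped to. The call-site address 0x1005, the value 0x6000 written into the slot and the word-sized cells are constructed for the example.

```c
/* Added example (not from the original notes): a toy model of the call stack.
 * The stack is an array of 64-bit words indexed by a simulated stack pointer;
 * a call pushes parameters, the return address, the previous frame pointer and
 * local variables in that order, and a return pops them. A shadow stack holds
 * a second copy of each return address so that tampering is detected before
 * the address is used. Layout and addresses are constructed, not a real ABI. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 64

typedef struct {
    uint64_t mem[STACK_WORDS];    /* stack memory; index STACK_WORDS-1 is the highest address */
    int rsp;                      /* index of the top of the stack (grows toward lower indices) */
    int rbp;                      /* index of the current frame pointer (saved fp slot) */
    uint64_t shadow[STACK_WORDS]; /* shadow stack of return addresses */
    int shadow_top;
} machine_t;

void machine_init(machine_t *m) {
    memset(m, 0, sizeof *m);
    m->rsp = STACK_WORDS;         /* empty stack: rsp points one past the highest slot */
    m->rbp = STACK_WORDS;
    m->shadow_top = 0;
}

static void push(machine_t *m, uint64_t v) { m->mem[--m->rsp] = v; }
static uint64_t pop(machine_t *m) { return m->mem[m->rsp++]; }

/* Simulates `call`: pushes params, return address, saved fp, then locals.
 * Returns the index $rsp holds inside the callee (its lowest local). */
int sim_call(machine_t *m, const uint64_t *params, int nparams,
             uint64_t ret_addr, const uint64_t *locals, int nlocals) {
    for (int i = nparams - 1; i >= 0; i--) push(m, params[i]); /* 1. parameters */
    push(m, ret_addr);                                          /* 2. return address */
    m->shadow[m->shadow_top++] = ret_addr;                      /*    shadow copy */
    push(m, (uint64_t)m->rbp);                                  /* 3. previous frame pointer */
    m->rbp = m->rsp;
    for (int i = 0; i < nlocals; i++) push(m, locals[i]);       /* 4. local variables */
    return m->rsp;
}

/* Simulates `ret`: discards locals, restores fp, pops the return address and
 * compares it with the shadow copy. Returns the return address, or 0 when the
 * shadow stack shows it was tampered with. */
uint64_t sim_ret(machine_t *m, int nparams) {
    m->rsp = m->rbp;                              /* discard locals */
    m->rbp = (int)pop(m);                         /* restore previous frame pointer */
    uint64_t ra = pop(m);                         /* the address `ret` would jump to */
    uint64_t expected = m->shadow[--m->shadow_top];
    m->rsp += nparams;                            /* caller discards the parameters */
    return ra == expected ? ra : 0;
}

/* Index of the return-address slot of the current frame: one above the saved fp. */
int ret_addr_slot(const machine_t *m) { return m->rbp + 1; }

/* Scenario from the notes: main calls foo(3) from constructed address 0x1005;
 * foo has locals b = 253 and c = 254. With intact == 0 the return-address slot
 * is overwritten with 0x6000 before the return, which is what a write running
 * past the locals into the saved return address does. */
uint64_t run_scenario(int intact) {
    machine_t m;
    machine_init(&m);
    uint64_t params[] = { 3 };
    uint64_t locals[] = { 253, 254 };
    sim_call(&m, params, 1, 0x1005, locals, 2);
    if (!intact) m.mem[ret_addr_slot(&m)] = 0x6000;
    return sim_ret(&m, 1);
}

int main(void) {
    printf("intact frame returns to   0x%llx\n", (unsigned long long)run_scenario(1));
    printf("tampered frame returns to 0x%llx (0 = refused)\n", (unsigned long long)run_scenario(0));
    return 0;
}
```

After sim_call the words from the highest index downward are a = 3, ra, saved fp, b = 253, c = 254, the same top-to-bottom order as the frame drawn above; ret_addr_slot marks the word that an overflow of the locals reaches once it has passed the saved frame pointer.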

Extra

TikZ template for drawing memory frames

```latex
\documentclass{standalone}
\usepackage{tikz}
\usetikzlibrary{positioning,arrows.meta}
\def\frameh{8mm}
\begin{document}

\begin{tikzpicture}[
    thick,
    frame/.style={draw, minimum width=3cm, minimum height=\frameh, align=center, node distance=0}
]

% Memory cells, addresses increasing downward. \addr holds the cell's
% address (do not reuse \label here: it is LaTeX's own cross-reference macro)
\foreach \i [evaluate=\i as \addr using int(1002+\i)] in {0,...,4} {
    \node[label=left:{\addr},frame] (f\i) at (0,-\frameh*\i) {};
}

% Elided region, then the far-away target cell
\node[frame] (f5) at (0,-\frameh*5) {};
\node[left=0.5 of f5] {...};
\node[frame] (f6) at (0,-\frameh*6) {};
\node[left=0.5 of f6] {6000};

% Cell contents
\node at(f2) {branch to $\color{red}{6000}$};
\node at(f6) {other code};

% Control flow: sequential, sequential, then the branch
\draw[->,cyan] (f0.east) to[bend left=75] (f1.east);
\draw[->,cyan] (f1.east) to[bend left=75] (f2.east);
\draw[->,cyan] (f2.east) to[bend left=75] (f6.east);

\end{tikzpicture}
\end{document}
```

TikZ template for drawing stack frames

```latex
\documentclass{standalone}
\usepackage{tikz}
\usetikzlibrary{positioning,arrows.meta}
\def\frameh{8mm}
\begin{document}

\begin{tikzpicture}[
    thick,
    frame/.style={draw, minimum width=3cm, minimum height=\frameh, align=center, node distance=0}
]

% Stack frames (grows downward): negative y so that f0 is the top slot
% and f5, where $rsp points, is the bottom one
\foreach \i in {0,...,5} {
    \node[frame] (f\i) at (0,-\frameh*\i) {};
}

% Slot contents, top to bottom: caller's frame, parameter, return address,
% saved frame pointer, locals
\node at(f0) {...};
\node at(f1) {a = 3};
\node at(f2) {ra};
\node at(f3) {fp};
\node[right=of f3] (rbp) {$\$$rbp};
\draw[->] (rbp) -- (f3);
\node at(f4) {b = 253};
\node at(f5) {c = 254};
\node[right=of f5] (rsp) {$\$$rsp};
\draw[->] (rsp) -- (f5);

\end{tikzpicture}
\end{document}
```