Control-flow graphs for Automatic-Exploit Generation (completed)

Starting Date:
Prerequisites:
Will results be assigned to University: No

Research in binary exploitation has shifted over the years. With more accurate and practical implementations of Control-flow Integrity (CFI) [1][2], the question arises as to what attack surface remains – and how it can be exploited. In particular, what attacks are still possible while staying within the boundaries of a (perfect) CFI policy, or even without modifying any control data (saved instruction pointers, function pointers, etc.)?

This project aims to gain a better view of various CFI implementations by automatically constructing control-flow graphs of binaries under different CFI policies. angr [3], which already provides a comprehensive set of analysis tooling, will be used as the framework for building these control-flow graphs.

The project starts with building a control-flow graph of a program restricted by arity: a callsite that calls a function with 3 arguments may only target functions that expect 3 arguments. Building on this, more fine-grained policies can be applied, such as matching variable types or adding context sensitivity.
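As an added illustration (not part of the original proposal, and not angr code): a small Python model of the arity policy described above, extended with the stricter type-signature policy, showing how much each policy shrinks the set of indirect-call edges compared to an unrestricted graph. The functions, addresses and argument types are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Function:
    name: str
    addr: int
    arg_types: tuple            # declared parameter types, e.g. ("int", "char*")
    address_taken: bool = True  # only address-taken functions are plausible indirect targets

@dataclass(frozen=True)
class CallSite:
    addr: int
    arg_types: tuple  # types of the arguments passed at this indirect call

# Constructed sample program model; names and addresses are hypothetical.
FUNCS = [
    Function("handle_request", 0x401000, ("int", "char*")),
    Function("log_message", 0x401200, ("char*",)),
    Function("compare", 0x401400, ("int", "int")),
    Function("cleanup", 0x401600, ()),
    Function("internal_helper", 0x401800, ("int", "int"), address_taken=False),
]
CALLSITES = [
    CallSite(0x402010, ("int", "char*")),
    CallSite(0x402080, ("int", "int")),
    CallSite(0x4020f0, ()),
]

def targets_unrestricted(callsite, funcs):
    """Coarsest policy: any address-taken function is a valid target."""
    return {f.addr for f in funcs if f.address_taken}

def targets_by_arity(callsite, funcs):
    """Arity policy: the target must expect exactly as many arguments as are passed."""
    return {f.addr for f in funcs if f.address_taken and len(f.arg_types) == len(callsite.arg_types)}

def targets_by_signature(callsite, funcs):
    """Finer policy: parameter types must match the passed argument types exactly."""
    return {f.addr for f in funcs if f.address_taken and f.arg_types == callsite.arg_types}

def build_indirect_edges(callsites, funcs, policy):
    """Indirect CFG edges under a policy: {callsite_addr: frozenset(target_addrs)}."""
    return {cs.addr: frozenset(policy(cs, funcs)) for cs in callsites}

def policy_summary(callsites, funcs, policy):
    """Return (edges kept, edges under the unrestricted policy); fewer kept = tighter CFG."""
    kept = sum(len(t) for t in build_indirect_edges(callsites, funcs, policy).values())
    total = sum(len(t) for t in build_indirect_edges(callsites, funcs, targets_unrestricted).values())
    return kept, total
```

Note that under the arity policy the two-argument callsite at 0x402080 still has handle_request as an allowed target even though its parameter types differ; only the signature policy removes that edge.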

This project contributes to security research in the wider community and takes a step toward automating the creation of such exploits, commonly referred to as Automatic Exploit Generation (AEG) [4]. The project is looking for a skilled candidate with experience in C/C++ and assembly (x86/x86-64) on Linux-based executables. Other useful skills include prior use of control-flow graphs, angr, DWARF debug information and/or static and dynamic analysis techniques.

[1] https://nebelwelt.net/blog/20160913-ControlFlowIntegrity.html
[2] https://www.microsoft.com/en-us/research/wp-content/uploads/2005/11/ccs05.pdf
[3] https://angr.io/
[4] T. Avgerinos et al., Automatic Exploit Generation, Commun. ACM, 2014, https://dl.acm.org/doi/pdf/10.1145/2560217.2560219?download=true