Binary exploitation research has shifted over the years. With more accurate and practical implementations of Control-flow Integrity (CFI), the question arises as to what attack surface remains, and how it can be exploited. In particular, what attacks can still be performed while staying within the boundaries of a (perfect) CFI policy, or even without modifying any control data at all (saved return addresses, function pointers, vtable pointers, etc.)?
This project aims to gain a clearer picture of various CFI implementations by automatically constructing the control-flow graph a binary would have under each CFI policy, i.e. the set of indirect-call targets each policy still permits. angr will be used as the framework for building these graphs, since it already provides comprehensive tooling for loading binaries, recovering control-flow graphs and analysing calling conventions.
The project starts by building a control-flow graph restricted by arity: an indirect call site that passes 3 arguments may only target functions that expect 3 arguments. Building on this, more fine-grained policies can be layered on top, such as matching argument and parameter types, or adding context sensitivity (restricting targets based on the path taken to reach the call site).
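To make the policy comparison concrete, the following is an added example and not code from the project or from angr. It models the arity policy beside a type-matching policy over a small, constructed program description: the function list stands in for what would be recovered from DWARF (DW_TAG_subprogram with its DW_TAG_formal_parameter children) or from angr's CFG and calling-convention analysis, and the call sites stand in for the argument setup recovered at each indirect call. All function names, addresses and types are invented for illustration, and the example additionally assumes, as most CFI implementations do, that only address-taken functions are candidate targets at all.

```python
"""
Added example (not part of the project description): a model of how CFI
policies of increasing precision shrink the set of legal targets of each
indirect call site. No binary is parsed; the program description below is
constructed by hand and stands in for DWARF / angr output.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Function:
    name: str
    addr: int
    params: Tuple[str, ...]      # parameter type names, in declaration order
    address_taken: bool = True   # assumption: only address-taken functions are targets


@dataclass(frozen=True)
class CallSite:
    addr: int
    args: Tuple[str, ...]        # types of the arguments set up before the call


# Constructed sample: a handler table dispatched through a 3-argument callback
# and a single-argument logging hook. exec_cmd is an ordinary function of the
# program that merely shares the arity of the handlers.
FUNCTIONS: Tuple[Function, ...] = (
    Function("handler_read",  0x401000, ("int", "char*", "size_t")),
    Function("handler_write", 0x401040, ("int", "char*", "size_t")),
    Function("exec_cmd",      0x401080, ("char*", "char**", "char**")),
    Function("log_msg",       0x4010c0, ("char*",)),
    Function("cleanup",       0x4010f0, ()),
    Function("run_shell",     0x401120, ("char*",), address_taken=False),
)

CALLSITES: Tuple[CallSite, ...] = (
    CallSite(0x401200, ("int", "char*", "size_t")),   # e.g. call [rax+rcx*8]
    CallSite(0x401300, ("char*",)),                   # e.g. call rdx
)

# A policy decides whether one function is a legal target of one call site.
Policy = Callable[[CallSite, Function], bool]


def policy_address_taken(cs: CallSite, f: Function) -> bool:
    """Coarsest policy: every address-taken function is a legal target."""
    return f.address_taken


def policy_arity(cs: CallSite, f: Function) -> bool:
    """Arity policy: the target must expect exactly as many arguments as are passed."""
    return f.address_taken and len(f.params) == len(cs.args)


def policy_types(cs: CallSite, f: Function) -> bool:
    """Type policy: parameter types must match the argument types position by position."""
    return f.address_taken and f.params == cs.args


def allowed_targets(cs: CallSite, funcs: Sequence[Function], policy: Policy) -> FrozenSet[str]:
    """Names of the functions the call site may reach under the given policy."""
    return frozenset(f.name for f in funcs if policy(cs, f))


def build_icfg(callsites: Sequence[CallSite], funcs: Sequence[Function],
               policy: Policy) -> Dict[int, FrozenSet[str]]:
    """Indirect-call edges of the control-flow graph that the policy permits."""
    return {cs.addr: allowed_targets(cs, funcs, policy) for cs in callsites}


def edge_count(icfg: Dict[int, FrozenSet[str]]) -> int:
    """Total number of permitted indirect-call edges: a rough measure of policy precision."""
    return sum(len(targets) for targets in icfg.values())


def policy_only_targets(cs: CallSite, funcs: Sequence[Function],
                        coarse: Policy, fine: Policy) -> FrozenSet[str]:
    """Targets the coarse policy allows but the finer one rejects: the attack
    surface that is available under the coarse policy only."""
    return allowed_targets(cs, funcs, coarse) - allowed_targets(cs, funcs, fine)


if __name__ == "__main__":
    for label, pol in (("address-taken", policy_address_taken),
                       ("arity", policy_arity),
                       ("types", policy_types)):
        icfg = build_icfg(CALLSITES, FUNCTIONS, pol)
        print(f"{label:14s} edges={edge_count(icfg)}")
        for addr, targets in icfg.items():
            print(f"  {addr:#x} -> {sorted(targets)}")
    print("allowed by arity but not by types at 0x401200:",
          sorted(policy_only_targets(CALLSITES[0], FUNCTIONS, policy_arity, policy_types)))
```

Running it shows the point of the comparison: under the arity policy the dispatch at 0x401200 may still reach exec_cmd, because it takes three arguments, while the type policy rejects it; the non-address-taken run_shell is never a target under any of the three policies. In a real binary the argument count at an x86-64 System V call site is recovered from the argument registers written before the call, so it is a lower bound, and the types are harder still to recover, which is exactly where the DWARF and angr analyses come in.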
The resulting graphs support the wider security research community and are a step toward automating the construction of such exploits, commonly referred to as Automatic Exploit Generation (AEG) [Avgerinos et al., 2014]. This project is looking for a skilled candidate with experience in C/C++ and x86/x86-64 assembly on Linux executables. Other useful skills include prior work with control-flow graphs, angr, DWARF debug information and/or static and dynamic analysis techniques.
T. Avgerinos et al., "Automatic Exploit Generation", Communications of the ACM, 2014, https://dl.acm.org/doi/pdf/10.1145/2560217.2560219?download=true