Exploitable weaknesses take many forms: an unprotected return address, a writable function pointer, or a local variable whose value steers control flow. Reaching deep into a program's execution and finding all such spots in a systematic, automatic way is challenging, yet essential.
In this work, we build a framework that couples a performance-monitoring-unit (PMU) based instrumentation tool with Spark-based big-data analysis to accomplish this task and to provide comprehensive results on the exploitability of Linux applications. The PMU-based tool is configured to raise a hardware interrupt at each occurrence of a selected event (indirect call, indirect jmp, ret, and so on) and to collect the surrounding context, including the code block, register values and page-table entries. The Spark-based analysis screens the large volume of data collected at runtime and searches it for exploitable spots according to defined policies.
We have demonstrated the effectiveness of this framework on the Windows platform by finding multiple Microsoft Control Flow Guard (CFG) bypass vulnerabilities. We focused on memory-based indirect calls and identified several types of CFG implementation flaws that lead to a bypass. (Microsoft acknowledgement: https://technet.microsoft.com/en-us/security/dn469163.aspx)
Here we extend the scope to the Linux platform and improve analysis coverage by (1) increasing the context data collected at each PMU interrupt and (2) increasing the number of screening policies.
With these improvements, more vulnerability types can be identified beyond memory-based indirect calls: code blocks that are both writable and executable (W^X bypass), exploitable register-based indirect calls and jumps, valid gadgets reachable from legal entry points, and others. The same data also lets us evaluate the effectiveness and residual risk of mitigations on Linux, such as the recently released Reuse Attack Protector (RAP) from grsecurity. RAP uses a compiler-implemented XOR stack canary to protect return addresses and type-based indirect-branch tracking to protect control flow. Aspects of the attack surface remain uncovered by these mechanisms, and this work provides results from which their residual risk can be assessed.
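As an added example (not the authors' framework or their policies), the following Python sketches the screening side of the pipeline described above: it decodes a sampled branch into the event kinds named in the abstract (indirect call, indirect jmp, ret) and tells register-based from memory-based operands, looks up page protections from a /proc/<pid>/maps text, and applies three illustrative policies (target page both writable and executable, memory-based indirect branch through a writable pointer slot, branch target outside the set of legal entry points) to a handful of records. In the real framework the records would come from PMU interrupts and the screening would run in Spark; everything here, including the record fields, the addresses, the entry set and the path /opt/app/bin, is constructed for illustration.

```python
"""Screening policies over constructed PMU-style branch records.

Added example, not the authors' tool. Each record stands in for the context
the abstract says is captured at a PMU interrupt: the bytes of the sampled
branch, where control went, and the pointer slot a memory-based branch read
its target from. Page protections come from a constructed /proc/<pid>/maps.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def classify_branch(code: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Decode just enough x86-64 to name the event and its operand kind.

    Returns ('call'|'jmp', 'register'|'memory'), ('ret', None), or
    (None, None) for anything outside the FF /2, FF /4 and C3/C2 forms.
    """
    if not code:
        return (None, None)
    i = 1 if 0x40 <= code[0] <= 0x4F else 0      # skip an optional REX prefix
    op = code[i]
    if op in (0xC3, 0xC2):                         # near ret / ret imm16
        return ("ret", None)
    if op != 0xFF or len(code) < i + 2:
        return (None, None)
    modrm = code[i + 1]
    mod, reg = modrm >> 6, (modrm >> 3) & 7
    event = {2: "call", 4: "jmp"}.get(reg)         # FF /2 near call, FF /4 near jmp
    if event is None:                              # far forms and non-branch /0 /1 /6
        return (None, None)
    return (event, "register" if mod == 3 else "memory")


def parse_maps(maps_text: str) -> List[Tuple[int, int, str]]:
    """Turn /proc/<pid>/maps lines into (start, end, 'rwx'-style perms)."""
    regions = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        regions.append((start, end, fields[1][:3]))
    return regions


def prot_of(addr: int, regions) -> str:
    """Permissions of the page holding addr, or '---' if unmapped."""
    for start, end, prot in regions:
        if start <= addr < end:
            return prot
    return "---"


@dataclass
class Sample:
    rip: int                    # address of the sampled branch
    code: bytes                 # its instruction bytes
    target: int                 # where control actually went
    slot_addr: Optional[int]    # pointer slot read by a memory-based branch, else None


def screen(s: Sample, regions, entries) -> List[str]:
    """Apply the three illustrative policies to one sample; return raised tags."""
    tags: List[str] = []
    event, operand = classify_branch(s.code)
    if event is None:
        return tags
    tprot = prot_of(s.target, regions)
    # Policy 1: control landed in a page that is writable and executable (W^X bypass).
    if "w" in tprot and "x" in tprot:
        tags.append("wx-target")
    if event in ("call", "jmp"):
        # Policy 2: function-pointer slot in writable memory; a read-only
        # (RELRO-style) slot is not flagged.
        if operand == "memory" and s.slot_addr is not None and "w" in prot_of(s.slot_addr, regions):
            tags.append("writable-pointer-slot")
        # Policy 3: target is not a known legal entry point, i.e. a gadget candidate.
        if s.target not in entries:
            tags.append("off-entry-target")
    return tags


def run_policies(samples, regions, entries) -> Dict[int, List[str]]:
    """Screen every sample, keyed by rip so findings tie back to the code."""
    return {s.rip: screen(s, regions, entries) for s in samples}


# Constructed maps for a hypothetical /opt/app/bin; the rwxp anonymous mapping is
# the kind of region a JIT or a careless mprotect() leaves behind.
MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/app/bin
00600000-00601000 r--p 00000000 08:01 1234 /opt/app/bin
00601000-00602000 rw-p 00001000 08:01 1234 /opt/app/bin
7f0000000000-7f0000001000 rwxp 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""
REGIONS = parse_maps(MAPS)
ENTRIES = {0x400700, 0x400800}                       # constructed legal entry points
SAMPLES = [
    Sample(0x400500, bytes.fromhex("ff15f00a2000"), 0x400700, 0x600010),  # call [rip+d], read-only slot
    Sample(0x400510, bytes.fromhex("ff15fa0a2000"), 0x400700, 0x601010),  # call [rip+d], writable slot
    Sample(0x400520, bytes.fromhex("ff6008"), 0x400712, 0x601020),        # jmp [rax+8], lands mid-function
    Sample(0x400530, bytes.fromhex("ffd0"), 0x7F0000000010, None),        # call rax into an rwx page
    Sample(0x400540, bytes.fromhex("c3"), 0x400800, None),                # ret; these policies say nothing
]

if __name__ == "__main__":
    for rip, tags in run_policies(SAMPLES, REGIONS, ENTRIES).items():
        print(f"{rip:#x}: {', '.join(tags) or 'clean'}")
```

The ret sample is deliberately left unflagged: a return-address policy would need the stack context (and, under RAP, the XOR canary state) that this sketch does not model, which is exactly the kind of record field the abstract says the Linux extension adds.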
In summary, the goal of this research is to provide both an approach and concrete results for identifying exploitable weaknesses in a systematic way. The framework provides both coverage and depth in security analysis, and it can be scaled up and customized for further research tasks.