Overwriting the Exception Handling Cache PointerDwarf Oriented Programming

Presented at DEF CON 20 (2012), Unknown date/time (Unknown duration)

This presentation describes a new technique for abusing the DWARF exception handling architecture used by the GCC tool chain. This technique can be used to exploit vulnerabilities in programs compiled with or linked to exception-enabled parts. Exception handling information is stored in bytecode format, executed by a virtual machine during the course of exception unwinding and handling. We show how a malicious attacker could gain control of those structures and inject bytecode for malicious purposes. This virtual machine is actually Turing-complete, which means that it can be made to run arbitrary attacker logic.


  • Rodrigo Rubira Branco - Vulnerability & Malware Research Labs, Qualys
    Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previously, as the Chief Security Research at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT) also working in the IBM Toolchain (Debugging) Team for PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. Accepted speaker in lots of security and open-source related events as H2HC, HITB, XCon, VNSecurity, OLS, DEF CON, Hackito, Ekoparty, Troopers and others.
  • Sergey Bratus - Research Ass't Professor, Comp. Science, Dartmouth College
    Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He tries to help fellow academics to understand the value and relevance of hacker research. He enjoys wireless and wired network hacking, kernel rootkits and hardening patches, and spoke on various topics at Shmoocon, Toorcon, DEF CON, and Black Hat. He has a Ph.D. in Mathematics from Northeastern University, and worked at BBN Technologies on natural language processing research before coming to Dartmouth. Twitter: @sergeybratus
  • James Oakley - Programmer
    James Oakley came to computer programming by way of microcontroller programming. He enjoys hands-on work with low level systems. His interests include computer graphics, digital electronics, security, and operating systems. In his unprofessional time he enjoys backpacking, science fiction, and designing games. He graduated from the Computer Science program at Dartmouth College.