Smashing Virtual Function Pointers on the Heights of Elbrus

Presented at REcon 2023, June 10, 2023, 4:30 p.m. (30 minutes)

Elbrus is a 40-year-old Russian CPU family currently targeted at the Russian government and military market. This talk will use an old C++ virtual function pointer exploit technique as the basis for exploring Elbrus's instruction set architecture, which contains some unique features such as very long instruction words (VLIWs) and register windowing.

Elbrus is a Russian CPU architecture that first debuted in 1979. It was the first superscalar, out-of-order execution processor developed in the Soviet Union. The architecture was extended to a VLIW design with Elbrus 3 in 1990, and the current iteration is known as Elbrus 2000, or E2K for short. Elbrus is designed in Russia but currently manufactured by TSMC in Taiwan because of a lack of Russian production facilities capable of producing chips at advanced technology nodes. The Elbrus project comes from the Moscow Center of SPARC Technologies (now shortened to just MCST). MCST currently produces new Elbrus chips and Elbrus-based PCs, laptops, and servers. The Russian military has reportedly ordered thousands of ruggedized laptops based on the Elbrus-1S+, although there appears to be very little deployment of these systems, if any.

There is currently very little public documentation on Elbrus because MCST controls most documentation under nondisclosure agreements. This means we don't have full processor documentation like we normally would for a commercial CPU, but there are a few public resources. Thanks to a good neighbor we also had access to an Elbrus-1S+ machine and used it to play around with some code examples. This machine has a compiler called lcc, which is the MCST compiler based on gcc. The options for disassembly at the moment are limited to ldis, which is part of lcc, and objdump, which is part of the binutils package put out by the OpenE2K group.

In Phrack no. 56 (circa AD 2000), "rix" published "Smashing C++ VPTRs." This was a natural follow-on to the classic "Smashing the Stack for Fun and Profit" by Aleph One (Phrack no. 49, 1996). rix's article demonstrated how stack smashing could be used to exploit C++ programs when objects that have virtual function pointers (VPTRs) are created on the stack. It turns out this technique is still quite usable despite newer security mitigations. So we first updated "Smashing C++ VPTRs" for 64-bit x86, and then compiled it with lcc. Recompiling for Elbrus "just worked." We'll use disassembled snippets from this example to explore the Elbrus architecture. The talk will cover the VLIW instruction formatting, the basic instruction set, register windowing, calls and branches, and the hidden Elbrus call stack.

Presenters:

  • evm
    evm is a reverse engineer and member of the Principal Staff at the Johns Hopkins University Applied Physics Laboratory (JHU/APL). He started out reversing in the Windows internals & trusted computing world, and now spends more time in embedded devices. His research interest is in accelerating software RE with architecture-agnostic methods. At APL he is the editor-in-chief of the internal 'zine devoted to RE and vulnerability research. In the real world he can sometimes be seen booklegging PoC || GTFO. He contributed to Symgrate (http://symgrate.com) and created the ALLSTAR dataset for cross-architecture RE research (https://allstar.jhuapl.edu). Chicken farmer and Jesus freak.

Links: