
Research Article
eSROP Attack: Leveraging Signal Handler to Implement Turing-Complete Attack Under CFI Defense
@INPROCEEDINGS{10.1007/978-3-031-25538-0_39,
  author        = {Tianning Zhang and Miao Cai and Diming Zhang and Hao Huang},
  title         = {eSROP Attack: Leveraging Signal Handler to Implement Turing-Complete Attack Under CFI Defense},
  proceedings   = {Security and Privacy in Communication Networks. 18th EAI International Conference, SecureComm 2022, Virtual Event, October 2022, Proceedings},
  proceedings_a = {SECURECOMM},
  year          = {2023},
  month         = {2},
  keywords      = {Code reuse attack, SROP, Signal security},
  doi           = {10.1007/978-3-031-25538-0_39}
}
Authors:
- Tianning Zhang
- Miao Cai
- Diming Zhang
- Hao Huang
Year: 2023
SECURECOMM
Springer
DOI: 10.1007/978-3-031-25538-0_39
Abstract
Signal Return Oriented Programming (SROP) is a dangerous code reuse attack method. Recently, defense techniques have been proposed to defeat SROP attacks. In this paper, we leverage the signal nesting mechanism provided by current operating systems and propose a new variant of the SROP attack called enhanced SROP (eSROP). eSROP provides the ability to invoke arbitrary system calls, simulate Turing-complete computation, and even bypass fine-grained label-based CFI defenses, without modifying the return address or the instruction pointer register in the signal frame. Because the signal handler returns to the interrupted instruction, a shadow stack defense can hardly detect our attack. Signals are highly flexible and can interrupt the normal control flow; we leverage this flexibility to design a new code reuse attack. To evaluate eSROP, we perform two exploits on two real-world programs, namely Proftpd and Wu-ftpd. In our attacks, adversaries can invoke arbitrary system calls and obtain a root shell. Both attacks succeed within 10 min under strict system defenses such as data execution prevention, address space layout randomization, and coarse-grained control flow integrity.