[llvm-dev] llvm cfi
慕冬亮 via llvm-dev
llvm-dev at lists.llvm.org
Mon Aug 31 22:10:27 PDT 2015
2015-09-01 11:38 GMT+08:00 John Criswell <jtcriswel at gmail.com>:
> On 8/31/15 10:43 PM, 慕冬亮 via llvm-dev wrote:
> I want to create an experiment to show the effectiveness of CFI:
> For example,
> I first need a program with a vulnerability so that we can hijack its
> control flow;
> then I enforce the CFI of LLVM and we can't hijack its control flow.
> Do you have any advice for me?
> The CFI implementation we updated to work with x86-64 for the KCoFI
> project is available at https://github.com/jtcriswell/SVA. You'll need
> to create the exploit code (and potentially the vulnerability) yourself.
> If you read the literature on CFI and memory safety (some of which is
> cataloged at http://sva.cs.illinois.edu/menagerie), you should be able to
> find programs and vulnerabilities that have been used in such experiments.
I think there are lots of program fragments in the literature. Is there any
complete program to show that CFI can protect control flow?
It's just a basic theory display, not an academic paper!
> That said, doing an experiment will not show that CFI is effective; it
> will only show that CFI stops that one particular attack that you are
> demonstrating. While this was done in past research papers, it was only
> done because it was one of the few methods of evaluating CFI available.
> More recent work is showing the deficiencies of evaluating CFI in this way
> (in a nutshell, simple CFI defenses can be thwarted).
> Determining how to measure the effectiveness of defenses against
> code-reuse attacks (such as Return-Oriented programming, Return to Libc
> attacks, and Non-Control data attacks)
I don't think Non-Control data attacks are a kind of code-reuse attack. It
is better to call them Data-Oriented attacks.
> is an active area of research. My students and I are working to devise
> methods of evaluating defenses, but as the work is in its very early
> stages, that's all I can say about it at present.
> This is an interesting topic I think.
Thank you for your reply.
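The kind of demonstration asked about above boils down to one thing: an indirect call whose target has been redirected, and a forward-edge check that refuses the jump. The following is an added illustration, not code from SVA, KCoFI, or LLVM's own CFI pass: it models the forward-edge check in plain C by keeping a constructed whitelist of the functions that may legitimately be reached through a `handler_fn` pointer, roughly what clang's `-fsanitize=cfi-icall` derives from type signatures at link time. The names `cfi_checked_call`, `cfi_target_allowed`, `double_it`, `negate_it` and `shutdown_system` are all assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>

/* Software model of a forward-edge CFI check (added example, not from
 * SVA/KCoFI or clang). An indirect-call site may only reach functions in
 * the equivalence class of its expected type, which is what
 * -fsanitize=cfi-icall enforces by signature at the machine level. */

typedef int (*handler_fn)(int);

static int double_it(int x) { return 2 * x; }
static int negate_it(int x) { return -x; }

/* Different signature: never a legitimate handler_fn target. */
static void shutdown_system(void) { puts("shutdown"); }

/* Constructed whitelist: every handler_fn target this program defines.
 * A real CFI pass computes this set from the whole-program type information. */
static const handler_fn valid_handlers[] = { double_it, negate_it };

/* Returns 1 if target is an allowed handler_fn, 0 otherwise. */
static int cfi_target_allowed(uintptr_t target) {
    size_t n = sizeof valid_handlers / sizeof valid_handlers[0];
    for (size_t i = 0; i < n; i++)
        if ((uintptr_t)valid_handlers[i] == target) return 1;
    return 0;
}

/* Enforced indirect call: check the target before jumping through it.
 * Returns 0 and stores the handler's result in *out on success, -1 if the
 * CFI check rejected the target (in which case nothing is called). */
static int cfi_checked_call(handler_fn fp, int arg, int *out) {
    if (!cfi_target_allowed((uintptr_t)fp)) {
        fprintf(stderr, "CFI violation: indirect call to %p rejected\n",
                (void *)(uintptr_t)fp);
        return -1;
    }
    *out = fp(arg);
    return 0;
}

int main(void) {
    int r = 0;

    /* Legitimate dispatch through the pointer: allowed. */
    if (cfi_checked_call(double_it, 21, &r) == 0)
        printf("double_it(21) = %d\n", r);

    /* A pointer that now refers to a function of the wrong type (the
     * situation memory corruption would leave behind) is refused before
     * control ever transfers. */
    handler_fn wrong_type = (handler_fn)shutdown_system;
    if (cfi_checked_call(wrong_type, 0, &r) != 0)
        puts("indirect call blocked by CFI check");

    return 0;
}
```

Without the check, `wrong_type(0)` would transfer control to `shutdown_system` despite the signature mismatch; with it, the call is refused and the program reports the violation. Compiling a real program with `clang -flto -fvisibility=hidden -fsanitize=cfi` inserts an equivalent check at every indirect call site automatically, and the experiment described in the thread consists of comparing the two builds on the same mismatched pointer.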