
A code-reuse attack named coroutine frame-oriented programming (CFOP) exploits C++ coroutines as compiled by the three major compilers, Clang/LLVM, GCC and MSVC. CFOP succeeds even in environments protected by control-flow integrity (CFI); the researchers show gaps in 15 CFI defense schemes.
Rather than injecting new code, CFOP chains together existing functions, achieving arbitrary code execution after corrupting coroutine-internal memory structures. The technique was discovered by researchers at the CISPA Helmholtz Center for Information Security, who are the first to study C++ coroutines from a security perspective.
Devising a novel code-reuse attack, CISPA researchers Marcos Sanchez Bajo and Professor Dr. Christian Rossow have demonstrated that all existing implementations of C++ coroutines can be exploited to bypass state-of-the-art CFI protections on both Linux and Windows. The attack, called coroutine frame-oriented programming (CFOP), starts from a heap-memory corruption that overwrites a coroutine's frame, letting attackers manipulate data and assume complete control over the application.
A relatively recent addition to C++ (standardized in C++20), coroutines are already present in more than 130 unique popular GitHub repositories. “They’re being used to pause and resume functions,” Bajo explains, “which is very useful for asynchronous programming, for example in servers, databases and web browsers.”
Connecting C++ coroutine functions to corrupt heap memory
In more concrete terms, coroutines can, for instance, be used to create generators that produce a sequence of elements. Imagine a Fibonacci series, where each new number is the sum of the two numbers before it. After yielding each number, the coroutine is paused, with its local variables saved in a heap-allocated frame, until it is resumed to generate the next one.
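The following is an added example, not code from the CISPA researchers or from any compiler: a hand-written C model of how a compiler lowers the Fibonacci generator described above into a heap-allocated frame plus a state machine. The frame layout (resume and destroy function pointers first, then the saved locals and the yielded value) is a simplification chosen for illustration and is not any compiler's exact ABI, although Clang and GCC do place the resume and destroy pointers at the start of the real frame. The names `fib_frame`, `fibonacci`, `handle_resume` and `first_fibs` are ours.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct fib_frame;
typedef void (*frame_fn)(struct fib_frame *);

/* Hypothetical coroutine frame for the Fibonacci generator. Everything the
 * paused function needs to continue lives in this heap object, including the
 * function pointers the runtime calls to resume or destroy it. */
struct fib_frame {
    frame_fn  resume;    /* called on every resume of the paused coroutine */
    frame_fn  destroy;   /* called when the coroutine object is destroyed */
    int       state;     /* 0 = not started yet, 1 = parked after co_yield */
    long long a, b;      /* the coroutine's locals, moved from stack to heap */
    long long current;   /* the "promise": last value yielded to the caller */
};

/* Generator body, rewritten as a state machine over the frame. */
static void fib_resume(struct fib_frame *f)
{
    if (f->state == 0) {             /* first resume: run from the top */
        f->a = 0;
        f->b = 1;
    } else {                         /* resumed after co_yield: advance */
        long long next = f->a + f->b;
        f->a = f->b;
        f->b = next;
    }
    f->current = f->a;               /* co_yield a; */
    f->state = 1;                    /* park at the yield point and return */
}

static void fib_destroy(struct fib_frame *f)
{
    free(f);
}

/* Calling the coroutine allocates its frame (the C++ operator new call) and
 * suspends before running any of the body (initial suspend). */
struct fib_frame *fibonacci(void)
{
    struct fib_frame *f = calloc(1, sizeof *f);
    if (!f)
        abort();
    f->resume = fib_resume;
    f->destroy = fib_destroy;
    return f;
}

/* The equivalent of coroutine_handle::resume()/destroy(): an indirect call
 * through a pointer stored in heap memory. Nothing validates where that
 * pointer points, which is why an overwrite of the frame matters. */
static void handle_resume(struct fib_frame *f) { f->resume(f); }
static void handle_destroy(struct fib_frame *f) { f->destroy(f); }

/* Pull the first n Fibonacci numbers out of the generator into out[]. */
int first_fibs(int n, long long *out)
{
    struct fib_frame *g = fibonacci();
    for (int i = 0; i < n; i++) {
        handle_resume(g);
        out[i] = g->current;
    }
    handle_destroy(g);
    return n;
}

/* Where the resume pointer sits inside the frame, and how big the frame is. */
size_t resume_slot_offset(void) { return offsetof(struct fib_frame, resume); }
size_t frame_size(void)         { return sizeof(struct fib_frame); }

int main(void)
{
    long long v[10];
    int n = first_fibs(10, v);
    for (int i = 0; i < n; i++)
        printf("%lld ", v[i]);
    printf("\nframe: %zu bytes, resume pointer at offset %zu\n",
           frame_size(), resume_slot_offset());
    return 0;
}
```

Reading the model, the security-relevant point of the article becomes concrete: every resume of a paused coroutine is an indirect call whose target is read from a heap allocation that also stores the function's ordinary data, so a heap corruption that reaches a frame can change what the next resume executes.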
In CFOP, entire C++ coroutines and other existing functions are used to create a code-reuse attack, as Bajo explains: “With code-reuse attacks in general, attackers take snippets of code that belong to the application anyway, so no new code is injected. They then form chains of these code snippets to manipulate the program’s execution flow. But bypassing CFI protections is a little more difficult. Instead of just taking snippets of code and creating chains, you have to take full coroutine functions and connect them in smart ways.”
Once the CFI protections are circumvented by hijacking a coroutine function in this…