Measuring COOP Attack Surface Reduction
Abstract
Nowadays control-flow hijacking attacks represent the highest software-based security threat [16]. We want to develop a tool that can measure the exact attack surface reduction w.r.t. the Counterfeit Object-Oriented Programming (COOP) attack [8]. This attack is particularly hard to defend against, since traditional Control Flow Integrity (CFI) [1] approaches and hardware-based shadow stacks [17] are useless against it. In this research we want to measure the real attack surface reduction after a COOP mitigation tool [9] has been applied to a program binary by rewriting the binary. The goal of this research is, first, to determine quantitatively how much the attack surface (the available gadgets [18], i.e. assembly code chunks) was reduced after binary hardening and, second, to determine qualitatively which gadgets are still available for each indirect call site before and after hardening. First, the tool [9] (code available) used for binary hardening will be modified such that it counts the locations in the binary code where it inserts checks. Second, we will use an LLVM pass [20] (code available) to detect all available COOP gadgets in the source of an open source application (the same programs as before) by recompiling it with the new pass in place. Third, the source will be compiled with LLVM and DWARF [19] information such that binary code can be easily mapped to source code lines. This information is useful for the previous step. Fourth, a series of open source gadget finding tools [13, 15, 14, 18] will be used. These will be tailored such that they can detect the COOP gadgets in a binary file and compare them to the gadgets previously found in steps 2 and 3. Thus, the overall idea of these steps is to map the hardened binary parts to source code in order to measure the attack surface reduction w.r.t. COOP quantitatively (in percent) and qualitatively (per call site).
Finally, for completeness, we will test our approach on a series of server applications and web browsers (as in [9]) by measuring the attack surface reduction.
Publication date: 2016