Hi,
I have referred to the current implementation of CFI inside clang.
It sounds like they only support CFI for indirect function calls (like class-based virtual member functions, function pointers, etc.).
So through reverse engineering anybody can change the call flow inside a function by simply injecting some call inside a function call, changing its disassembly (through the .wat format and using the wat2wasm utility to convert it back to wasm).
I have injected some code like that into a -fsanitize=cfi compiled binary and I was able to build it back and run it without any exceptions.
So currently the CFI implementation only supports indirect calls? No support for direct function calls?
>>
#include <stdio.h>
#include <stdlib.h>

int A()
{
    printf("A\n");
    return 0;
}

int B()
{
    printf("B\n");
    return 0;
}

/* Direct call to A(): this is the call site that was patched at the wasm level. */
int callAOnly()
{
    A();
    return 0;
}

int main()
{
    callAOnly();
    B();
    return 0;
}
>>
So using the wasm2wat and wat2wasm utilities I can inject a call to B() inside callAOnly() and break the integrity. My question is whether that kind of direct function call integrity checking is still not implemented in the CFI implementation of the emscripten toolchain? Or is this outside the scope of CFI, so I may have to use other techniques like a checksum. But the code segment can't be read in the WASM implementation, so a checksum is not possible.
Thanks,
Sandun.
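An added example (not part of the post above) contrasting the two call kinds the question is about: a direct call like the one in callAOnly(), which clang's CFI does not instrument, and an indirect call through a function pointer, which `-fsanitize=cfi-icall` does check (built with clang, `-flto` and `-fvisibility=hidden`). The names op_a, op_b, dispatch and dispatch_by_index are constructed for the example; it compiles and runs without the CFI flags as well.

```c
#include <stdio.h>

/* Constructed example, not code from the original post.
 * Under clang's -fsanitize=cfi-icall (needs -flto -fvisibility=hidden) the
 * indirect call in dispatch() is preceded by a check that the target is an
 * address-taken function of type `int (*)(int)`; a pointer pointing
 * anywhere else traps before the call. The direct call in call_a_only()
 * gets no such check: CFI assumes the code itself is not rewritten, which
 * is exactly the gap the post describes for a patched .wasm module. */

typedef int (*op_fn)(int);

static int op_a(int x) { return x + 1; }
static int op_b(int x) { return x * 2; }

/* Direct call: the target is fixed at link time, no runtime CFI check. */
int call_a_only(int x) {
    return op_a(x);
}

/* Indirect call: the only kind of call clang's CFI instruments. */
int dispatch(op_fn fn, int x) {
    return fn(x);
}

/* Table of legitimate targets selected by data, not by patched code. A
 * selector outside the table is refused rather than used as an index. */
int dispatch_by_index(int which, int x) {
    static const op_fn table[] = { op_a, op_b };
    int n = (int)(sizeof table / sizeof table[0]);
    if (which < 0 || which >= n)
        return -1;                 /* out-of-range selector */
    return dispatch(table[which], x);
}

int main(void) {
    printf("direct:   %d\n", call_a_only(1));          /* prints 2 */
    printf("indirect: %d\n", dispatch_by_index(1, 3)); /* prints 6 */
    return 0;
}
```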