Control flow integrity support and scope


Dhammika Perera

Jun 28, 2022, 3:50:39 AM
to emscripten-discuss
Hi,
I have referred to the current implementation of CFI inside clang.

Sounds like they only support CFI for indirect function calls (like class-based virtual member functions, function pointers, etc.).

So through reverse engineering anybody can change the call flow inside a function by simply injecting some call inside a function body, changing its disassembly (through the .wat format, and using the wat2wasm utility to convert it back to wasm).

I have injected some code like that into a -fsanitize=cfi compiled binary, and I was able to build it back and run it without any exceptions.

So currently the CFI implementation only supports indirect calls? No support for direct function calls?


>>
#include <stdio.h>
#include <stdlib.h>

/* Two leaf functions; the point of the test is which of them gets called. */
int A()
{
  printf("A\n");
  return 0;
}
int B()
{
  printf("B\n");
  return 0;
}

/* Only ever calls A() directly; a `call B` injected here is the tampering in question. */
int callAOnly()
{
    A();
    return 0;
}

int main()
{
    callAOnly();
    B();
    return 0;
}
>>
So using the wasm2wat and wat2wasm utilities I can inject a call to B() inside callAOnly() and break the integrity. My question is: is that kind of direct function call integrity checking still not implemented in the CFI implementation of the emscripten toolchain? Or is this outside the scope of CFI, so I may have to use other techniques like a checksum? But the code segment can't be read in the WASM implementation, so a checksum is not possible.


Thanks,
Sandun.

Brion Vibber

Jun 28, 2022, 4:02:32 AM
to emscripten Mailing List
On Tue, Jun 28, 2022 at 12:50 AM Dhammika Perera <dhammikape...@gmail.com> wrote:
anybody can change the call flow inside a function by simply injecting some call inside a function body, changing its disassembly (through the .wat format, and using the wat2wasm utility to convert it back to wasm).

Yes, if you change the executable it may behave differently.
 
Or this is outside the scope of CFI

Yes.
 
so I may have to use other techniques like a checksum. But the code segment can't be read in the WASM implementation, so a checksum is not possible.

Checksum your binary before you load it.

-- brion