Automated Multi-Architectural Discovery of CFI-Resistant Code Gadgets
arXiv - CS - Cryptography and Security. Pub Date: 2020-07-06, DOI: arxiv-2007.04116
Patrick Wollgast, Robert Gawlik, Behrad Garmany, Benjamin Kollenda, Thorsten Holz

Memory corruption vulnerabilities are still a severe threat for software systems. To thwart the exploitation of such vulnerabilities, many different kinds of defenses have been proposed in the past. Most prominently, Control-Flow Integrity (CFI) has received a lot of attention recently. Several proposals were published that apply coarse-grained policies with a low performance overhead. However, their security remains questionable as recent attacks have shown. To ease the assessment of a given CFI implementation, we introduce a framework to discover code gadgets for code-reuse attacks that conform to coarse-grained CFI policies. For this purpose, binary code is extracted and transformed to a symbolic representation in an architecture-independent manner. Additionally, code gadgets are verified to provide the needed functionality for a security researcher. We show that our framework finds more CFI-compatible gadgets compared to other code gadget discovery tools. Furthermore, we demonstrate that code gadgets needed to bypass CFI solutions on the ARM architecture can be discovered by our framework as well.

Updated: 2020-07-09