Binary exploitation by confusing the unwinder

CHOP - Catch Handler Oriented Programming

This repository contains the source code release accompanying our paper "Let Me Unwind That For You: Exceptions to Backward-Edge Protection".

In a nutshell, CHOP is a binary exploitation technique that relies on confusing the unwinder when it operates on corrupted metadata (e.g., after a stack-based buffer overflow). This lets an attacker hijack control flow even with traditional backward-edge defenses, such as stack canaries or shadow stacks, in place: the unwinder decides where execution continues purely from the metadata it reads off the stack, and a function whose frame is unwound never reaches the epilogue in which its canary would have been checked.
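To make the metadata the unwinder trusts concrete, here is a small C++ program that walks its own stack through the Itanium C++ ABI unwinder API (_Unwind_Backtrace from libgcc or LLVM libunwind) and records, for every frame, the instruction pointer the unwinder recovered from the saved return address, the start of the function whose FDE that address selected, and whether the FDE carries an LSDA (the table of landing pads, i.e. cleanups and catch handlers). This is an added example, not code from the CHOP repository or paper; the function names, the constructed call chain and the GCC/Clang noinline attribute are assumptions of the example.

```cpp
// Added example (not from the CHOP repository or paper): inspect what the
// unwinder derives from each frame's metadata. Function names and the call
// chain below are constructed for this illustration.
#include <unwind.h>
#include <cinttypes>
#include <cstdint>
#include <cstdio>
#include <vector>

struct FrameInfo {
    uintptr_t ip;           // IP the unwinder recovered: a saved return address read from the stack
    uintptr_t region_start; // start of the function whose FDE matched that address
    bool has_lsda;          // that FDE carries a language-specific data area (landing pads)
};

// Callback invoked by _Unwind_Backtrace once per frame. Everything recorded
// here is derived from the return address the unwinder found on the stack:
// the FDE lookup, the region start and the LSDA are all keyed by that value.
static _Unwind_Reason_Code record_frame(struct _Unwind_Context* ctx, void* arg) {
    auto* frames = static_cast<std::vector<FrameInfo>*>(arg);
    FrameInfo fi;
    fi.ip = static_cast<uintptr_t>(_Unwind_GetIP(ctx));
    fi.region_start = static_cast<uintptr_t>(_Unwind_GetRegionStart(ctx));
    fi.has_lsda = _Unwind_GetLanguageSpecificData(ctx) != 0;
    frames->push_back(fi);
    return _URC_NO_REASON;
}

// Walks the stack from the caller of this function outward and returns one
// entry per frame the unwinder could describe. The first reported frame is
// walk_stack itself (the caller of _Unwind_Backtrace).
__attribute__((noinline)) static std::vector<FrameInfo> walk_stack() {
    std::vector<FrameInfo> frames;
    _Unwind_Backtrace(record_frame, &frames);
    return frames;
}

// Constructed call chain: walk_stack() is called from inside a try block, so
// this function's own FDE must carry an LSDA describing the catch(...) landing
// pad. Returns the number of frames whose metadata includes an LSDA, or -1 if
// the walk itself threw.
__attribute__((noinline)) int count_frames_with_handlers() {
    try {
        std::vector<FrameInfo> frames = walk_stack();
        int n = 0;
        for (const FrameInfo& f : frames) {
            std::printf("ip=0x%" PRIxPTR " region_start=0x%" PRIxPTR " lsda=%s\n",
                        f.ip, f.region_start, f.has_lsda ? "yes" : "no");
            if (f.has_lsda) ++n;
        }
        return n;
    } catch (...) {
        return -1;
    }
}

int main() {
    int n = count_frames_with_handlers();
    std::printf("%d frame(s) carry exception-handling metadata\n", n);
    return n > 0 ? 0 : 1;
}
```

Compile with `g++ -O2 unwind_walk.cpp` (or clang++) on a Linux/x86-64 host; no special flags are needed because GCC and Clang emit .eh_frame unwind tables for C++ by default. The point of the output is the chain of dependencies it makes visible: the unwinder takes a return address from the stack, maps it to an FDE, and from that FDE to an LSDA and its landing pads. Nothing in that lookup consults the stack canary, which is only verified in the epilogue of a function that returns normally, so corrupting the address the unwinder reads is enough to change which handler it selects.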

For more details, please read our paper or browse this repository!

Dataset

The crawler for our large-scale dataset is located in the analysis directory. However, if you want to replicate our work using the same dataset as in our paper, you can download our crawled packages directly here (~67GB).

Alternatively, you can download a mirror of our database directly here (~2.9GB) and, after unpacking it, import it with the pgsql_import.sh script. Be warned, though: this database was created at the beginning of the project and grew over time, so it may include outdated fields and tables that the current analysis scripts no longer use.

Citing

Our paper will be published at the Network and Distributed System Security Symposium (NDSS) 2023. Please use the following BibTeX entry to refer to our work:

@inproceedings{duta_chop_2023,
  title = {{Let Me Unwind That For You: Exceptions to Backward-Edge Protection}},
  booktitle = {{Symposium on Network and Distributed System Security (NDSS)}},
  author = {Duta, Victor and Freyer, Fabian and Pagani, Fabio and Muench, Marius and Giuffrida, Cristiano},
  year = {2023}
}

Black Hat Talk

We also presented our findings at Black Hat EU'22. The slides are available here; a recording will likely be made available at a later time.

Recon Talk

We presented exception-handling internals at Recon'22. These internals are useful background for understanding CHOP attacks. The recording is available here and the slides here.