Exploiting an uninitialized stack frame to manipulate control flow
The objective of this mission is to demonstrate arbitrary code execution through the use of uninitialized variables on the stack, despite CHERI protections. You will attack three different versions of the program:
-
A baseline RISC-V compilation, to establish that the vulnerability is exploitable without any CHERI protections.
-
A hardened CHERI-RISC-V compilation with stack clearing, which should be non-exploitable.
-
A baseline CHERI-RISC-V compilation with no stack clearing, which should be non-exploitable due to pointer tagging.
The success condition for an exploit, given attacker-provided input
overriding an on-stack buffer, is to modify control flow in the program
such that the success function is executed.
Program overview
Cookie monster is always hungry for more cookies. You can sate the monster's hunger by providing cookies as standard input. Cookies are provided as a pair of hexadecimal characters (case is ignored). Each cookie is stored at successive bytes in an on-stack character array. The character array aliases an uninitialized function pointer used in a subsequent function. A minus character ('-') can be used to skip over a character in the array without providing a new cookie. An equals sign ('=') can be used to skip over the number of characters in a pointer without providing any new cookies. Whitespace is ignored in the input line. Input is terminated either by a newline or end of file (EOF).
Building and running
The hardened CHERI-RISC-V version with stack clearing is built by
adding -ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
to the compiler command line.
Source code
stack-mission.c
/*
* SPDX-License-Identifier: BSD-2-Clause-DARPA-SSITH-ECATS-HR0011-18-C-0016
* Copyright (c) 2020 SRI International
*/
#include <assert.h>
#include <ctype.h>
#include <err.h>
#include <stdalign.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
void
success(void)
{
fprintf(stderr, "Exploit successful, yum!\n");
exit(42);
}
void
no_cookies(void)
{
fprintf(stderr, "No cookies??\n");
exit(1);
}
#pragma weak init_pointer
void
init_pointer(void *p)
{
}
static void __attribute__((noinline))
init_cookie_pointer(void)
{
void *pointers[12];
void (* volatile cookie_fn)(void);
for (size_t i = 0; i < sizeof(pointers) / sizeof(pointers[0]); i++)
init_pointer(&pointers[i]);
cookie_fn = no_cookies;
}
static void __attribute__((noinline))
get_cookies(void)
{
alignas(void *) char cookies[sizeof(void *) * 32];
char *cookiep;
int ch, cookie;
printf("Cookie monster is hungry, provide some cookies!\n");
printf("'=' skips the next %zu bytes\n", sizeof(void *));
printf("'-' skips to the next character\n");
printf("XX as two hex digits stores a single cookie\n");
printf("> ");
cookiep = cookies;
for (;;) {
ch = getchar();
if (ch == '\n' || ch == EOF)
break;
if (isspace(ch))
continue;
if (ch == '-') {
cookiep++;
continue;
}
if (ch == '=') {
cookiep += sizeof(void *);
continue;
}
if (isxdigit(ch)) {
cookie = digittoint(ch) << 4;
ch = getchar();
if (ch == EOF)
errx(1, "Half-eaten cookie, yuck!");
if (!isxdigit(ch))
errx(1, "Malformed cookie");
cookie |= digittoint(ch);
*cookiep++ = cookie;
continue;
}
errx(1, "Malformed cookie");
}
}
static void __attribute__((noinline))
eat_cookies(void)
{
void *pointers[12];
void (* volatile cookie_fn)(void);
for (size_t i = 0; i < sizeof(pointers) / sizeof(pointers[0]); i++)
init_pointer(&pointers[i]);
cookie_fn();
}
int
main(void)
{
init_cookie_pointer();
get_cookies();
eat_cookies();
return (0);
}