Hi,
I have referred to the current implementation of CFI inside clang,
> https://clang.llvm.org/docs/ControlFlowIntegrity.html
Sounds like they only support CFI for indirect function calls (like class-based
virtual member functions, function pointers, etc.).
So through reverse engineering anybody can change the call flow inside a
function by simply injecting some call inside a function call, changing
its disassembly (through the .wat format and using the wat2wasm utility to
convert it back to wasm).
I have injected some code like that for a -fsanitize=cfi compiled binary and
I was able to build it back and run without any exceptions.
So currently the CFI implementation only supports indirect calls? No
support for direct function calls?
>>
#include <stdio.h>
#include <stdlib.h>

int A(void)
{
    printf("A\n");
    return 0;
}

int B(void)
{
    printf("B\n");
    return 0;
}

/* Direct call to A(): the target is fixed at compile/link time. */
int callAOnly(void)
{
    A();
    return 0;
}

int main(void)
{
    callAOnly();
    B();
    return 0;
}
>>
So using the wasm2wat and wat2wasm utilities I can inject a call to B() inside
callAOnly() and break the integrity. My question is: is that kind of direct
function call integrity checking still not implemented in the CFI
implementation of the emscripten toolchain? Or is this outside the scope of
CFI, so I may have to use other techniques like a checksum? But the code
segment can't be read in the WASM implementation, so a checksum is not possible.
Thanks,
Sandun.
--
You received this message because you are subscribed to the Google Groups
"emscripten-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/emscripten-discuss/92239828-1453-438f-be83-23790838a9e1n%40googlegroups.com.
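The following is an added example, not code from the post above or from the clang or emscripten projects. It models in plain C what clang's `-fsanitize=cfi-icall` check does at an indirect call site: the compiler builds, for each function type, the set of address-taken functions of that type and makes every indirect call verify that its target is in that set before jumping. A direct call such as `callAOnly()` calling `A()` has its target fixed at link time, so no runtime check is emitted for it; CFI's threat model is a corrupted pointer at runtime, not an edited binary. The registry, the `cfi_icall_void_int` wrapper and the `demo_*` entry points are assumptions made for this illustration; real CFI uses compiler-generated jump tables and traps on failure rather than returning an error code.

```c
/* Added example (not from the original post): a software model of the
 * check clang's -fsanitize=cfi-icall inserts at an *indirect* call site.
 * Names such as cfi_icall_void_int and allowed_void_int are assumptions
 * for this illustration, not clang or emscripten APIs. */
#include <stdio.h>
#include <stddef.h>

typedef int (*fn_void_int)(void);   /* the one signature we model */

static int A(void) { printf("A\n"); return 0; }
static int B(void) { printf("B\n"); return 0; }

/* A function with a different signature. Reaching it through a
 * fn_void_int pointer is exactly the type confusion cfi-icall rejects. */
static int takes_int(int x) { return x + 1; }

/* Legitimate targets for "int (*)(void)". With real CFI the compiler
 * derives this set from every address-taken function of that type. */
static const fn_void_int allowed_void_int[] = { A, B };

/* Emulated CFI check: is 'target' a known function of the expected type? */
static int cfi_check_void_int(fn_void_int target)
{
    size_t n = sizeof allowed_void_int / sizeof allowed_void_int[0];
    for (size_t i = 0; i < n; i++)
        if (allowed_void_int[i] == target)
            return 1;
    return 0;
}

/* Indirect call wrapper. Returns 1 on a CFI violation (the real sanitizer
 * would trap here) and 0 after a successful call, storing its result. */
static int cfi_icall_void_int(fn_void_int target, int *result)
{
    if (!cfi_check_void_int(target)) {
        fprintf(stderr, "cfi: control flow integrity check failed\n");
        return 1;
    }
    *result = target();
    return 0;
}

/* Direct call: the target is fixed at link time, so CFI emits no check. */
int callAOnly(void) { return A(); }

/* Returns 1 when a valid indirect call to A passes the check and runs. */
int demo_valid_indirect(void)
{
    int r = -1;
    return cfi_icall_void_int(A, &r) == 0 && r == 0;
}

/* Returns 1 when a type-confused pointer is caught before being called. */
int demo_type_confused_indirect(void)
{
    int r = -1;
    /* Present takes_int the way a corrupted pointer would: wrong type. */
    fn_void_int bad = (fn_void_int)takes_int;
    return cfi_icall_void_int(bad, &r);
}

int main(void)
{
    printf("direct call result: %d\n", callAOnly());
    printf("valid indirect call passed: %d\n", demo_valid_indirect());
    printf("type-confused call caught: %d\n", demo_type_confused_indirect());
    return 0;
}
```

The point the model makes concrete: the check only exists where a call's target is a runtime value. If someone rewrites the module itself (for example by editing the .wat and reassembling), they can add or remove direct calls and also edit the checks, so code-level tampering is addressed by integrity of the delivered artifact (signing, subresource integrity, a trusted delivery channel), not by CFI.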