Exploiting the Hard-Working DWARF: Trojans with no Native Executable Code

All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout in the DWARF format byte-code. The dedicated code includes an interpreter of this bytecode and logic to implement the call stack unwinding. Despite being present in a large class of programs – and therefore poten-tially providing a huge attack surface – this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mech-anism provides the means for fundamentally altering the flow of a program. DWARF is designed specifically for calculating call frame addresses and reg-ister values. DWARF expressions are Turing-complete and may calculate register values based on any readable data in the address space of the pro-cess. The exception handling data is in effect an embedded program residing within every C++ process. This paper explores what can be accomplished with control of the debugging information without modifying the program’s text or data. We also examine the exception handling mechanism and argue that it is rife for vulnerability finding, not least because the error states of a program are often those least well tested. We demonstrate the capabilities of this DWARF virtual machine and its suitableness for building a new type of backdoor as well as other implications it has on security.