idw – Informationsdienst Wissenschaft

20.05.2026 12:22

Crashes with Consequences: Serial Code-Reuse Attack SFOP Breaks Intel CET in Linux

Eva Michely Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

    A code-reuse attack named “Segmentation Fault Oriented Programming (SFOP)” exploits weaknesses in signal handling and Intel CET in Linux systems. SFOP is capable of bypassing Intel CET in any program by producing segmentation faults in sequence. The program under attack is first made to access a restricted area of memory and then repeatedly crashed by executing invalid instructions. Every time it receives a SIGSEGV signal in return, the attacker registers a signal handler that succeeds in crashing the program. SFOP is enabled by 12 previously unknown weaknesses that affect Linux signals.

    SFOP has been discovered by Marcos Bajo, Apostolos Chatzianagnostou, and Christian Rossow at the CISPA Helmholtz Center for Information Security, together with Ritvik Goyal at the Indian Institute of Technology Kanpur. According to Marcos Bajo, first author of the paper presenting SFOP, this new code-reuse attack is comparatively easy to exploit because it does not require any specific feature in the targeted program and is therefore practicable across all programs run on a Linux system. SFOP achieves arbitrary code execution by defeating Intel CET, a state-of-the-art Control Flow Integrity (CFI) scheme. Bajo says, “Nowadays, computers are protected from code-reuse attacks by CFI defenses, which are meant to guarantee the correct program execution flow. What we tried in this attack is to achieve the same capabilities that were possible before the introduction of CFI schemes. The most important of these schemes that we target in SFOP is Intel CET. We say it is the most important because it is in both Windows and Linux by default – it has been in Intel processors since 2020. Every program that runs on your computer is protected by this defense.”

    Spawning Sequences of Segmentation Faults

    SFOP exploits segmentation faults that are triggered by a program’s attempts to access a restricted area of memory. When a segmentation fault occurs, the kernel sends a signal called SIGSEGV to the program, reporting the violation. It is this moment that allows an attacker to launch SFOP, as Bajo says: “The one signal we are targeting is SIGSEGV, the segmentation fault signal. When the application is executing and it requests access to some memory that it shouldn’t have access to or executes an instruction that is invalid under CET, the kernel detects this and says ‘this is not allowed, I will stop you.’ At this moment, the signal is sent to the application and the application must react to it.”

    In SFOP, the attacker leverages this mechanism, inserting pieces of code that act as signal handlers for the SIGSEGV signal and coordinate the program’s reaction to it. Bajo explains: “SFOP is really a chain of signal handlers. What the attacker is doing is registering signal handlers all the time so that the program stops what it’s doing, executes the code, crashes, then goes to the next signal handler, executes it, crashes again, and so on. That’s why we call it segmentation fault oriented programming. The way it chains together small pieces of code is all the time producing segmentation faults, crashing the program.” Inserting a different piece of code each time, the attacker can achieve something different at every step of this chain, from opening a file to sending data.
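    To make the signal mechanism described in the two paragraphs above concrete, the following C program is an added example written for this page; it is not code from the SFOP paper or its GitHub repository. It registers a SIGSEGV handler with sigaction(), maps one page with no access permissions (a "restricted area of memory"), touches it, and shows what the kernel hands the handler: the faulting address in siginfo_t (si_addr) and a reason code (si_code). Rather than returning into the faulting instruction, the handler unwinds to a recovery point with siglongjmp(), which is the pattern crash reporters and memory probes use. The function names (install_segv_handler, probe_read, demo_protected_page, last_fault_addr, last_fault_code) are this example's own. Logging si_addr and si_code from such a handler is also the kind of telemetry that makes an abnormal run of repeated segmentation faults in a single process visible to a defender.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Recovery point for the probe and the details recorded by the handler. */
static sigjmp_buf recover_point;
static volatile sig_atomic_t fault_seen = 0;
static void *volatile fault_addr = NULL;
static volatile int fault_code = 0;

/* SIGSEGV handler. The kernel fills in siginfo_t: si_addr is the address
 * the program tried to touch, si_code says why it was refused (SEGV_MAPERR
 * for an unmapped page, SEGV_ACCERR for a permission fault). We never
 * return into the faulting instruction; we unwind to the probe instead. */
static void segv_handler(int sig, siginfo_t *info, void *ucontext)
{
    (void)sig;
    (void)ucontext;
    fault_seen = 1;
    fault_addr = info->si_addr;
    fault_code = info->si_code;
    siglongjmp(recover_point, 1);
}

/* Register the handler with sigaction(); SA_SIGINFO requests the
 * three-argument form so that siginfo_t is delivered. Returns 0 on success. */
int install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Read one byte from p under the handler. Returns 0 if the read succeeded
 * (byte stored in *out), 1 if it faulted, -1 on setup error.
 * sigsetjmp(..., 1) saves the signal mask, so the siglongjmp from the
 * handler also unblocks SIGSEGV again for the next probe. */
int probe_read(const unsigned char *p, unsigned char *out)
{
    if (install_segv_handler() != 0)
        return -1;
    fault_seen = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
        unsigned char v = *(volatile const unsigned char *)p;
        if (out)
            *out = v;
        return 0;
    }
    return 1; /* arrived here via siglongjmp from segv_handler */
}

/* Accessors for what the last fault reported. */
const void *last_fault_addr(void) { return fault_addr; }
int last_fault_code(void) { return fault_code; }

/* Map one page with PROT_NONE, probe it, and check that SIGSEGV arrived
 * with si_addr inside that page. Returns 1 if so, 0 if not, -1 if the
 * mapping itself failed. */
int demo_protected_page(void)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *guard = mmap(NULL, (size_t)page, PROT_NONE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard == MAP_FAILED)
        return -1;
    unsigned char byte = 0;
    int rc = probe_read(guard + 16, &byte);
    const unsigned char *at = last_fault_addr();
    int in_page = fault_seen && at >= guard && at < guard + page;
    munmap(guard, (size_t)page);
    return (rc == 1 && in_page) ? 1 : 0;
}

int main(void)
{
    unsigned char ok = 0x5a, out = 0;
    printf("readable byte: rc=%d value=0x%02x\n", probe_read(&ok, &out), out);
    int r = demo_protected_page();
    printf("PROT_NONE page: faulted_in_page=%d si_addr=%p si_code=%d\n",
           r, last_fault_addr(), last_fault_code());
    return r == 1 ? 0 : 1;
}
```

    The design point is the one the article turns on: once a SIGSEGV handler is installed, the kernel hands control to it with a description of the fault, and the handler decides what the process does next. A handler that simply returns would re-execute the faulting instruction and fault again; this example never does that, and a process that keeps re-entering its SIGSEGV handler is exactly the pattern worth alerting on.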

    Asynchronous Events as Breaking Points

    In Linux systems, signals serve to inform a running program of asynchronous events, asking it, for instance, to terminate, pause, or resume. Such asynchronous events tend to pose challenges to CFI defenses, as Bajo points out: “We already had this experience from prior research that asynchronous mechanisms can be problematic for CFI schemes because they are not able to manage them well. Also, protections tend to be designed for either the programs or the kernel. But whenever there is a mechanism that moves between the programs and the kernel you can be suspicious that something may be going wrong with this.” While Intel CET itself was implemented properly in Linux systems, Bajo and his collaborators have detected a total of 12 new weaknesses in the kernel itself that affect signal handling in Linux and that, taken together, enable SFOP to achieve its full impact.

    Patching SFOP Concerns the Linux Kernel

    According to Bajo and his co-authors, SFOP is among “the low-hanging fruit” of code-reuse attacks because it is practicable across all programs running on a Linux system. “Signals are there by default; they are ingrained in Linux, and you cannot easily disable them. Signals are not something that the programmer needs to prepare the program for. Rather, if you create any program, it will have them already,” Bajo points out. Patching SFOP has thus involved addressing the weaknesses they have found in the Linux kernel. Working together with the Linux kernel security team, Bajo, Chatzianagnostou, Rossow, and Goyal have already developed a number of patches that successfully mitigate SFOP. The CISPA research on SFOP will be presented at the IEEE Security Symposium on Security and Privacy, in San Francisco, CA, on May 20, 2026.


    Scientific contacts:

    Marcos Bajo and Apostolos Chatzianagnostou
    CISPA Helmholtz Center for Information Security
    Stuhlsatzenhaus 5
    66123 Saarbrücken, Germany
    marcos.sanchez-bajo@cispa.de
    apostolos.chatzianagnostou@cispa.de


    Original publication:

    Bajo, Marcos; Goyal, Ritvik; Chatzianagnostou, Apostolos; Rossow, Christian (2026) “Crashing through Defenses: Exploiting Segfaults and Chaining around Intel CET” In: 47th IEEE Security Symposium on Security and Privacy, 18-21 May 2026, San Francisco, CA, USA.
    https://doi.org/10.60882/cispa.32304933


    Further information:

    https://github.com/signal-sfop/sfop/ More information about SFOP, including all the code, artifacts and materials, is available in a GitHub repository.


    Images

    SFOP: Exploiting Segfaults and Chaining around Intel CET

    Copyright: CISPA/Janine Wichmann-Paulus


    Characteristics of this press release:
    Journalists, students, scientists
    Information technology
    Nationwide
    Research results, scientific publications
    English
