Untangle: Aiding Global Function Pointer Hijacking for Post-CET Binary Exploitation.

In this paper, we combine static code analysis and symbolic execution to bypass Intel’s Control-Flow Enforcement Technology (CET) by exploiting function pointer hijacking. We present Untangle, an open-source tool that implements and automates the discovery of global function pointers in exported library functions and their call sites. Then, it determines the constraints that need to be satisfied to reach those pointers. Our approach manages naive built-in types and complex parameters like structure pointers. We demonstrate the effectiveness of Untangle on 8 of the most used open source C libraries, identifying 57 unique global function pointers, reachable through 1488 different exported functions. Untangle can find and verify the correctness of the constraints for 484 global function pointer calls, which can be used as attack vectors for control-flow hijacking. Finally, we discuss current and future defense mechanisms against control-flow hijacking using global function pointers.