All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout in the DWARF format bytecode. The dedicated code includes an interpreter of this bytecode and logic to implement the call stack unwinding.
Despite being present in a large class of programs -- and therefore potentially providing a huge attack surface -- this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mechanism provides the means for fundamentally altering the flow of a program. DWARF is designed specifically for calculating call frame addresses and register values. DWARF expressions are Turing-complete and may calculate register values based on any readable data in the address space of the process. The exception handling data is in effect an embedded program residing within every C++ process. This talk explores what can be accomplished with control of the debugging information without modifying the program's text or data. We also examine the exception handling mechanism and argue that it is rife for vulnerability finding, not least because the error states of a program are often those least well tested.