{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T09:40:39Z","timestamp":1771580439468,"version":"3.50.1"},"reference-count":77,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T00:00:00Z","timestamp":1609545600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Union's Horizon 2020 research and innovation programme","award":["786669 (ReAct), and 830929 (CyberSec4Europe)"],"award-info":[{"award-number":["786669 (ReAct), and 830929 (CyberSec4Europe)"]}]},{"name":"RESTART programmes of the research, technological development and innovation of the Research Promotion Foundation","award":["ENTERPRISES\/0916\/0063 (PERSONAS)"],"award-info":[{"award-number":["ENTERPRISES\/0916\/0063 (PERSONAS)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,5,31]]},"abstract":"Unsafe programming systems are still very popular, despite the shortcomings due to several published memory-corruption vulnerabilities. Toward defending memory corruption, compilers have started to employ advanced software hardening such as Control-flow Integrity (CFI) and SafeStack. However, there is a broad interest for realizing compilers that impose memory safety with no heavy runtime support (e.g., garbage collection). Representative examples of this category are Rust and Go, which enforce memory safety primarily statically at compile time.<\/jats:p>\n \n Software hardening and Rust\/Go are promising directions for defending memory corruption, albeit combining the two is questionable. In this article, we consider hardened\n mixed<\/jats:italic>\n binaries, i.e., machine code that has been produced from different compilers and, in particular, from\n hardened<\/jats:italic>\n C\/C++ and Rust\/Go (e.g., Mozilla Firefox, Dropbox, npm, and Docker). Our analysis is focused on Mozilla Firefox, which outsources significant code to Rust and is open source with known public vulnerabilities (with assigned CVE). Furthermore, we extend our analysis in mixed binaries that leverage Go, and we derive similar results.\n <\/jats:p>\n \n The attacks explored in this article\n do not<\/jats:italic>\n exploit Rust or Go binaries that depend on some legacy (vulnerable) C\/C++ code. In contrast, we explore how Rust\/Go compiled code can stand as a vehicle for bypassing hardening in C\/C++ code. In particular, we discuss CFI and SafeStack, which are available in the latest Clang. Our assessment concludes that CFI can be completely nullified through Rust or Go code by constructing much simpler attacks than state-of-the-art CFI bypasses.\n <\/jats:p>","DOI":"10.1145\/3418898","type":"journal-article","created":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T11:26:59Z","timestamp":1609586819000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Exploiting Mixed Binaries"],"prefix":"10.1145","volume":"24","author":[{"given":"Michalis","family":"Papaevripides","sequence":"first","affiliation":[{"name":"University of Cyprus, Nicosia, Cyprus"}]},{"given":"Elias","family":"Athanasopoulos","sequence":"additional","affiliation":[{"name":"University of Cyprus, Nicosia, Cyprus"}]}],"member":"320","published-online":{"date-parts":[[2021,1,2]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"American Fuzzy Lop. Retrieved","year":"2019"},{"key":"e_1_2_1_2_1","volume-title":"Clang\u2014Control flow integrity. Retrieved","year":"2019"},{"key":"e_1_2_1_3_1","volume-title":"Clang - safestack. Retrieved","year":"2019"},{"key":"e_1_2_1_4_1","volume-title":"Go Channels. Retrieved","year":"2020"},{"key":"e_1_2_1_5_1","volume-title":"Retrieved","author":"Closures Go","year":"2020"},{"key":"e_1_2_1_6_1","volume-title":"Retrieved","author":"Goroutines Go","year":"2020"},{"key":"e_1_2_1_7_1","volume-title":"Retrieved","author":"Interfaces Go","year":"2020"},{"key":"e_1_2_1_8_1","volume-title":"Retrieved","year":"2020"},{"key":"e_1_2_1_9_1","volume-title":"Retrieved","year":"2020"},{"key":"e_1_2_1_10_1","volume-title":"Kernel Control Flow Integrity. Retrieved","year":"2019"},{"key":"e_1_2_1_11_1","unstructured":"[n.d.]. Mozilla Research\u2014Rust. Retrieved from https:\/\/research.mozilla.org\/rust\/. [n.d.]. Mozilla Research\u2014Rust. Retrieved from https:\/\/research.mozilla.org\/rust\/."},{"key":"e_1_2_1_12_1","volume-title":"Rust in Production. Retrieved","year":"2020"},{"key":"e_1_2_1_13_1","volume-title":"Stack Overflow: Developer Survey Results","year":"2020"},{"key":"e_1_2_1_14_1","volume-title":"Kraken JavaScript Benchmark. Retrieved","year":"2019"},{"key":"e_1_2_1_15_1","doi-asserted-by":"crossref","unstructured":"2014. Memory exploit mitigations #15179. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/15179. 2014. Memory exploit mitigations #15179. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/15179.","DOI":"10.5465\/ambpp.2014.15179abstract"},{"key":"e_1_2_1_16_1","unstructured":"2014. RFC: Memory exploit mitigation #145. Retrieved from https:\/\/github.com\/rust-lang\/rfcs\/pull\/145. 2014. RFC: Memory exploit mitigation #145. Retrieved from https:\/\/github.com\/rust-lang\/rfcs\/pull\/145."},{"key":"e_1_2_1_17_1","unstructured":"2014. Sanitize memory and CPU registers for sensitive data #17046. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/17046. 2014. Sanitize memory and CPU registers for sensitive data #17046. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/17046."},{"key":"e_1_2_1_18_1","volume-title":"Strengths and weaknesses of LLVM\u2019s safestack buffer overflow protection. Retrieved","year":"2019"},{"key":"e_1_2_1_19_1","unstructured":"2015. Update LLVM and add the safestack attribute to all generated functions. #26612. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/26612. 2015. Update LLVM and add the safestack attribute to all generated functions. #26612. Retrieved from https:\/\/github.com\/rust-lang\/rust\/issues\/26612."},{"key":"e_1_2_1_20_1","volume-title":"Disarming control flow guard using advanced code reuse attacks. Retrieved","year":"2019"},{"key":"e_1_2_1_21_1","volume-title":"Safe Rust code miscompilation due to a bug in LLVM\u2019s Global Value Numbering #45839. Retrieved","year":"2019"},{"key":"e_1_2_1_22_1","unstructured":"2018. CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia. Retrieved from https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1462682. 2018. CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia. Retrieved from https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1462682."},{"key":"e_1_2_1_23_1","volume-title":"Enabling Windows exploit mitigations by default in Rust programs? Retrieved","year":"2019"},{"key":"e_1_2_1_24_1","volume-title":"As input parameters. Retrieved","year":"2019"},{"key":"e_1_2_1_25_1","volume-title":"Retrieved","year":"2019"},{"key":"e_1_2_1_26_1","volume-title":"Community makes Rust an easy choice for npm. Retrieved","year":"2020"},{"key":"e_1_2_1_27_1","volume-title":"GDB: The GNU Project Debugger. Retrieved","year":"2019"},{"key":"e_1_2_1_28_1","unstructured":"2019. Implications of rewriting a browser component in rust. Retrieved from https:\/\/hacks.mozilla.org\/2019\/02\/rewriting-a-browser-component-in-rust\/. 2019. Implications of rewriting a browser component in rust. Retrieved from https:\/\/hacks.mozilla.org\/2019\/02\/rewriting-a-browser-component-in-rust\/."},{"key":"e_1_2_1_29_1","unstructured":"2019. Multiprocess Firefox. Retrieved from https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Multiprocess_Firefox. 2019. Multiprocess Firefox. Retrieved from https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Multiprocess_Firefox."},{"key":"e_1_2_1_30_1","volume-title":"Rust\u2014Foreign function interface. Retrieved","year":"2019"},{"key":"e_1_2_1_31_1","unstructured":"2019. Rust 2019: Security. Retrieved from https:\/\/snf.github.io\/2019\/01\/10\/rust-2019-security\/. 2019. Rust 2019: Security. Retrieved from https:\/\/snf.github.io\/2019\/01\/10\/rust-2019-security\/."},{"key":"e_1_2_1_32_1","volume-title":"The rust programming language. Retrieved","year":"2019"},{"key":"e_1_2_1_33_1","volume-title":"Abstraction without overhead: Traits in rust. Retrieved","author":"Turon Aaron","year":"2019"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/1929820.1929836"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176330"},{"key":"e_1_2_1_37_1","volume-title":"Changes to functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory protection technologies, data execution prevention","author":"Andersen Starr"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241140"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23412"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23371"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23209"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3139645.3139660"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1133981.1134000"},{"key":"e_1_2_1_44_1","volume-title":"Go: Memory Safety with Bounds Check. Retrieved","author":"Blanchon Vincent","year":"2020"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831154"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.5555\/1267549.1267554"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671251"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813646"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813646"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.43"},{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the Black Hat Europe Conference (Black Hat Europe\u201916)","author":"Goktas Enes","year":"2016"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818025"},{"key":"e_1_2_1_53_1","volume-title":"Getting to go: The journey of go\u2019s garbage collector. Retrieved","author":"Hudson Rick","year":"2020"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23287"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3158154"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.5555\/2685048.2685061"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.5555\/3026959.3026979"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23224"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2692956.2663188"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2544173.2509515"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277272"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/1543135.1542504"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837855.1806657"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866371"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241105"},{"key":"e_1_2_1_66_1","unstructured":"PaX Team. 2003. Address Space Layout Randomization (ASLR). Retrieved from http:\/\/pax.grsecurity.net\/docs\/aslr.txt. PaX Team. 2003. Address Space Layout Randomization (ASLR). Retrieved from http:\/\/pax.grsecurity.net\/docs\/aslr.txt."},{"key":"e_1_2_1_68_1","volume-title":"Patina: A formalization of the rust programming language. Master\u2019s Thesis","author":"Reed Eric Christopher","year":"2015"},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23477"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.51"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.5555\/2342821.2342849"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.13"},{"key":"e_1_2_1_74_1","volume-title":"Millions of Binaries Later: A Look Into Linux Hardening in the Wild. Retrieved","author":"Petsios Theofilos","year":"2019"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671285"},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.60"},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.44"},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.5555\/2534766.2534796"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3418898","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3418898","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:28Z","timestamp":1750197748000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3418898"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,2]]},"references-count":77,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2021,5,31]]}},"alternative-id":["10.1145\/3418898"],"URL":"https:\/\/doi.org\/10.1145\/3418898","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,2]]},"assertion":[{"value":"2020-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-01-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}