Breaking Control Flow Integrity by Abusing Modern C++

Black Hat USA 2025 · Day 1 · Briefings

C++20 coroutines, the language feature for suspendable, resumable functions used in async programming, give every suspended coroutine a heap-allocated frame whose resume and destroy function pointers sit in writable memory. Researcher Marcos from CISPA demonstrates that an attacker who can corrupt such a frame, or plant a fake one, can redirect its resume and destroy pointers and its continuation pointer to chain arbitrary function calls with arbitrary arguments while evading Intel CET, Control Flow Guard, and 11 other CFI implementations. The forged pointers still target legitimate function entry points, and the resume call passes the frame pointer itself as the argument, so a scheme that only checks that an indirect branch lands on a valid entry accepts the call and the attacker controls what the callee receives. The technique requires only a standard memory corruption primitive and works across GCC, Clang, and MSVC.
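To make the primitive concrete, here is an added illustration that is not the talk's code and not taken from any of the CFI implementations it names. It hand-rolls the frame layout GCC and Clang emit for a coroutine (resume pointer, destroy pointer, then the body's state and spilled locals; the layout, the `Frame` fields, `privileged_action` and the two CFI checks are assumptions made for the example) rather than using `<coroutine>`, so it builds with any C++11 compiler. The attacker's heap write is simulated by storing into the frame directly; a real overflow or use-after-free reaching the frame would do the same.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

typedef void (*frame_fn)(void*);

// Assumed frame layout, following the Itanium-style ABI GCC and Clang use:
// two function pointers first, then the promise/state and spilled locals.
struct Frame {
    frame_fn resume;    // coroutine_handle::resume() jumps here
    frame_fn destroy;   // coroutine_handle::destroy() jumps here
    int      state;     // suspend-point index kept by the generated body
    char     arg[64];   // spilled locals; the body reads its "arguments" here
};

// Record of the last function resume() actually dispatched to.
static std::string g_last_call;

// Generated-style resume body of a benign coroutine: advances its state.
static void benign_resume(void* f) {
    Frame* fr = static_cast<Frame*>(f);
    fr->state++;
    g_last_call = "benign_resume state=" + std::to_string(fr->state);
}
static void benign_destroy(void* f) { std::free(f); }

// A legitimate function with a pointer-sized parameter (stand-in for any real
// library or OS routine of that shape). resume() passes the frame pointer, so
// a frame under attacker control is a fully controlled argument.
static void privileged_action(void* p) {
    const Frame* fr = static_cast<const Frame*>(p);
    g_last_call = std::string("privileged_action(") + fr->arg + ")";
}

static Frame* make_frame() {
    Frame* fr = static_cast<Frame*>(std::calloc(1, sizeof(Frame)));
    fr->resume = benign_resume;
    fr->destroy = benign_destroy;
    return fr;
}

// Model of coroutine_handle::resume(): an indirect call through a pointer
// that lives in writable heap memory.
static void resume(Frame* fr) { fr->resume(fr); }

// Coarse-grained CFI in the style of CFG or CET-IBT: the target only has to
// be the entry point of a function that may be called indirectly.
static bool coarse_cfi_allows(frame_fn target) {
    static const frame_fn valid_entries[] = {benign_resume, benign_destroy, privileged_action};
    for (frame_fn f : valid_entries)
        if (f == target) return true;
    return false;
}

// The check a practitioner wants instead: bind the frame to the resume body
// it was created with (assumed defence; what a per-frame signature or
// pointer authentication would buy). Here it is a direct comparison.
static bool fine_cfi_allows(const Frame* fr) { return fr->resume == benign_resume; }

// Assumed attacker primitive: a heap write that reaches the frame.
static void corrupt_frame(Frame* fr, frame_fn target, const char* payload) {
    fr->resume = target;
    std::strncpy(fr->arg, payload, sizeof fr->arg - 1);
}

struct Outcome {
    bool coarse_ok;        // did the CFG/IBT-style check pass the corrupted frame?
    bool fine_ok;          // did the per-frame check pass it?
    std::string called;    // what resume() dispatched to after corruption
};

static Outcome demo() {
    Frame* fr = make_frame();
    resume(fr);                                   // normal: benign body runs
    corrupt_frame(fr, privileged_action, "/etc/shadow");  // constructed payload
    Outcome o;
    o.coarse_ok = coarse_cfi_allows(fr->resume);  // true: a valid entry point
    o.fine_ok = fine_cfi_allows(fr);              // false: not this frame's body
    if (o.coarse_ok) resume(fr);                  // coarse CFI lets it through
    o.called = g_last_call;
    std::free(fr);
    return o;
}

int main() {
    Outcome o = demo();
    std::printf("coarse CFI: %s, per-frame check: %s, executed: %s\n",
                o.coarse_ok ? "allowed" : "blocked",
                o.fine_ok ? "allowed" : "blocked", o.called.c_str());
    return 0;
}
```

The point of the two checks is the gap the talk exploits: the corrupted resume pointer is not a rogue address but the entry of an exported function, so a valid-target check has nothing to object to, and the callee's argument is the very frame the attacker already wrote.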

AI review

A PhD student finds that C++20 coroutines put function pointers in writable heap memory, eleven of thirteen CFI schemes don't instrument them, and Intel CET plus CFG both fall to a chained fake-frame attack with arbitrary arguments. This is a genuine new primitive, demonstrated live on SerenityOS with a real CVE. Full marks.
