Code execution vulnerabilities persist in C++ programs due to the propensity for reuse attacks, a security concern known as code-reuse attacks, despite the presence of Control Flow Integrity (CFI).

Code execution vulnerabilities persist in C++ programs due to the propensity for reuse attacks, a security concern known as code-reuse attacks, despite the presence of Control Flow Integrity (CFI).

In a groundbreaking discovery, researchers at the CISPA Helmholtz Center for Information Security have unveiled a new code-reuse attack method called "Coroutine Frame-Oriented Programming" (CFOP). This attack can exploit C++ coroutines across Clang/LLVM, GCC, and MSVC compilers, potentially exposing significant security vulnerabilities.

The publication detailing this research, with the title "Await() a Second: Evading Control Flow Integrity by Hijacking C++ Coroutines," will be presented at the "Black Hat USA" conference in Las Vegas on August 7, 2025. An academic version of the paper will also be published at the 34th USENIX Security Symposium in Seattle, WA, USA on August 13-15, 2025.

CFOP is a sophisticated attack that bypasses Control Flow Integrity (CFI) protections in 15 defense mechanisms. It operates by damaging coroutine-internal memory structures to achieve the execution of arbitrary code. The attack method involves the use of entire C++ coroutines and other existing functions to create a code-reuse attack.

Control Flow Integrity mechanisms were designed to protect against code-reuse attacks, but they only cover the programming paradigms that existed at their creation. Coroutine Frame-Oriented Programming (CFOP) bypasses these protections in C++ coroutines by exploiting the mutation of coroutine-specific heap memory structures that store execution state. These structures are vulnerable due to typical issues like buffer overflows, allowing attackers to hijack how the program resumes coroutines and redirect control flow despite active CFI protections.

To mitigate this vulnerability, researchers suggest several approaches. These include enhancing CFI schemes to cover coroutine internal data structures, strengthening memory safety around coroutine frames, implementing input validation and hardening at the application level, and compiler and runtime enhancements to provide hardened coroutine implementations less susceptible to heap corruption or to provide dedicated integrity checks on coroutine state data.

The increasing popularity of C++ coroutines, which are present in more than 130 popular GitHub repositories and are used for asynchronous programming in servers, databases, and web browsers, has magnified the potential for CFOP. Marcos Sanchez Bajo and Prof. Dr. Christian Rossow, the scientific contacts for the CISPA Helmholtz Center for Information Security, have developed successful implementation alternatives for C++ coroutines and have reported these mitigations to Clang/LLVM, GCC, and MSVC in November 2024.

The CISPA Helmholtz Center for Information Security is located at Stuhlsatzenhaus 5, 66123 Saarbrücken. For more information, you can contact Marcos Sanchez Bajo at [email protected] or Prof. Dr. Christian Rossow at [email protected].

1. The groundbreaking code-reuse attack, Coroutine Frame-Oriented Programming (CFOP), revealed by CISPA Helmholtz Center for Information Security researchers, can cause significant security concerns in data-and-cloud-computing systems that utilize C++ coroutines, a technology widely used in servers, databases, and web browsers.
2. The publication on the CFOP attack, titled "Await() a Second: Evading Control Flow Integrity by Hijacking C++ Coroutines," suggests several mitigation strategies to combat this cybersecurity threat, including bolstering memory safety around coroutine frames and enhancing Control Flow Integrity schemes to cover coroutine internal data structures.

Read also: