Code reuse is the predominant attack strategy for exploiting memory corruption vulnerabilities in modern software. In response, Control Flow Integrity (CFI) has been adopted to restrict unintended control-flow transfers and mitigate these attacks. Intel Control-Flow Enforcement Technology (CET) is the most popular CFI implementation in modern x86_64 systems, providing hardware-based protection against conventional code reuse attacks such as ROP and SROP. Although advanced techniques have been proposed to bypass Intel CET, they typically require application-specific features or uncommon programming constructs, limiting their practical applicability. This paper introduces Segmentation Fault Oriented Programming (SFOP), a novel code reuse attack that exploits previously unidentified weaknesses in the interaction between Intel CET and the Linux signal handling subsystem. Unlike other code reuse techniques, SFOP does not require program-specific features, and can reliably exploit any vulnerable application on modern x86_64 Linux with Intel CET enabled. SFOP enables an attacker to execute arbitrarily many function calls with fully controlled arguments, turning a single memory corruption vulnerability into arbitrary code execution. We demonstrate the practical impact of SFOP through real-world exploits, and discuss mitigation strategies to prevent SFOP attacks.
IEEE Symposium on Security and Privacy (S&P)
2026-05-20
2026-05-15