Documente Academic
Documente Profesional
Documente Cultură
…
Prevent Code Integrity Guard Arbitrary Code Guard
arbitrary code
Images must be signed and load Prevent dynamic code generation,
generation from valid places modification, and execution
✓ Only valid, signed code pages can ✓ Code pages are immutable and ✓ Code execution stays “on the rails”
be mapped by the app cannot be modified by the app per the control-flow integrity policy
Example of such an attack provided by Yang Yu @ Black Hat USA 2014
Allow DLL to be
mapped
No
Configurable via Device Guard policy
✓ Code is immutable
✓ Only properly signed code
pages can be mapped
✓ Data cannot become code
Bypass Status
Non-enlightened Just-in-Time (JIT) compilers Mitigated in latest version of Edge on Windows 10 (Chakra, Adobe Flash, and WARP)
Corrupting mutable read-only memory Known limitation that we are exploring solutions for
✓ Stack cookies (/GS, etc) Security Must be robust against our threat model
• Only mitigates stack buffer overruns Cost must be within reason and
Performance
proportional to value
✓ Shadow/split stack solutions Compatibility Don’t break legacy apps
• E.g. SafeStack (http://clang.llvm.org/docs/SafeStack.html) Binary compatibility with previous and
Interoperability
future versions of Windows
✓ Fine-grained CFI solutions ABI compliant We can’t rebuild the world
• E.g. RAP (https://www.grsecurity.net/rap_announce.php) Agility Don’t paint ourselves into a corner
Cost for developers to enable should be
Developer friction
minimal (ideally zero)
✓ Control-flow Enforcement Technology (CET)
• Indirect branch tracking via ENDBRANCH
• Return address protection via a shadow stack
Preview specification:
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-
enforcement-technology-preview.pdf
488b0424 mov rax,qword ptr [rsp]
6448890424 mov qword ptr fs:[rsp],rax
https://github.com/Microsoft/ChakraCore/commit/17f3d4a4852dcc9e48de7091685b1862afb9f307
• Create a NativeFloatArray fake_obj_arr which contains a fake object
• Use CVE-2016-3260 to leak its address
• Use CVE-2016-3260 to create a JavaScript variable fake_obj pointing to
fake_obj_arr + data_offset
• …and a few other steps we won’t be talking about today ☺
✓ Accepting a weaker threat model would ✓ Reminder: Microsoft has an ongoing
mean significant drop in ROI $100,000 USD bounty for defensive
ideas ☺
✓ Long-term impact on cost to exploit
would not be high enough to warrant ✓ https://technet.microsoft.com/en-
long-term cost of feature us/security/dn425049.aspx
https://aka.ms/bugbounty https://aka.ms/wdgsecurityjobs
Hyper-V bounty page: https://technet.microsoft.com/en-us/security/mt784431
Mitigation bypass bounty page: https://technet.microsoft.com/en-us/security/dn425049