Capturing 0day Exploits with PERFectly Placed Hardware Traps

Black Hat USA 2016

Presented by: Kenneth Fitch, Cody Pierce, Matt Spisak
Date: Wednesday August 03, 2016
Time: 10:20 - 11:10
Location: Jasmine Ballroom

The security industry has gone to great lengths to make exploitation more difficult. Yet we continue to see weaponized exploits used in malware campaigns and targeted attacks capable of bypassing OS and vendor exploit mitigation strategies. Many of these newly deployed mitigations target code-reuse attacks like return-oriented programming. Unfortunately, the reality is that once attackers have control over code execution it's only a matter of time before they can circumvent these defenses, as the recent rise of EMET bypasses illustrates. We propose a new strategy to raise the bar significantly. Our approach blocks exploits before they gain execution, preventing the opportunity to bypass mitigations.

This presentation introduces a new cross-platform, hardware-assisted Control-Flow Integrity (CFI) approach to mitigate control-flow hijack attacks on the Intel architecture. Prior research has demonstrated the effectiveness of leveraging processor-provided features such as the Performance Monitoring Unit (PMU) in order to trap various events for detecting ROP behaviors. We extend and generalize this approach by fine-tuning low-level processor features that enable us to insert a CFI policy to detect and prevent abnormal branches in real-time. Our promising results have shown this approach capable of protecting COTS binaries from control-flow hijack attempts stemming from use-after-free and memory corruption vulnerabilities with acceptable overhead on modern Windows and Linux systems.

In this talk, we will cover our research methodology, results, and limitations. We will highlight novel solutions to major obstacles we faced, including: proper tracking of Windows thread context swapping; configuration of PMU interrupt delivery without tripping Microsoft's PatchGuard; efficient algorithms for discovery of valid branch destinations in PE and ELF files at run-time; and the impact of operating in virtualized environments. The effectiveness of our approach using hardware-assisted traps to monitor program execution and enforce CFI policies on mispredicted branches will be demonstrated in real-time. We will prevent weaponized exploits targeting Windows and Linux x86-64 operating systems that nominally bypass anti-exploit technologies like Microsoft's EMET tool. We will also present collected metrics on performance impact and the real-world applications of this technology.
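To make the policy layer behind the PMU trap concrete, here is an added example that is not code from the talk or from Endgame. It assumes one simple return-target policy (a return may only land immediately after a call instruction), x86-64 code, and only the three call encodings it decodes; the code bytes, base address and trap samples are constructed.

```python
# Added example: a simplified model of the CFI check a PMU trap handler would
# run on a mispredicted return.  Assumption: "return must land right after a
# call" policy; real deployments need a full decoder and PE/ELF section walks.

CODE_BASE = 0x401000  # constructed load address of the code region

# Constructed x86-64 bytes: push rbp; call rel32; call rax; call [rip+disp32]; ret
SAMPLE_CODE = bytes.fromhex(
    "55"            # 0x401000: push rbp
    "e800000000"    # 0x401001: call +0        -> 0x401006 is a valid return target
    "ffd0"          # 0x401006: call rax       -> 0x401008 is a valid return target
    "ff1500000000"  # 0x401008: call [rip+0]   -> 0x40100e is a valid return target
    "c3"            # 0x40100e: ret
)

def valid_return_targets(code: bytes, base: int) -> set:
    """Linear sweep for call instructions; the address after each call is a
    legitimate return destination.  Handles e8 rel32, ff d0-d7 (call reg) and
    ff 15 disp32 (call [rip+disp32]).  Caveat: a sweep that does not track
    instruction boundaries can mistake immediates for opcodes."""
    targets = set()
    i = 0
    while i < len(code):
        op = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if op == 0xE8 and i + 5 <= len(code):
            targets.add(base + i + 5); i += 5
        elif op == 0xFF and nxt is not None and 0xD0 <= nxt <= 0xD7:
            targets.add(base + i + 2); i += 2
        elif op == 0xFF and nxt == 0x15 and i + 6 <= len(code):
            targets.add(base + i + 6); i += 6
        else:
            i += 1
    return targets

def check_samples(samples, valid_targets):
    """samples: (kind, source, target) tuples as delivered for mispredicted
    branches.  Returns the (source, target) pairs that violate the policy."""
    return [(src, dst) for kind, src, dst in samples
            if kind == "ret" and dst not in valid_targets]

# Constructed trap samples: one legitimate return, one landing mid-stream
# just past the ret (the shape a ROP gadget chain produces).
SAMPLES = [
    ("ret", 0x40100E, 0x401006),
    ("ret", 0x40100E, 0x40100F),
]

if __name__ == "__main__":
    print(check_samples(SAMPLES, valid_return_targets(SAMPLE_CODE, CODE_BASE)))
```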

Cody Pierce

Cody Pierce has been involved in computer and network security since the mid-90s. For the past 13 years he has focused on discovery and remediation of known and unknown vulnerabilities. Instrumental in the success of HP's Zero Day Initiative program, Cody has been exposed to hundreds of 0day vulnerabilities, advanced threats, and the most current malware research. At Endgame, Cody has led a successful team tasked with analysing complex software to identify unknown vulnerabilities and leveraged global situational awareness to manage customer risk. A notable contributor to the vulnerability analysis and reverse engineering community, Cody has been a subject matter expert in the media, referenced in industry literature, and has presented at notable industry conferences. Cody holds a unique perspective at the intersection of the most advanced threats and the state of the art in defensive measures and trends.

Matt Spisak

Matt Spisak is a Senior Vulnerability Researcher at Endgame, where he is focused on vulnerability discovery and researching innovative exploit mitigations. Having spent over a decade focused on mobile security and cellular technologies, Matt has become intimately familiar with most major operating systems and firmware components found in smartphones. His current research interests include baseband, smart cards, iOS, and reading processor manuals. Prior to joining Endgame, Matt worked at the National Security Agency and then briefly as a defense contractor.

Kenneth Fitch

Kenneth Fitch is a Senior Vulnerability Researcher at Endgame working on discovering vulnerabilities, inventing mitigation techniques, and developing new research tools. Some of his research experience and interests include embedded reverse engineering, automated binary analysis and visualization, and extreme fuzzing. Before joining Endgame in the private sector, Kenneth was a federal employee within the Department of Defense.
