Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data

Presented at Black Hat Asia 2017, March 31, 2017, 10:15 a.m. (60 minutes).

Control Flow Guard (CFG) is a security mechanism that prevents indirect branches (indirect call/jmp) from redirecting control flow to unexpected locations. It was originally released by Microsoft with Windows 8.1 and is currently implemented in Windows 10 as an enhanced security feature. CFG works by inserting a control-flow check function before each protected indirect branch at compile time; at runtime the check function validates the target address against the CFG bitmap.

Previous studies have reported cases and methods to bypass CFG, including:

  • "Bypass Control Flow Guard Comprehensively" by Yunhai Zhang at Black Hat USA 2015, which discussed different attack surfaces and reported a universal bypass approach: making the read-only CF_check_function pointer writable using the destructor behavior of CustomHeap::Heap in Jscript9.
  • "Bypassing Control Flow Guard on Windows 8.1 Update 3" by Francisco Falcon on the Core Security blog, which reported a bypass case found by locating an unguarded indirect call in the JIT-generated code of the Adobe Flash Player JIT compiler.

Although multiple CFG updates have fixed most of the reported vulnerabilities, our study finds more weak spots that can lead to a CFG bypass on the most recently updated Windows 10, using a very efficient tool set we developed.

We use a performance-monitoring-unit (PMU) based instrumentation tool to collect the context of every indirect call at runtime, by triggering an interrupt each time an indirect call takes place. A Spark-based big-data approach is then used to screen and analyze the collected data.

Several of the most common applications, including IE11, Adobe Flash Player and Microsoft Edge, are analyzed under Windows 10 using this method. Results from the different applications are presented in a comparative way.

In summary, with this method and toolset we are able to find multiple vulnerabilities that can lead to a CFG bypass in different applications running under Windows 10. This talk presents not only the results, but also the methodology and tools used to find such vulnerabilities.
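To make the compile-time check / runtime bitmap mechanism concrete, here is an added C model of a CFG-style indirect-call check. It is written for this page and is neither the authors' tooling nor Microsoft's implementation: the 1 MiB window, the one-bit-per-16-byte-slot encoding (real x64 CFG uses roughly two bits per 16 bytes over a large reserved bitmap), the function names and the "gadget" are all assumptions. It shows a guarded indirect call that consults the bitmap before branching, beside an unguarded one of the kind the talk's PMU-based tooling hunts for, and what a corrupted function pointer achieves at each.

```c
/* Added model of a CFG-style indirect-call check (not Microsoft's code).
 * Real x64 CFG keeps roughly two bits per 16 bytes of address space in a
 * large reserved bitmap; this model keeps one bit per 16-byte slot over a
 * 1 MiB window around the test functions and accepts only slot-aligned
 * targets.  Window size, names and the "gadget" are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SHIFT   4                          /* 16-byte slots, like CFG */
#define WINDOW_BITS  20                         /* model covers 1 MiB of code */
#define WINDOW_SIZE  ((uintptr_t)1 << WINDOW_BITS)
#define NSLOTS       (WINDOW_SIZE >> SLOT_SHIFT)

typedef int (*handler_t)(int);

static uint8_t   cfg_bitmap[NSLOTS / 8];        /* one bit per 16-byte slot */
static uintptr_t window_base;                   /* aligned start of the window */

/* Pin each function to its own 16-byte slot so the demonstration does not
 * depend on where the compiler happened to place them (GCC/Clang attribute). */
#define CFG_TARGET __attribute__((aligned(16)))

/* A legitimate indirect-call target: the compiler would list it in the
 * image's CFG function table and the loader would set its bitmap bit. */
CFG_TARGET int legit_handler(int x) { return x + 1; }

/* Stands in for code an attacker wants to reach but which is not a valid
 * indirect-call target.  gadget_hits records whether it was ever entered. */
static int gadget_hits;
CFG_TARGET int gadget(int x) { gadget_hits++; return x * 1000; }

static int slot_of(uintptr_t target)
{
    if (target < window_base || target - window_base >= WINDOW_SIZE)
        return -1;                              /* not in any covered image */
    return (int)((target - window_base) >> SLOT_SHIFT);
}

/* Loader side: mark one address as a valid indirect-call target. */
void cfg_register(uintptr_t target)
{
    int s = slot_of(target);
    if (s >= 0)
        cfg_bitmap[s >> 3] |= (uint8_t)(1u << (s & 7));
}

void cfg_init(void)
{
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    window_base = (uintptr_t)legit_handler & ~(WINDOW_SIZE - 1);
    cfg_register((uintptr_t)legit_handler);
    /* gadget is deliberately not registered: it is never a legitimate target */
}

/* Runtime side: the check function that instrumented code calls before
 * every guarded indirect branch.  Returns 1 if the target is allowed. */
int cfg_check(uintptr_t target)
{
    int s = slot_of(target);
    if (s < 0)
        return 0;
    if (target & (((uintptr_t)1 << SLOT_SHIFT) - 1))
        return 0;                               /* model: slot-aligned targets only */
    return (cfg_bitmap[s >> 3] >> (s & 7)) & 1;
}

/* Guarded indirect call: check first, branch only if allowed.  Real CFG
 * terminates the process (fast-fail) instead of returning an error. */
int guarded_call(handler_t fp, int arg, int *out)
{
    if (!cfg_check((uintptr_t)fp))
        return -1;
    *out = fp(arg);
    return 0;
}

/* Unguarded indirect call: the kind of site this talk searches for.  A
 * corrupted pointer here reaches any address, bitmap or not. */
int unguarded_call(handler_t fp, int arg, int *out)
{
    *out = fp(arg);
    return 0;
}

int main(void)
{
    int out = 0, rc;
    cfg_init();

    handler_t fp = legit_handler;               /* e.g. a vtable slot */
    rc = guarded_call(fp, 1, &out);
    printf("guarded, legit:     rc=%d out=%d\n", rc, out);

    fp = gadget;                                /* simulated pointer corruption */
    rc = guarded_call(fp, 1, &out);
    printf("guarded, corrupt:   rc=%d gadget_hits=%d\n", rc, gadget_hits);
    rc = unguarded_call(fp, 1, &out);
    printf("unguarded, corrupt: rc=%d out=%d gadget_hits=%d\n", rc, out, gadget_hits);
    return 0;
}
```

The guarded path refuses the corrupted pointer without ever entering the gadget, while the unguarded path executes it; finding call sites that behave like unguarded_call in shipped binaries (and in JIT-emitted code, which the compiler never instrumented) is exactly what the runtime PMU sampling described above is for.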

Presenters:

  • Ke Sun - Independent Security Researcher, Fortune 500 company
    Dr. Ke Sun is an independent security researcher. He focuses on malware analysis and reverse engineering. Dr. Sun graduated from UCLA.
  • Ya Ou - Independent Security Researcher, Fortune 500 company
    Ya Ou is an independent security researcher. His work has been focusing on new exploit development, malware analysis and reverse engineering.
