Back To The Epilogue: How to Evade Windows' Control Flow Guard with Less than 16 Bytes

Presented at Black Hat Asia 2018, March 23, 2018, 2:15 p.m. (60 minutes)

Microsoft Control Flow Guard (CFG) is the Control Flow Integrity mechanism currently in place on all Windows operating systems, from Windows 8.1 to the most recent update of Windows 10, protecting more than 500 million machines.

We built an attack against Windows CFG that completely evades integrity checks and transfers control to any location, thus obtaining arbitrary code execution. We leverage a significant design tradeoff of CFG between precision, performance, and backwards compatibility; in particular, the latter one motivates 16-byte address granularity in some circumstances. This vulnerability, inherent to the CFG design, allows us to call gadgets that should not be allowed, and that we chain together to escape CFG.
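To make that granularity concrete, here is an added illustration (not code from the talk or from Microsoft) of the 32-bit CFG bitmap check as publicly documented: every 16-byte chunk of address space gets two bits, a 16-byte-aligned target consults the even bit and an unaligned target consults the odd bit. The 4 KiB model address space, the marked entry points and all helper names are constructed for this model; the assumption is that the bit layout matches the documented ntdll check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the CFG valid-target bitmap: one 32-bit word covers 256 bytes,
 * i.e. 16 chunks of 16 bytes with 2 bits each. The even bit means "a valid
 * target sits exactly at the chunk's aligned start"; the odd bit means
 * "some valid target sits at an unaligned offset inside this chunk".
 * The check reads only one of the two bits, chosen by the low 4 bits of the
 * target, which is where the 16-byte granularity comes from. */
#define MODEL_SPACE_BYTES 0x1000u          /* constructed: tiny 4 KiB "image" */
#define BITMAP_WORDS (MODEL_SPACE_BYTES / 256u)
typedef struct { uint32_t words[BITMAP_WORDS]; } cfg_bitmap_t;

static unsigned bit_index(uint32_t addr) {
    unsigned idx = (addr >> 3) & 0x1e;      /* 2 * (chunk number inside the word) */
    if (addr & 0xf) idx |= 1;               /* unaligned address -> odd bit */
    return idx;
}

/* Register one function entry point as a valid indirect-call target. */
void cfg_mark_valid(cfg_bitmap_t *bm, uint32_t addr) {
    bm->words[addr >> 8] |= 1u << bit_index(addr);
}

/* 1 if the modelled check lets an indirect call reach addr, else 0. */
int cfg_check(const cfg_bitmap_t *bm, uint32_t addr) {
    return (bm->words[addr >> 8] >> bit_index(addr)) & 1u;
}

/* Mark a single valid target, then count how many of the 16 addresses in
 * probe's chunk the check accepts. Shows the precision actually enforced. */
int cfg_accepted_in_chunk(uint32_t marked, uint32_t probe) {
    cfg_bitmap_t bm; memset(&bm, 0, sizeof bm);
    cfg_mark_valid(&bm, marked);
    uint32_t base = probe & ~0xfu;
    int n = 0;
    for (uint32_t off = 0; off < 16; off++) n += cfg_check(&bm, base + off);
    return n;
}

int main(void) {
    /* constructed: 0x100 is an aligned entry point, 0x235 an unaligned one */
    printf("aligned target 0x100:   %2d of 16 chunk addresses accepted\n",
           cfg_accepted_in_chunk(0x100, 0x100));
    printf("unaligned target 0x235: %2d of 16 chunk addresses accepted\n",
           cfg_accepted_in_chunk(0x235, 0x230));
    return 0;
}
```

An aligned-only chunk accepts exactly its one entry point, while a chunk holding an unaligned entry point accepts every other unaligned address in it, which is the precision loss a defender should expect from this layout.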

These gadgets are more common than one would expect: we ran a thorough evaluation of Windows system libraries, and found many high value targets – exploitable gadgets in code loaded by almost all the applications on 32-bit systems and by high value targets (such as Edge and Internet Explorer) on 64-bit. Every application that loads these gadgets is exposed to our attack, which proves to be universal enough to be very practical.

In this talk, we will present how we noticed this design vulnerability, how we built our attack on top of it, and its projected impact. On top of that, we show its real-world feasibility by using it as part of a remote code execution exploit against the Microsoft Edge web browser running on 64-bit Windows 10. All thanks to less than 16 bytes.


Presenters:

  • Mauro Conti - Associate Professor, University of Padua
    Mauro Conti is an Associate Professor at the University of Padua, Italy. He obtained his Ph.D. from Sapienza University of Rome, Italy, in 2009. After his Ph.D., he was a Post-Doc Researcher at Vrije Universiteit Amsterdam, The Netherlands. He has been Visiting Researcher at GMU (2008), UCLA (2010), UCI (2012, 2013, and 2014), and TU Darmstadt (2013). He has been awarded a Marie Curie Fellowship (2012) by the European Commission, and a Fellowship by the German DAAD (2013). His main research interest is in the area of security and privacy. He is a Senior Member of the IEEE.
  • Daniele Lain - Research Assistant, University of Padua
    Daniele Lain is currently a research assistant at the University of Padua, member of the SPRITZ Security and Privacy Research Group led by Prof. Mauro Conti. His main research interests are in the security and privacy domains, applying Machine Learning techniques in different S&P-related areas (such as users' biometrics and content consumption patterns, and malware network communications).
  • Andrea Biondo - BSc Student, University of Padua
    Andrea Biondo is a BSc student in Computer Science at the University of Padua, where he is part of the SPRITZ Security and Privacy Research Group, led by Prof. Mauro Conti. His interests are in reverse engineering and binary exploitation. He likes to break things and participates actively in bug bounties and CTF competitions.
