How to Survive the Hardware Assisted Control-Flow Integrity Enforcement

Presented at Black Hat Asia 2019, March 28, 2019, 11:45 a.m. (60 minutes)

Control-flow hijacking is a crucial step of modern vulnerability exploitation: it converts a memory safety vulnerability into arbitrary code execution. The security industry has put great effort into combating control-flow hijacking; however, pure software-based control-flow integrity solutions (such as Microsoft's CFG) have turned out to be inadequate against sophisticated control-flow hijacking attacks, which call for a hardware-assisted solution. Intel's Control-flow Enforcement Technology (CET) is such a solution; it aims at preventing exploits from hijacking control-flow transfer instructions for both forward-edge (indirect call/jmp) and back-edge (ret) transfers. The latest Windows 10 RS5 has introduced new mitigation changes to support Intel CET (the new PTE type for the shadow stack), a clear sign that Microsoft is taking serious steps to address the control-flow hijacking issue once and for all. In this talk, we'll give a deep dive into Intel CET and its implementation on the latest Windows 10 x64 operating system (RS5 and 19H1). Moreover, we'll discuss possible ways that still achieve control-flow hijacking when CET is enabled. We'll also provide demonstrations for the attacks discussed.


Presenters:

  • Chong Xu - Head of Security Research, McAfee
    Chong Xu received his Ph.D. degree in networking and security from Duke University. His current focus includes research and innovation on intrusion and prevention techniques as well as threat intelligence. He is the head of security research at the McAfee network security business unit, which leads McAfee vulnerability research, malware and APT detection, and botnet detection. Chong's team feeds security content and innovative protection solutions into McAfee's network IPS, host IPS, and sandbox products, as well as McAfee Global Threat Intelligence (GTI).
  • Bing Sun - Security Researcher, McAfee
    Bing Sun is a security researcher and leads the IPS security research team of McAfee. He has extensive experience in operating system kernel layer and information security R&D, with a particular focus on advanced vulnerability exploitation and detection, rootkit detection, firmware security, and virtualization technology.
  • Jin Liu - Security Researcher, Xfuture Security
    Jin Liu is a security researcher at Xfuture Security. Jin is mainly focused on vulnerability research, and he specializes in vulnerability analysis and exploitation, particularly browser vulnerability research on the Windows platform.
