Abusing Silent Mitigations - Understanding Weaknesses Within Internet Explorer's Isolated Heap and MemoryProtection

Presented at Black Hat USA 2015, Aug. 5, 2015, 1:50 p.m. (50 minutes)

In the Summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap.

This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines the techniques and steps an attacker must take to defeat these mitigations and, where possible, gain code execution from use-after-free vulnerabilities. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded, thereby bypassing ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer against these new attack vectors.


Presenters:

  • Simon Zuckerbraun - Hewlett-Packard Company
    Simon Zuckerbraun is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Zuckerbraun analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. Zuckerbraun also engages in original vulnerability research for HPSR and has discovered numerous critical vulnerabilities, primarily in Microsoft Internet Explorer. Zuckerbraun has a B.A. in Mathematics from Princeton University.
  • Abdul-Aziz Hariri
    Abdul-Aziz Hariri is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining HP, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter.
  • Brian Gorenc - HP Zero Day Initiative
    Brian Gorenc is the manager of Vulnerability Research with Hewlett-Packard Security Research (HPSR). In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Prior to joining HP, Gorenc worked for Lockheed Martin on the F-35 Joint Strike Fighter (JSF) program. In this role, he led the development effort on the Information Assurance (IA) products in the JSF's mission planning environment.