Breaking Payloads with Runtime Code Stripping and Image Freezing

Presented at Black Hat USA 2015, Aug. 6, 2015, 3:50 p.m. (50 minutes)

Fighting off attacks based on memory corruption vulnerabilities is hard, and a lot of research has been and is being conducted in this area. In our recent work, we took a different approach and looked into breaking the payload of an attack. Current attacks assume that they have access to every piece of code and the entire platform API. In this talk, we present a novel defensive strategy that targets this assumption. We built a system that removes unused code from an application process to prevent attacks from using code and APIs that would otherwise be present in the process memory but are normally not used by the actual application. Our system is active only during process creation and therefore incurs no runtime overhead and thus no performance degradation. Our system does not modify any executable files or shared libraries, as all actions are executed in memory only. We implemented our system for Windows 8.1 and tested it on real-world applications. Besides presenting our system, we also show the results of our investigation into code overhead present in current applications.


Presenters:

  • Collin Mulliner - Northeastern University
    Collin Mulliner is a systems security researcher with a focus on software components close to the operating system and kernel. In the past, he spent most of his time working on mobile and embedded systems with an emphasis on mobile and smart phones. Collin is interested in vulnerability analysis and offensive security, as he believes that in order to understand defense you first have to understand offense. Collin received a PhD from the Technische Universitaet Berlin in 2011, and an MS and BS in computer science from UC Santa Barbara and FH-Darmstadt. Lately, Collin switched his focus to the defensive side to work on mitigations and countermeasures. Collin is also co-author of The Android Hacker's Handbook.
  • Matthias Neugschwandtner - IBM Zurich
    Matthias Neugschwandtner is a system security researcher working at the Cloud and Storage Security Group at IBM Research, Zurich. The main focus of his research lies in low-level system security. This encompasses program analysis, vulnerability detection and system hardening. He received his D.Sc. degree from Vienna University of Technology in 2014, where he worked at the Secure Systems Lab. During his studies he joined the System and Network Security Group at the Vrije Universiteit Amsterdam as a visiting researcher in 2011, and the Northeastern University Systems Security Lab in Boston in 2013.
