Bypass Control Flow Guard Comprehensively

Presented at Black Hat USA 2015, Aug. 6, 2015, 12:10 p.m. (50 minutes)

Control Flow Guard (CFG) is an exploit mitigation technique that Microsoft enabled in Windows 8.1 Update 3 and Windows 10 technical preview. CFG checks the target of indirect call and raises an exception if the target is invalid, thus preventing a vital step of many exploit techniques.

This talk analyses the weak-point of CFG and presents a new technique that can be used to bypass CFG comprehensively and make the prevented exploit techniques exploitable again. Furthermore, this technique is based on a generic capability, thus more exploit techniques can be developed from that capability.

Presenters:

• Yunhai Zhang - NSFOCUS
  Yunhai Zhang is a security researcher of NSFOCUS security team. He has worked on computer security for 10 years. He won the Microsoft Mitigation Bypass Bounty in 2014.

Links:

• https://www.blackhat.com/us-15/briefings.html#bypass-control-flow-guard-comprehensively
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Bypass Control Flow Guard Comprehensively.mp4
• https://www.youtube.com/watch?v=K929gLPwlUs
• https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf

Similar Presentations:

• Black Hat Europe 2015 / Exploiting Adobe Flash Player in the Era of Control Flow Guard
• Black Hat Asia 2017 / Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data
• Black Hat Asia 2018 / Back To The Epilogue: How to Evade Windows' Control Flow Guard with Less than 16 Bytes