Capturing 0day Exploits with PERFectly Placed Hardware Traps

Presented at Black Hat USA 2016, Aug. 3, 2016, 10:20 a.m. (50 minutes)

The security industry has gone to great lengths to make exploitation more difficult. Yet we continue to see weaponized exploits used in malware campaigns and targeted attacks capable of bypassing OS and vendor exploit mitigation strategies. Many of these newly deployed mitigations target code-reuse attacks like return-oriented-programming. Unfortunately, the reality is that once attackers have control over code execution it's only a matter of time before they can circumvent these defenses, as the recent rise of EMET bypasses illustrates. We propose a new strategy to raise the bar significantly. Our approach blocks exploits before they gain execution, preventing the opportunity to bypass mitigations.

This presentation introduces a new cross-platform, hardware-assisted Control-Flow Integrity (CFI) approach to mitigate control-flow hijack attacks on the Intel architecture. Prior research has demonstrated the effectiveness of leveraging processor-provided features such as the Performance Monitoring Unit (PMU) in order to trap various events for detecting ROP behaviors. We extend and generalize this approach by fine-tuning low-level processor features that enable us to insert a CFI policy to detect and prevent abnormal branches in real-time. Our promising results have shown this approach capable of protecting COTS binaries from control-flow hijack attempts stemming from use-after-free and memory corruption vulnerabilities with acceptable overhead on modern Windows and Linux systems.

In this talk, we will cover our research methodology, results, and limitations. We will highlight novel solutions to major obstacles we faced, including: proper tracking of Windows thread context swapping; configuration of PMU interrupt delivery without tripping Microsoft's PatchGuard; efficient algorithms for discovery of valid branch destinations in PE and ELF files at run-time; and the impact of operating in virtualized environments. The effectiveness of our approach using hardware-assisted traps to monitor program execution and enforce CFI policies on mispredicted branches will be demonstrated in real-time. We will prevent weaponized exploits targeting Windows and Linux x86-64 operating systems that nominally bypass anti-exploit technologies like Microsoft's EMET tool. We will also present collected metrics on performance impact and the real-world applications of this technology.

Presenters:

• Kenneth Fitch - Endgame
  Kenneth Fitch is a Senior Vulnerability Researcher at Endgame working on discovering vulnerabilities, inventing mitigation techniques, and developing new research tools. Some of his research experience and interests include embedded reverse engineering, automated binary analysis and visualization, and extreme fuzzing. Before joining Endgame in the private sector, Kenneth was a federal employee within the Department of Defense.
• Matt Spisak - Endgame
  Matt Spisak is a Senior Vulnerability Researcher at Endgame, where he is focused on vulnerability discovery and researching innovative exploit mitigations. Having spent over a decade focused on mobile security and cellular technologies, Matt has become intimately familiar with most major operating systems and firmware components found in smartphones. His current research interests include baseband, smart cards, iOS, and reading processor manuals. Prior to joining Endgame, Matt worked at the National Security Agency and then briefly as a defense contractor.
• Cody Pierce - Endgame
  Cody Pierce has been involved in computer and network security since the mid 90s. For the past 13 years he has focused on discovery and remediation of known and unknown vulnerabilities. Instrumental in the success of HP's Zero Day Initiative program, Cody has been exposed to hundreds of 0day vulnerabilities, advanced threats, and the most current malware research. At Endgame, Cody has lead a successful team tasked with analysing complex software to identify unknown vulnerabilities and leveraged global situational awareness to manage customer risk. A notable contributor to the vulnerability analysis and reverse engineering community Cody has been a subject matter expert in the media, referenced in industry literature, and has presented at notable industry conferences. Cody holds a unique perspective at the intersection of the most advanced threats and the state of the art in defensive measures and trends.

Links:

• https://www.blackhat.com/us-16/briefings.html#capturing-0day-exploits-with-perfectly-placed-hardware-traps
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Capturing 0Day Exploits With Perfectly Placed Hardware Traps.mp4
• https://www.youtube.com/watch?v=0gjaM1UYK8o
• https://www.blackhat.com/docs/us-16/materials/us-16-Pierce-Capturing-0days-With-PERFectly-Placed-Hardware-Traps.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Pierce-Capturing-0days-With-PERFectly-Placed-Hardware-Traps-wp.pdf

Similar Presentations:

• Black Hat Europe 2016 / Towards a Policy-Agnostic Control-Flow Integrity Implementation
• 32C3 (2015) / New memory corruption attacks: why can't we have nice things?
• Black Hat USA 2014 / The Beast is in Your Memory: Return-Oriented Programming Attacks Against Modern Control-Flow Integrity Protection Techniques