Over the Edge: Silently Owning Windows 10's Secure Browser

Presented at Black Hat USA 2016, Aug. 4, 2016, 5 p.m. (50 minutes).

Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 10 operating system. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. We leverage this side channel to build a weird machine and read arbitrary data in the system from the browser. By controlling the alignment and reuse of data in memory, we perform a byte-by-byte disclosure of high-entropy sensitive data, such as 64-bit code pointers randomized by ASLR. Next, even without control over data alignment or reuse, we show how to disclose randomized 64-bit heap pointers using a novel birthday attack. To show these attack primitives are practical, we have built an end-to-end JavaScript-based exploit against the new Microsoft Edge browser, in absence of software vulnerabilities and with all defenses turned on. Our exploit combines our deduplication-based primitives with a reliable Rowhammer attack to gain arbitrary memory read and write access in the browser.

Presenters:

  • Erik Bosman - Vrije Universiteit Amsterdam
    Erik Bosman is a PhD student in the Systems and Network Security group at the Vrije Universiteit Amsterdam in the Netherlands. He is currently working on novel side-channel attacks for leaking sensitive information from the OS and applications. He has previously developed Signal Return-Oriented Programming, a highly portable exploitation technique that abuses signal frames for creating a weird machine that the attackers can program. His minemu system is the world fastest dynamic taint-tracker that can be used to protect binaries against memory corruption attacks.
  • Kaveh Razavi - Vrije Universiteit Amsterdam
    Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently mostly interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. He has previously been part of a CERT team specializing on operating system security, has worked on authentication systems of a Swiss bank, and has spent two summers in Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich and a PhD from Vrije Universiteit Amsterdam.
  • Herbert Bos - Vrije Universiteit Amsterdam
    Herbert Bos is a professor of Systems and Network Security at Vrije Universiteit Amsterdam in the Netherlands. Coming from a systems background, he drifted into security a few years ago and never left. Even so, he still does not understand crypto, and hides this by saying that he prefers to stay on the systems' side of security. He obtained a Ph.D. from Cambridge University Computer Laboratory (UK) and is very proud of his (ex-)students.
  • Cristiano Giuffrida - Vrije Universiteit Amsterdam
    Cristiano Giuffrida is an Assistant Professor in the Computer Science Department of the Vrije Universiteit Amsterdam. His research interests span across most aspects of systems security and reliability, including software security, side channels, and binary and malware analysis. He received a PhD cum laude from the Vrije Universiteit Amsterdam in 2014. He was awarded the Roger Needham Award at EuroSys and the Dennis M. Ritchie Award at SOSP for the best PhD dissertation in Computer Systems in 2015 (Europe and worldwide).

Links:

Similar Presentations: