Understanding a New Memory Corruption Defense: Use-after-Free (UaF) Mitigation and Bypass

Presented at ShmooCon XI (2015), Unknown date/time (Unknown duration)

Memory corruption has plagued computers for decades. These software bugs can often be transformed into working cyber-attacks. High-level protections, such as anti-virus, have done little to stop the tide. Recent low-level protections such as non-executable memory and module randomization have helped. Yet a new variant called return-oriented programming (ROP) has survived these protections. Medium-level protections, such as Microsoft's anti-ROP add-on called EMET, has helped some. But a particularly troublesome bug known as Use-after-Free (UaF) has been used in conjunction with other techniques to bypass EMET. Thus, another low-level mitigation is required. This talk will describe Heap Isolation and Delayed Free, two such new mitigations, aimed at preventing UaFs. We will demo the protection in action. We will also walk through a bypass for the new protection. We wrap up by discussing trends to watch for in the next couple years as it relates to these and other similar software attacks.

Presenters:

• Jared DeMott
  Jared DeMott is a seasoned security researcher who has spoken at conferences such as DerbyCon, Blackhat, DefCon, ToorCon, etc. Notable research relates to helping stop an exploit technique (ROP), by placing as a finalist in Microsoft's BlueHat prize contest, and by more recently showing how to bypass Microsoft's EMET protection tool. Jared teaches his AppSec course, has co-authored a book on Fuzzing, has been on three winning Defcon CTF teams, has been an invited lecturer at prestigious institutions such as the United States Military Academy, previously worked for the National Security Agency, and holds a PhD from Michigan State University.

Similar Presentations:

• 31C3 (2014) / EMET 5.1 - Armor or Curtain?
• THOTCON 0x5 (2014) / Bypassing EMET 4.1
• DeepSec 2014 „Do you want to know more?“ / Reliable EMET Exploitation