Explore a novel defensive strategy against memory corruption vulnerabilities in this Black Hat conference talk. Dive into a system that removes unused code from application processes, preventing attacks from accessing unnecessary code and APIs. Learn how this approach operates only during process creation, incurring no runtime overhead or performance degradation. Discover the implementation for Windows 8.1 and its testing on real-world applications. Examine the investigation into code overhead in current applications, and understand the intricacies of code stripping, control flow graph recovery, and image freezing techniques. Gain insights into the advantages, current limitations, and future work involving CFG from the compiler in this comprehensive exploration of breaking payloads through runtime code stripping and image freezing.
Breaking Payloads With Runtime Code Stripping and Image Freezing
Overview
Syllabus
Intro
Securing Software (is hard!) Software bugs
Exploits and Payloads Initial stage gains program counter control
Loading the Payload
Breaking the Payload
Remove unused Functionality
"Modern" Software
Adobe Reader DLL Dependencies
Adobe Reader DLL Usage
Viber DLL Usage
Control Flow Graph (CFG)
Code Stripping: DLL CFGS
Code Stripping: mark used code
Code Stripping: remove unused code
Control Flow Recovery
Control Flow Graph Recovery
Kill Files
Kill Node (example 1)
DLL Injection
DLL Preloading . Strip code from dynamically loaded DLLS
Image Freezing
Hook Mem API in User Space
Function Whitelisting Static analysis is not sufficient
Whitelisting Functions...
CodeFreeze at Runtime
DemoServer.exe: Memory Overhead Unprotected
CodeFreeze Advantages
Current Limitations
Future Work: CFG from the Compiler
Taught by
Black Hat
