Explore advanced techniques for bypassing modern control-flow integrity (CFI) mechanisms in this Black Hat conference talk. Delve into a comprehensive analysis of recently proposed CFI solutions, including kBouncer, ROPGuard, ROPecker, and CFI for COTS binaries. Learn how to transform existing exploits against Windows into stealthy attacks that evade detection by Windows EMET and other CFI techniques. Discover how a 1MB Windows library (kernel32.dll) can be leveraged to derive a Turing-complete gadget set using only call-preceded gadgets. Gain insights into runtime attacks, Return-Oriented Programming (ROP), and the evolution of CFI implementations. Examine the limitations of coarse-grained CFI proposals and understand the methodology for creating more sophisticated exploits. Conclude with a discussion on real-world exploitation techniques and future directions in CFI research.
Overview
Syllabus
Intro
Outline
Motivation
Runtime Attacks
Return-Oriented Programming (ROP) - Basic Idea
ROP Adversary Model/Assumptions
ROP Attack Technique: Overview
ROP Attack History - Selected
CFI Implementation based on Labels
Original CFI Proposal: Cons & Pros
Solution Proposals: "Coarse-Grained CFI" Making of practical for real-world deployment
General Idea
Heuristics: Reducing False Negatives
"Coarse-Grained" CFI Proposals
Policy 1: Call-Preceded Return Address
Policy 2: Chain of Short Sequences
Contribution
Taking the Most Restrictive Setting in Coarse Grained CFI
Our Methodology and Workflow
Turing-Complete Gadget Set in kernel32.dll
Turing-Complete Gadget Set (contd.)
Long NOP Gadget
EMET'S ROP Mitigations
Related Attacks
Real-World Exploitation
Conclusion and Future Work
Taught by
Black Hat
