Play all

Intro

Outline

Motivation

Runtime Attacks

Return-Oriented Programming (ROP) - Basic Idea

ROP Adversary Model/Assumptions

ROP Attack Technique: Overview

ROP Attack History - Selected

CFI Implementation based on Labels

Original CFI Proposal: Cons & Pros

Solution Proposals: "Coarse-Grained CFI" Making of practical for real-world deployment

General Idea

Heuristics: Reducing False Negatives

"Coarse-Grained" CFI Proposals

Policy 1: Call-Preceded Return Address

Policy 2: Chain of Short Sequences

Contribution

Taking the Most Restrictive Setting in Coarse Grained CFI

Our Methodology and Workflow

Turing-Complete Gadget Set in kernel32.dll

Turing-Complete Gadget Set (contd.)

Long NOP Gadget

EMET'S ROP Mitigations

Related Attacks

Real-World Exploitation

Conclusion and Future Work

Description:

Explore advanced techniques for bypassing modern control-flow integrity (CFI) mechanisms in this Black Hat conference talk. Delve into a comprehensive analysis of recently proposed CFI solutions, including kBouncer, ROPGuard, ROPecker, and CFI for COTS binaries. Learn how to transform existing exploits against Windows into stealthy attacks that evade detection by Windows EMET and other CFI techniques. Discover how a 1MB Windows library (kernel32.dll) can be leveraged to derive a Turing-complete gadget set using only call-preceded gadgets. Gain insights into runtime attacks, Return-Oriented Programming (ROP), and the evolution of CFI implementations. Examine the limitations of coarse-grained CFI proposals and understand the methodology for creating more sophisticated exploits. Conclude with a discussion on real-world exploitation techniques and future directions in CFI research.

The Beast is in Your Memory

Black Hat

Add to list

#Conference Talks #Black Hat #Programming #Software Development #Information Security (InfoSec) #Cybersecurity #Control-Flow Integrity #Ethical Hacking #Exploit Development #Return-oriented Programming