ROP CFI RAP XNR CPI WTF? – Navigating the Exploit Mitigation Jungle (Michael Rodler)
February 17th, 2017
Abstract:
Techniques to bypass ASLR and NX are already widely known. The first thing the modern-day exploit writer searches for is a powerful information leak to defeat ASLR; then a ROP payload is introduced to avoid having to inject shellcode, effectively bypassing NX. Consequently, the search for better mitigation techniques against memory corruption exploits has bloomed.
First we will take a brief look at attempts to use more fine-grained randomization to protect binaries. Unfortunately, many of these attempts can be defeated with more powerful information leaks, which in turn has spawned more infoleak-resilient randomization schemes.
A very promising concept is Control Flow Integrity (CFI). We will look at what CFI is, what its problems are, and how it restricts an attacker. Recent academic work has shown some interesting results about the limits of CFI. Furthermore, we will look at some examples of what a CFI implementation looks like.
As the problems of CFI have become clearer, the focus has shifted again to preventing the actual hijacking of the instruction pointer. Protecting code pointers already has a history, with mitigation mechanisms such as RELRO and stack canaries. The Code Pointer Integrity (CPI) project has generalized this to all code pointers. We will take a look at how this protection is achieved.
Finally, we will take a look at what can be achieved with memory corruption without hijacking the program's control flow. We will briefly discuss the results of Data-Oriented Programming and a possible protection mechanism called Write Integrity Testing (WIT).
Bio:
Michael Rodler is currently a CS student at TU Graz and is writing his master's thesis about exploit mitigation techniques. His first contact with binary exploitation happened at FH Hagenberg, when he was talked into joining their local Capture The Flag team. At TU Graz he founded the LosFuzzys CTF team, which coincidentally won last year's BSides Ljubljana CTF. He also worked in the security industry, mainly in the area of secure coding. Furthermore, he worked on dynamic analysis of Android malware.
Video/recordings: