Jared DeMott, researcher at Bromium, is expected to give a talk on a Control Flow Guard bypass that Microsoft disregarded as unimportant and unworthy of a bug bounty when it was disclosed to them at Blackhat in August.
Control Flow Guard is an exploit mitigation technology that was enabled in Windows 10 and in Windows 8.1 Update 3.
DeMott’s talk, “Gadgets Zoo: Bypassing Control Flow Guard in Windows 10”, is expected to explain an open source malware analysis tool, The Packer Attacker, which enables security researchers to de-obfuscate encrypted and encoded malware. DeMott will also be introducing a new technique called “Stack DeSync”, which enables the bypass of Control Flow Guard.
According to Threatpost, Microsoft told DeMott that “it really only affects 32-bit apps running on 64-bit machines, and that it doesn’t affect all systems”. DeMott insisted “that IE runs as 32-bit by default on 64-bit Windows and this still fully affects the browser”.
The key to DeMott’s bypass is the use, or lack thereof, of Control Flow Integrity, a basic safety property. When combined, CFI and CFG create a formidable barrier. However, there are places where Microsoft only implements CFG, which does not protect return addresses on its own. The bypass corrupts the unprotected addresses, which eventually leads to return-oriented programming, a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing.
While the exploit is difficult to pull off, DeMott will be presenting it at DerbyCon, to a room full of cybersecurity professionals, hobbyists, and hackers. It’s difficult to say whether or not it’s falling into the right or wrong hands, but it’s definitely going into capable hands.
For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.