As Control Flow Integrity (CFI) enforcement solutions are widely adapted by major applications, traditional memory vulnerability exploitation techniques aiming to hijack the control flow have become increasingly difficult. For example, Microsoft’s Control Flow Guard (CFG) is an effective CFI solution against traditional memory exploits.
However, due to the CFG implementation limitations, we have seen new exploitation techniques such as using the unprotected ret instruction to bypass CFG. We believe eventually these limitations could all be overcome or improved, and ultimately we expect a fine-grained CFG solution to completely defeat control-flow hijacking. Consequently, attackers have begun to seek alternatives to exploit memory vulnerabilities without diverting the control flow. As a result of this trend, the data-oriented attacks have emerged.
As its name suggests, a data-oriented attack focuses on altering or forging the critical data of an application, rather than attempting to alter its control flow. The data-oriented attack may allow the attacker to do some powerful things, such as loading certain unwanted or disabled modules or changing the attributes of certain memory pages. Sometimes this can be achieved by changing only a few bits of data. Today, most successful memory exploits can gain some level of memory read/write primitives during exploitation of memory corruption vulnerability, which makes data-oriented attacks possible.
In this talk, we will present some interesting examples that show the power of data-oriented attacks. We then discuss ways to prevent such attacks. We conclude by live demonstrations of CFG/DEP bypass on Windows 10’s Edge using data-only exploitation techniques.
The mitigation bypass techniques that will be discussed in this talk has won Microsoft’s mitigation bypass bounty (https://technet.microsoft.com/en-us/security/dn425049.aspx), and the details have never been publicly disclosed anywhere.