JIT Spraying Never Dies

Recommendations

Info

Shader’s Lifecycle on WARP HTML Rendering Engine (edgehtml.dll/mshtml.dll) 2. HLSL 3. HLSL bytecode D3D HLSL Compiler (d3dcompiler_47.dll) 5. Create Shader or Draw D3D 10 Rasterizer (d3d10warp.dll) Shader GLSL source 1. GLSL 4. Create Shader or Draw D3D 11 runtime (d3d11.dll) 6. Compile Shader WARP Shader <strong>JIT</strong> Code
The Basic Principle of CFG • About CFG (Control Flow Guard) – A compiler-aided exploitation mitigation mechanism that prevents exploit from hijacking the control flow. – Compiler inserts CFG check before each indirect control transfer instruction (call/jmp), and at runtime the CFG check will validate the call target address against a pre-configured CFG bitmap to determine whether the call target is valid or not. The process will be terminated upon an unexpected call target is identified. – The RVA of all valid call targets determined at the time of compilation are kept in a Guard CF Function table in PE file. During the PE loading process, the loader will read CF info from guard CF function table and update the CFG bitmap. – The read-only CFG bitmap is maintained by the OS, and part of the bitmap is shared by all processes. Even bit in CFG bitmap corresponds to one 16-bytes aligned address, while odd bit corresponds to 15 non 16-bytes aligned addresses. – When the PE file is loaded, __guard_check_icall_fptr will be resolved to point to ntdll!LdrpValidateUserCallTarget.
Page 1 and 2: JIT Spraying Never Dies - Bypass CF
Page 3 and 4: About Speakers • Bing Sun - Bing
Page 5 and 6: Background Knowledge • Direct3D &
Page 7 and 8: Software Rasterizer & WARP • Soft
Page 9 and 10: GLSL & HLSL • Shading Language -
Page 11: WebGL and Its Usage • WebGL (Web
Page 15 and 16: Known CFG Bypass Methods • Call V
Page 17 and 18: The Security Assessment on WARP Sha
Page 19 and 20: Separation of Data and Code Data Co
Page 21 and 22: The Weakness of WARP Shader JIT Eng
Page 23 and 24: No CFG for JITed Code Data Code
Page 25 and 26: WARP Module Not Loaded Web page con
Page 27 and 28: The Solution to Challenge I & II
Page 29 and 30: The Solution to Challenge III • S
Page 31 and 32: The Solution to Challenge III (cont
Page 33 and 34: MS16-063 typedarray.subarray(ropsta
Page 35 and 36: CVE-2016-0193 (jmp) esi -> Fake vft
Page 37 and 38: The Possibility of Exploiting 64-bi
Page 39 and 40: Demo - MS16-063
Page 41 and 42: Extra Demo • Other 0day CFG/DEP B
Page 43 and 44: Demo - CFG/DEP Bypass 0day II Creat
Page 45 and 46: Q&A • You are welcomed to send qu

JIT Spraying Never Dies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?