JIT Spraying Never Dies

Recommendations

Info

The Basic Principle of CFG (cont’d) Compiler inserts a call target check before each indirect function call/jmp CFG bitmap base 16-byte aligned Non 16-byte aligned, set bit 0 of offset High 24-bit of call target address is used as an index into the bitmap to get a 32-bit bitmap entry Bit 3 ~ 7 of target address is used as an offset Test the bit “offset” of that 32-bit bitmap entry. Target address is valid if bit is set, otherwise trigger INT 29h
Known CFG Bypass Methods • Call VirtualProtect Wrapper to replace ___guard_check_icall_fptr – The Wrapper itself must be able to pass CFG check. – The Wrapper is better to take as few arguments as possible to facilitate passing arguments from high level language. – Fixed by adding extra logic in wrapper to make sure it can not be used for other purposes. • Transit via unguarded trampoline (either in executable or in <strong>JIT</strong> code) – The trampoline itself must be able to pass CFG check. – The target address of unguarded indirect control transfer instruction must be controllable. – Fixed by introducing a CFG check before the indirect control transfer instruction. • Leverage stack desynchronization situation to overwrite function return address – Requires a function that contains a controllable function callout, which is used to cause stack imbalance. – A controllable value must be pushed onto the stack, which happens to overwrite the function’s saved return address. – Fixed by enforcing stack pointer sanity check.
Page 1 and 2: JIT Spraying Never Dies - Bypass CF
Page 3 and 4: About Speakers • Bing Sun - Bing
Page 5 and 6: Background Knowledge • Direct3D &
Page 7 and 8: Software Rasterizer & WARP • Soft
Page 9 and 10: GLSL & HLSL • Shading Language -
Page 11 and 12: WebGL and Its Usage • WebGL (Web
Page 13: The Basic Principle of CFG • Abou
Page 17 and 18: The Security Assessment on WARP Sha
Page 19 and 20: Separation of Data and Code Data Co
Page 21 and 22: The Weakness of WARP Shader JIT Eng
Page 23 and 24: No CFG for JITed Code Data Code
Page 25 and 26: WARP Module Not Loaded Web page con
Page 27 and 28: The Solution to Challenge I & II
Page 29 and 30: The Solution to Challenge III • S
Page 31 and 32: The Solution to Challenge III (cont
Page 33 and 34: MS16-063 typedarray.subarray(ropsta
Page 35 and 36: CVE-2016-0193 (jmp) esi -> Fake vft
Page 37 and 38: The Possibility of Exploiting 64-bi
Page 39 and 40: Demo - MS16-063
Page 41 and 42: Extra Demo • Other 0day CFG/DEP B
Page 43 and 44: Demo - CFG/DEP Bypass 0day II Creat
Page 45 and 46: Q&A • You are welcomed to send qu

JIT Spraying Never Dies

Create successful ePaper yourself

Delete template?

Save as template?