JIT Spraying Never Dies

Recommendations

Info

References • https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass- Control-Flow-Guard-Comprehensively-wp.pdf • http://xlab.tencent.com/en/2015/12/09/bypass-dep-and-cfg-using-jitcompiler-in-charkra-engine/ • http://xlab.tencent.com/en/2016/01/04/use-chakra-engine-again-to-bypasscfg/ • https://blog.coresecurity.com/2015/03/25/exploiting-cve-2015-0311-part-iibypassing-control-flow-guard-on-windows-8-1-update-3/ • https://blog.coresecurity.com/2016/06/14/exploiting-internet-explorers- ms15-106-part-ii-jscript-arraybuffer-slice-memory-disclosure-cve-2015- 6053/ • https://labs.bromium.com/2015/09/28/an-interesting-detail-about-controlflow-guard/
Page 1 and 2: JIT Spraying Never Dies - Bypass CF
Page 3 and 4: About Speakers • Bing Sun - Bing
Page 5 and 6: Background Knowledge • Direct3D &
Page 7 and 8: Software Rasterizer & WARP • Soft
Page 9 and 10: GLSL & HLSL • Shading Language -
Page 11 and 12: WebGL and Its Usage • WebGL (Web
Page 13 and 14: The Basic Principle of CFG • Abou
Page 15 and 16: Known CFG Bypass Methods • Call V
Page 17 and 18: The Security Assessment on WARP Sha
Page 19 and 20: Separation of Data and Code Data Co
Page 21 and 22: The Weakness of WARP Shader JIT Eng
Page 23 and 24: No CFG for JITed Code Data Code
Page 25 and 26: WARP Module Not Loaded Web page con
Page 27 and 28: The Solution to Challenge I & II
Page 29 and 30: The Solution to Challenge III • S
Page 31 and 32: The Solution to Challenge III (cont
Page 33 and 34: MS16-063 typedarray.subarray(ropsta
Page 35 and 36: CVE-2016-0193 (jmp) esi -> Fake vft
Page 37 and 38: The Possibility of Exploiting 64-bi
Page 39 and 40: Demo - MS16-063
Page 41 and 42: Extra Demo • Other 0day CFG/DEP B
Page 43 and 44: Demo - CFG/DEP Bypass 0day II Creat
Page 45: Q&A • You are welcomed to send qu

JIT Spraying Never Dies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?