Modern memory corruption exploits gain arbitrary code execution by overwriting a function pointer with a controlled value and triggering a code path that dereferences it. Recent compilers attempt to prevent this by emitting additional checks before dereferencing code pointers, thus placing restrictions on the control flow graph. This makes exploitation more difficult. In VC++ 2015, Microsoft has implemented "Control Flow Guard" (CFG), which disallows certain indirect function calls. Windows 8.1 and 10 binaries are compiled with this option enabled, and contain the kernel extensions required to perform the extra checks. (LLVM/Clang offers control flow protection as well, but they are experimental and not currently used in real world apps for Mac or Linux at this point.) In this talk, we briefly describe known information on CFG implementation and weaknesses. The meat of our research is providing a generic CFG bypass. We have partnered with Microsoft to safely coordinate this release.

Rafal Wojtczuk has over 15 years of experience with computer security. Specializing primarily in kernel and virtualization security, over the years he has disclosed many security vulnerabilities in popular operating system kernels and virtualization software. He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomized address space environments. Recently he was researching advanced Intel security-related technologies, particularly TXT and VTd. He is also the author of libnids, a low-level packet reassembly library. He holds a master's degree in Computer Science from University of Warsaw. Jared DeMott is a seasoned security researcher who has spoken at conferences such as DerbyCon, Blackhat, DefCon, ToorCon, etc. Notable research relates to helping stop an exploit technique (ROP), by placing as a finalist in Microsoft's BlueHat prize contest, and by more recently showing how to bypass Microsoft's EMET protection tool. Jared teaches his AppSec course, has co-authored a book on Fuzzing, has been on three winning Defcon CTF teams, has been an invited lecturer at prestigious institutions such as the United States Military Academy, previously worked for the National Security Agency, and holds a PhD from Michigan State University.

Back to Derbycon 2015 video list