Matt Miller: Towards Mitigating Arbitrary Native Code Execution in Windows 10

Matt Miller gave a super packed talk about protecting Windows 10 applications against code reuse attacks. As the talk was super packed it was challenging to follow all the details and I really hope that the talk will become available online in the near future. The overall goal of the Windows security team is to kill entire bug classes while following required design practices.

At its core, Windows uses two techniques to prevent arbitrary code generation: code integrity guard which restricts DLLs that can be loaded by checking their signatures and arbitrary code guard which enforces immutable code so that data cannot become code. As a JIT compiler could compromise the guarantees of the arbitrary code guard, EDGE removed the JIT from the main browser process. JavaScript can only generate new machine code through a well-defined interface.

In addition to this baseline, control-flow guard protects against control-flow hijacking with the limitation that backward edges are not protected and valid functions can be called out of context. A design principle of CF Guard is to fail open, i.e., indirect calls to COTS binaries are permitted to enable backward compatibility.

Microsoft's defenses are evaluated according to the following criteria:

• Security: a defense must be robust against the threat model.
• Performance: the defense must be within reason compared to the value it gives.
• Compatibility: a defense must be compatible with existing code.
• Interoperability: defenses must interoperate with COTS/binary code.
• ABI compliant: rebuilding world is not possible.
• Agility: any defense added to the toolset increases complexity. Defenses must be agile enough to enable further and future development.
• Developer friction: cost for developers must be minimal, i.e., no code changes are possible.

Matt later talked about return flow guard, an ABI compliant shadow stack that leverages x86_64 segmentation. Unfortunately there were attacks against return flow guard that stopped it from being deployed.

Overall, this was a fun, fast paced, packed talk that explained the considerations industry has to follow when deploying mitigations and defenses. More information is available in a Microsoft blog post and Matt made the slides available as well.

Li Kang: Enhancing Symbolic Fuzzing with Learning

Li explained his project on scaling symbolic fuzzing. Based on a concrete execution he derives information about the execution, collecting constraints along the way. The program runs in phases, for each phase information is parsed and then propagated to the next phase. This data is then used to guide symbolic execution along these starting points. The combination of these techniques allows researchers to scale symbolic execution to larger and more complex programs.

The bag of tricks for further scaling involves selected state scheduling. Heuristics based on concrete program executions allow a better selection of reasonable states and help move symbolic execution past the early stages of the program.

Oleksandr Bazhaniuk, Yuriy Bulygin: Exploring Your System Deeper is Not Naughty

Alex and Yuriy gave an interesting talk about chip security. For chip firmwares, many different functional modules are simply slammed together with different code quality and security constraints. Some of the modules may not even be signed, others contain firmware that is read-writable. A simple module-based analysis may detect bugs in highly privileged code. This whole area is not well explored.

Omri Herscovici, Omer Gull: Pwned in Translation - from Subtitles to RCE

This was by far the most entertaining talk at SyScan this year. Omri and Omer showed a set of remote code execution bugs in different video players and home entertainment systems through subtitle parsing. Surprisingly, there is a large amount of different subtitle formats with different powers. Some of them allow background commands, font embedding, or even image decoding. Overall, they powned PopcornTime, Kodi, StremIO, and VLC. Fun times and very entertaining talk.

Joe FitzPatrick: Nation-State Capabilities, Lone Wolf Budget

Listening to emissions of electric devices leaks information about what they are computing. Tagging and learning the emission patterns allows interesting applications such as tracking locations. Fun hacker talk.

Mathias Payer: Protecting bare-metal smart devices with EPOXY

I presented our work on EPOXY, smart privilege overlays for embedded systems. Bare metal devices are protected through a privilege overlay. Software no longer runs directly at the highest privilege but at user-space privileges. To enable kernel functionality, privileged functions are identified and these instructions are lifted and tagged to execute at kernel privileges. This technique allows us to drop privileges for the majority of code and build higher level security primitives on top of the privilege separation. Slides, source, and paper are available online.

Conclusion

SyScan was again a fun conference and I enjoyed discussions with industry. Due to the location in Seattle a lot of Microsoft folks were around and it was very informative to hear about their constraints. In addition, exchanging ideas in an open hacker environment is always fun.