Published: Wed 31 May 2017
By Mathias Payer
In Conferences .
tags: SyScan security
Just a couple of days after Oakland '17 I
attended my next information security conference. This year, SyScan+360 was in
Seattle and I used the time between Oakland and SyScan for a nice road trip from
San Jose to Seattle. SyScan is not an academic but an industry conference. As
I've been to SysCan before (see write-ups for the first and second
day), I knew that I could expect a great technical program focused on attacks
hosted by the awesome Thomas Lim. SyScan focuses on fewer but higher quality
talks and as always, I will focus on my personal highlights.
Matt Miller: Towards Mitigating Arbitrary Native Code Execution in Windows 10
Matt Miller gave a super packed talk about protecting Windows 10 applications
against code reuse attacks. As the talk was super packed it was challenging to
follow all the details and I really hope that the talk will become available
online in the near future. The overall goal of the Windows security team is to
kill entire bug classes while following required design practices.
At its core, Windows uses two techniques to prevent arbitrary code generation:
code integrity guard which restricts DLLs that can be loaded by checking their
signatures and arbitrary code guard which enforces immutable code so that data
cannot become code. As a JIT compiler could compromise the guarantees of the
arbitrary code guard, EDGE removed the JIT from the main browser process.
JavaScript can only generate new machine code through a well-defined interface.
In addition to this baseline, control-flow guard protects against control-flow
hijacking with the limitation that backward edges are not protected and valid
functions can be called out of context. A design principle of CF Guard is to
fail open, i.e., indirect calls to COTS binaries are permitted to enable
backward compatibility.
Microsoft's defenses are evaluated according to the following criteria:
Security: a defense must be robust against the threat model.
Performance: the defense must be within reason compared to the value it gives.
Compatibility: a defense must be compatible with existing code.
Interoperability: defenses must interoperate with COTS/binary code.
ABI compliant: rebuilding world is not possible.
Agility: any defense added to the toolset increases complexity. Defenses must
be agile enough to enable further and future development.
Developer friction: cost for developers must be minimal, i.e., no code changes
are possible.
Matt later talked about return flow guard, an ABI compliant shadow stack that
leverages x86_64 segmentation. Unfortunately there were attacks against return
flow guard that stopped it from being deployed.
Overall, this was a fun, fast paced, packed talk that explained the
considerations industry has to follow when deploying mitigations and defenses.
More information is available in a Microsoft blog post
and Matt made the slides
available as well.
Li Kang: Enhancing Symbolic Fuzzing with Learning
Li explained his project on scaling symbolic fuzzing. Based on a concrete
execution he derives information about the execution, collecting constraints
along the way. The program runs in phases, for each phase information is parsed
and then propagated to the next phase. This data is then used to guide symbolic
execution along these starting points. The combination of these techniques
allows researchers to scale symbolic execution to larger and more complex
programs.
The bag of tricks for further scaling involves selected state scheduling.
Heuristics based on concrete program executions allow a better selection of
reasonable states and help move symbolic execution past the early stages of the
program.
Oleksandr Bazhaniuk, Yuriy Bulygin: Exploring Your System Deeper is Not Naughty
Alex and Yuriy gave an interesting talk about chip security. For chip firmwares,
many different functional modules are simply slammed together with different
code quality and security constraints. Some of the modules may not even be
signed, others contain firmware that is read-writable. A simple module-based
analysis may detect bugs in highly privileged code. This whole area is not well
explored.
Omri Herscovici, Omer Gull: Pwned in Translation - from Subtitles to RCE
This was by far the most entertaining talk at SyScan this year. Omri and Omer
showed a set of remote code execution bugs in different video players and home
entertainment systems through subtitle parsing. Surprisingly, there is a large
amount of different subtitle formats with different powers. Some of them allow
background commands, font embedding, or even image decoding. Overall, they
powned PopcornTime, Kodi, StremIO, and VLC. Fun times and very entertaining
talk.
Joe FitzPatrick: Nation-State Capabilities, Lone Wolf Budget
Listening to emissions of electric devices leaks information about what they are
computing. Tagging and learning the emission patterns allows interesting
applications such as tracking locations. Fun hacker talk.
Conclusion
SyScan was again a fun conference and I enjoyed discussions with industry. Due
to the location in Seattle a lot of Microsoft folks were around and it was very
informative to hear about their constraints. In addition, exchanging ideas in an
open hacker environment is always fun.