Researchers at Endgame have been evaluating an exploitation technique called Counterfeit Object-Oriented Programming (COOP) to bypass Control Flow Integrity (CFI) implementations such as that used by Microsoft to harden the defenses of Windows 10.
Microsoft added its mitigation, called Control Flow Guard (CFG), in Windows 8.1 and Windows 10 to make exploitation of memory-based vulnerabilities more difficult. However, attackers have been adapting to the new defenses, and the likely next move is to bypass CFG and attack other weaknesses. Endgame researchers set out to evaluate COOP attacks against modern CFI implementations, whether Microsoft’s CFG or Endgame’s own solution (HA-CFI), in order to measure the effectiveness of this cutting-edge attack technique.
“Bypassing CFG has also been a popular subject at security conferences the past few years. However, some attackers simply avoid CFG altogether due to the lack of protection on the return stack,” said Matt Spisak, principal vulnerability researcher with Endgame. “Once Return Flow Guard or other Return Oriented Programming-based preventions are in place, attackers will be forced to deal with CFG more often.”
While the code-reuse attack COOP has been documented since a 2015 IEEE paper (PDF) describing the technique was published, attackers have not needed it: they have preferred to exploit memory corruption vulnerabilities in software using traditional techniques such as return-oriented programming (ROP).
To show that COOP attacks are on the horizon, on Tuesday Endgame published new research illustrating how diverse an attack technique COOP is. To make its point, Endgame explained how to carry out a theoretical COOP attack against Microsoft Edge on Windows 10.
Spisak said the research demonstrated how attackers could exploit zero-days, even in the presence of CFG, with techniques such as COOP. “It also shows that even with the latest mitigations by Microsoft, there still exists a weakness in the design of CFG. Attackers are creative and will still be able to innovate and bypass CFI implementations,” Spisak said.
Endgame stresses that COOP is not its own attack; rather, it is an attack method already identified in academia. Targeting Microsoft’s Edge browser on Windows using COOP is new, however. “Our purpose was to test our own and Microsoft’s defenses against this technique in order to stay ahead of potential exploitation trends coming down the road. The COOP technique has yet to show up in exploit kits, but is unique because it bypasses modern CFI implementations,” Spisak said.
According to Endgame, Edge is a CFG-hardened application in which Endgame was able to prepare its COOP payload in memory using JavaScript. The technique allows an attacker “to reuse and divert code down a different path to bypass exploit mitigations, specifically Control-Flow Integrity mitigations,” Endgame wrote.
Spisak said that, at this point, COOP has only been evaluated in academia as a way to bypass CFI. “It’s a code-reuse attack that illustrates weaker CFI implementations are vulnerable to,” he said.
Spisak declined to speculate on when these types of attacks might be seen in the wild. “Our goal is just to help the community improve its defenses against the next-generation of novel attacks,” he said.
“There isn’t a real-world example yet; we are applying state-of-the-art exploit techniques that attackers could adopt to bypass CFG even in the latest Windows Creators Edition. But as defenders, it’s important that we anticipate attacker innovations by testing against novel approaches and adapt or improve our mitigations,” Spisak said.