More and more white hats who practice offensive security and exploit writing are simultaneously talking about exploit mitigation. Granted, some are incentivized to do so by their employers or six-figure rewards programs, but the trend nonetheless is moving away from finding and fixing individual bugs to eliminating entire classes of vulnerability.
The latest example comes from Endgame, a Beltway provider for the U.S. intelligence and defense communities, which had a hand in finding a critical vulnerability in Adobe’s Flash Player that was patched this week. Endgame shared some insight on a vector corruption attack it used to find the bug, and two exploit mitigations that it says could go a long way toward wiping out use-after-free vulnerabilities, a favorite among attackers and bug-hunters alike.
“When you study the exploitation of vulnerabilities for as long as I have, you see it’s a cat-and-mouse game. Exploit writers are creative; attackers are creative. So if you implement vendor mitigations specific to a vulnerability, it’s sure to be bypassed eventually,” said Cody Pierce, director of vulnerability research and prevention at Endgame. “We look at approaches that disrupt more of the exploit process and less the object or target of corruption. You get much more mileage out of that. I’m a believer in defense in depth, and one approach is not enough. You need a lot of layering to raise the cost of exploit writing.”
This week’s Flash update patched 17 vulnerabilities, 15 of them use-after-free bugs, and all of them opening the door to remote code execution on Windows, Mac OS X and Linux machines.
In this case, Endgame said in a report published this week that it was able to bypass Adobe’s version of Heap Isolation to exploit Flash similarly to how an advanced attacker might do so in a targeted attack. Adobe deployed Heap Isolation in Flash 18.0.0209; it’s also a mitigation deployed by Mozilla and by Microsoft in EMET. Prior to using Heap Isolation, Adobe used a single heap for ActionScript objects, Endgame said, giving an attacker the luxury of attacking a Vector object and dictating where object are allocating. By corrupting memory in this way, attackers could read and write in virtual memory and bypass ASLR to execute code, Endgame said. Heap Isolation prevents this by allocating Vector objects in a separate heap, eliminating the attacker’s ability to corrupt memory in this way.
Typical of the cat-and-mouse game, however, Endgame has come up with its own version of Heap Isolation, one that it applies to every object, rather than specific objects such as vectors.
Endgame said in its post:
An attacker exploiting a UAF must reallocate a different object into the freed memory location when an object has been released. This reallocation is what eventually gains the attacker code execution by controlling the function pointers in an object.
Forcing heap isolation ensures the attacker can only reallocate the original object, effectively preventing exploitation.
Endgame said it also enforces control flow integrity, another mitigation that spots exploitation attempts in real time and cuts them off.
“It’s the point when an exploit has corrupted memory in a certain way that it is about to control the application,” Pierce said. “It can spot that unique point when normal execution switches to attacker-controlled execution. With control flow integrity, we hope to observe that and enforce a policy to prevent that from happening.”
Wide adoption of such techniques takes time as products need to be refactored and recompiled before they’re introduced. But ultimately, it serves the goal of making it more expensive for attackers to develop exploits, much in the way the addition of ASLR and DEP mitigations forced attackers to spend new development time and costs to arrive at Return Oriented Programming (ROP), which is now a staple of most exploits.
“Those are big hurdles that lengthen the time to exploit,” Pierce said. “We want to get to the point where it takes significant effort, like three people over the course of six months, to come up with an exploit.”