LAS VEGAS — It wasn’t long ago that ROP, or return-oriented programming, was a hacker’s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR.
ROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to bypass popular tools such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) without the need for ROP. Exploit kits, for example, have integrated attacks that have moved up the exploitation stack closer to memory and before code is written to disk. All the while, defenders still focus on post-exploitation techniques (i.e., ROP) that are obsolete today.
This week at Black Hat USA 2016 in Las Vegas, researchers at Endgame are expected to introduce new defensive techniques that could level the playing field. Their approach is called Hardware Assisted Control Flow Integrity (HA-CFI), which leverages features in the micro-architecture of Intel processors, such as the performance monitoring unit (PMU), for security.
“During the last two years, academics have been using it for security purposes,” said Cody Pierce, Endgame director of vulnerability research. “We’re continuing the idea of using hardware features to implement a security check. That’s where CFI comes in and monitors the PMU to get real-time views into protected processes.”
Where tools such as EMET catch attacks in the post-exploitation stage of an attack, HA-CFI operates in the exploitation stage before bypasses happen.
“It’s generic in the fact it has no knowledge of exploit techniques, and doesn’t know about ROP; the system is autonomous,” Pierce said. “What it’s looking for is an abnormal change in execution. Usually this is the absolute first step of exploits. They will redirect execution from normal- to attacker-controlled execution. That’s a very specific thing that we’re hoping to pick up on.
“An analogy to malware would be that you would want to pick up detection of malware before it’s written to disk,” Pierce said. “You don’t want to wait until it runs and sets up persistence and backdoors.”
Microsoft implemented Control Flow Guard starting with Visual Studio 2015, and it runs only on x86 and x64 releases of Windows 8.1 and Windows 10. CFG restricts where applications can execute code from, Microsoft said, cutting into the effectiveness of code execution attacks and buffer overflow exploits. Pierce said CFG has its limitations, specifically that it can run only on the latest compilers and OSes, requiring organizations to recompile in order to run it. HA-CFI would operate at runtime, and its biggest limitation, Pierce said, is a performance overhead that could be 3x higher than Microsoft’s, requiring organizations to consider that tradeoff when protecting commonly exploited apps such as browsers, Office and Flash.
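To make the two approaches in this section concrete, here is an added, simplified model of control-flow integrity checking in Python. It is not Endgame's HA-CFI code nor Microsoft's CFG implementation; the image layout, function addresses, 16-byte chunk granularity and the branch trace are all constructed for the example. It builds a CFG-style bitmap of valid indirect-branch targets from known function entry points, then replays a trace of indirect branches (the kind of "abnormal change in execution" a runtime monitor would look for) against that bitmap and against an exact entry-point set, showing why a coarse bitmap accepts a mid-function target that an exact check rejects.

```python
"""Simplified CFI model: valid-target bitmap plus a trace-driven branch monitor.

Everything here is constructed for illustration: addresses, the program image,
the bitmap layout (one bit per 16-byte chunk, an assumption that only loosely
mirrors real CFG) and the branch trace.
"""
from dataclasses import dataclass

CHUNK = 16  # bytes of code covered by one bitmap bit (assumed granularity)

# Constructed "program image": function name -> entry address (hypothetical).
IMAGE_BASE = 0x401000
IMAGE_SIZE = 0x1000
IMAGE_FUNCTIONS = {
    "main": 0x401000,
    "parse_header": 0x401230,
    "render_page": 0x4014A0,
    "on_click": 0x401700,
}


def build_target_bitmap(functions, base, size):
    """Mark the chunk containing each legitimate function entry as a valid target.

    This is the compile/link-time side of a CFG-like scheme: only addresses the
    compiler knows are indirect-call targets get a bit set.
    """
    chunks = size // CHUNK
    bitmap = bytearray((chunks + 7) // 8)
    for addr in functions.values():
        idx = (addr - base) // CHUNK
        bitmap[idx // 8] |= 1 << (idx % 8)
    return bytes(bitmap)


def is_valid_target(bitmap, base, size, target):
    """Return True if `target` falls in a chunk marked valid in the bitmap."""
    if not (base <= target < base + size):
        return False  # outside the image entirely (heap, stack, unmapped)
    idx = (target - base) // CHUNK
    return bool(bitmap[idx // 8] & (1 << (idx % 8)))


@dataclass(frozen=True)
class Branch:
    pc: int      # address of the indirect call/jmp instruction
    target: int  # resolved destination of that branch


# Constructed trace of indirect branches as a runtime monitor would observe them.
# The first three are ordinary calls between functions; the fourth lands outside
# any loaded image; the fifth lands 8 bytes into parse_header's first chunk.
TRACE = [
    Branch(pc=0x401050, target=0x401230),
    Branch(pc=0x401260, target=0x4014A0),
    Branch(pc=0x4014C0, target=0x401700),
    Branch(pc=0x401720, target=0x0A0A0A0A),  # redirect outside the image
    Branch(pc=0x401730, target=0x401238),    # mid-function, same chunk as an entry
]


def check_trace(trace, bitmap, base, size, exact_entries=None):
    """Replay a branch trace and return the branches that violate the policy.

    With only the bitmap, the check has chunk granularity. Supplying the exact
    set of entry addresses tightens the policy to precise function entries.
    """
    alerts = []
    for b in trace:
        if not is_valid_target(bitmap, base, size, b.target):
            alerts.append(b)
        elif exact_entries is not None and b.target not in exact_entries:
            alerts.append(b)
    return alerts


def demo():
    """Run both policies over the constructed trace and return their alerts."""
    bitmap = build_target_bitmap(IMAGE_FUNCTIONS, IMAGE_BASE, IMAGE_SIZE)
    coarse = check_trace(TRACE, bitmap, IMAGE_BASE, IMAGE_SIZE)
    precise = check_trace(TRACE, bitmap, IMAGE_BASE, IMAGE_SIZE,
                          exact_entries=set(IMAGE_FUNCTIONS.values()))
    return coarse, precise


if __name__ == "__main__":
    coarse_alerts, precise_alerts = demo()
    for label, alerts in (("bitmap policy", coarse_alerts), ("exact-entry policy", precise_alerts)):
        print(f"{label}: {len(alerts)} alert(s)")
        for b in alerts:
            print(f"  indirect branch at {b.pc:#x} -> {b.target:#x}")
```

The bitmap policy catches the branch that leaves the image but accepts the mid-function target because it shares a chunk with a legitimate entry; the exact-entry policy flags both. That gap is the sort of tradeoff a designer weighs between a cheap, compact check and a tighter one with more runtime cost.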
As for ROP being on life support, a number of prominent researchers have been developing new approaches to mitigation bypasses that are putting those attacks out to pasture. Yang Yu, a two-time Microsoft bounty winner, really got the ball rolling with a 2014 Black Hat talk called Write Once, Pwn Anywhere where he was able to change a value in memory that allowed his attack to bypass native restrictions and execute commands sans ROP. The Hacking Team dump of last summer also showed that other professionals had moved beyond ROP with a slate of attacks that bypass EMET and other mitigations.
“From an exploit writer’s perspective, you don’t want to have to do more work than necessary, and we’ve learned ROP is a little unnecessary,” Pierce said, adding that some of these techniques that have become public in the last 12-18 months have made it easier to develop more powerful exploits.
“With ROP, usually some work has to be done to get all versions of apps you want to exploit,” Pierce said. “These advanced approaches eliminate that need.”