Over the years numerous exploit mitigations have been developed, and many ship with common operating systems or third-party security software. Yet weaponized exploits are still used effectively to infiltrate systems and bypass all existing mitigations. This presentation introduces a novel hardware-assisted approach for detecting and stopping exploits, built on hardware-based CPU tracing and a practical fine-grained CFI (control-flow integrity) check.
Some recent work has shown hardware-assisted methods to be very promising as a new anti-exploit technology, but most of that research has focused on PMU (performance-event) based methods. The approach presented in this talk uses tracing rather than PMU events: the CPU records every branch it takes, which lets the analysis follow the exact control flow of a program. This is achieved with a feature of modern CPUs intended for software tracing, called “Processor Trace”. The result is a practical, working system on Microsoft Windows that detects code-reuse (ROP) attacks with good accuracy and performance, in a way that was not possible with older CPU generations. The approach is unique in that it checks fine-grained CFI in a practical and unintrusive manner with relatively fast analysis. The talk will explain the research process that led to the working prototype and present the results, including a detailed drill-down of the different parts of the developed system.
The talk will include a demo of the system, which scans popular file formats such as Microsoft Word, PowerPoint and PDF and detects whether a file contains an exploit. I will talk about obstacles encountered during the research and how they were overcome: for example, how the analysis process was heavily optimized to cut the time needed to analyze a trace from several hours per file to a matter of seconds, and how to deal with exception handling and Windows user-mode callbacks, which cause irregularities from a control-flow perspective (execution arrives from the kernel at an address that no user-mode branch targeted, so a naive checker would flag it).
Some more details on the technique
The features used are called “Processor Trace” on Intel architectures and “CoreSight” on ARM-based processors. They enable fast tracing of every branch taken during the execution of a program with little performance impact on the traced application. Because the trace records only control-flow decisions (taken/not-taken bits and the targets of indirect branches), decoding it against the program's executable image reconstructs every instruction that was executed at the processor level. This way we can write systems that see everything an application does in near real time.
The ability to see every branch an application takes has immediate implications for many aspects of security, the most dramatic being a promising new anti-exploitation approach. It allows transparent fine-grained control-flow integrity and thus detection of many kinds of malicious behavior, including code-reuse attacks (ROP, JOP, etc.), exploits that write to dynamically generated code pages (JIT) and use-after-free exploits, as well as control-flow hardening and much more.
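As an added illustration (not code from the talk or from the presented system), the following Python sketch shows the kind of fine-grained CFI check that a decoded branch trace makes possible: a shadow stack for returns, a valid-target set for indirect branches, and explicit handling of the Windows user-mode callbacks mentioned above so they are not reported as violations. The `Branch` record, the `callback`/`callback_ret` kinds, the addresses and the valid-target map are all constructed for the example; a real system would populate them from decoded Processor Trace packets and the program's binaries.

```python
"""Fine-grained CFI check over a decoded branch trace (added example, not the talk's code).

Each Branch stands for one control-flow transfer recovered from a hardware trace.
Kinds used here (hypothetical labels chosen for the example):
  call         - direct or indirect call; src + size is the expected return address
  ret          - return; its target must match the shadow-stack top
  ijmp         - indirect jump; its target must be a statically known target of that site
  callback     - kernel-injected user-mode callback entry (no user-mode branch led here)
  callback_ret - the callback finishing via a system call, not via ret
"""
from dataclasses import dataclass

FRAME = object()   # sentinel separating a callback's frames from the interrupted code


@dataclass(frozen=True)
class Branch:
    kind: str
    src: int        # address of the branch instruction (or kernel return point)
    dst: int        # address where user-mode execution resumed
    size: int = 0   # encoded length of a call, so the return address is src + size


def check_trace(trace, valid_targets):
    """Return a list of (trace index, reason) for every control-flow violation found.

    valid_targets maps the address of an indirect call/jmp site to the set of
    targets the control-flow graph allows for it. Direct calls need no entry.
    """
    shadow = []
    violations = []
    for i, b in enumerate(trace):
        if b.kind == "call":
            # Indirect call sites are checked against the CFG; every call pushes
            # its return address so the matching ret can be verified later.
            if b.src in valid_targets and b.dst not in valid_targets[b.src]:
                violations.append((i, f"indirect call at {b.src:#x} to {b.dst:#x}"))
            shadow.append(b.src + b.size)
        elif b.kind == "ijmp":
            # An indirect jump whose site is unknown or whose target is outside the
            # CFG is flagged; dispatcher-gadget JOP chains show up here.
            if b.dst not in valid_targets.get(b.src, ()):
                violations.append((i, f"indirect jmp at {b.src:#x} to {b.dst:#x}"))
        elif b.kind == "ret":
            # A ret must land on the return address of the most recent live call.
            # A ret with no live frame, or one that crosses a callback boundary,
            # is exactly what a ROP chain produces.
            expected = shadow.pop() if shadow and shadow[-1] is not FRAME else None
            if expected != b.dst:
                exp = f"{expected:#x}" if expected is not None else "no live frame"
                violations.append((i, f"ret at {b.src:#x} to {b.dst:#x}, expected {exp}"))
        elif b.kind == "callback":
            # The kernel transfers control here; open a new frame instead of
            # treating the unexplained target as a violation.
            shadow.append(FRAME)
        elif b.kind == "callback_ret":
            # The callback leaves through a system call, so unwind anything left
            # in its frame and drop the marker.
            while shadow and shadow[-1] is not FRAME:
                shadow.pop()
            if shadow:
                shadow.pop()
            else:
                violations.append((i, f"callback return at {b.src:#x} without a callback frame"))
        else:
            raise ValueError(f"unknown branch kind {b.kind!r}")
    return violations


def is_exploit(trace, valid_targets):
    """True when the trace contains at least one control-flow violation."""
    return bool(check_trace(trace, valid_targets))


# Constructed sample data (addresses are made up for the example).
VALID_TARGETS = {0x401100: {0x402000, 0x402100}}   # one indirect site and its CFG targets

BENIGN_TRACE = [
    Branch("call", 0x401000, 0x402000, 5),      # direct call, return address 0x401005
    Branch("callback", 0x7FFE0000, 0x401500),   # kernel delivers a user-mode callback
    Branch("call", 0x401500, 0x402200, 5),
    Branch("ret", 0x402210, 0x401505),
    Branch("callback_ret", 0x40150A, 0x7FFE0010),
    Branch("call", 0x401100, 0x402100, 2),      # indirect call through a function pointer
    Branch("ret", 0x402110, 0x401102),
    Branch("ret", 0x402010, 0x401005),
]

ROP_TRACE = [
    Branch("call", 0x401000, 0x402000, 5),
    Branch("ret", 0x402010, 0x403005),          # corrupted return address lands on a gadget
    Branch("ret", 0x403008, 0x403020),          # gadget returns with no live frame
]

JOP_TRACE = [
    Branch("ijmp", 0x401100, 0x403005),         # dispatcher target not in the CFG
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("rop", ROP_TRACE), ("jop", JOP_TRACE)):
        print(name, is_exploit(trace, VALID_TARGETS), check_trace(trace, VALID_TARGETS))
```

The shadow stack is the fine-grained part: coarse-grained CFI only requires a ret to land after some call instruction, whereas matching it against the specific pending return address is what catches a chain of gadgets that each end in a valid-looking ret. Exception dispatch needs the same kind of frame bookkeeping as the callback case, since unwinding legitimately skips frames.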