bypassing mitigations by attacking jit server in
play

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan - PowerPoint PPT Presentation

Jan 19, 2023 •281 likes •774 views

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

  1. Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

  2. About me ● Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) ● Doing security research for the last 10 years ● ● Author: Domato, WinAFL, ROPGuard ● @ifsecure on Twitter 2

  3. Browser exploit flow (example) Remote Read/write Code Break out vuln primitive execution of process 3

  4. Browser exploit flow (example) Remote Read/write Code Break out vuln primitive execution of process 4

  5. Code execution mitigations CFG Remote Read/write Code Break out vuln primitive execution of process Before: ● mov rbx,qword ptr [rax+8] call rbx ● After: mov rbx,qword ptr [rax+8] mov rax, rbx call qword ptr [chakra!_guard_dispatch_icall_fptr] ● Bitmap of CFG-allowed targets (some granularity involved) Only checks forward edges (doesn’t check return addresses) ● 5

  6. Code execution mitigations CFG Remote Read/write Code Break out vuln primitive execution of process ACG CIG ● 2 new mitigations Introduced in Windows 10 creators update (1703) 6

  7. Code execution mitigations CFG Remote Read/write Code Break out vuln primitive execution of process ACG CIG ● Arbitrary Code Guard (ACG) ● Make it impossible to allocate new executable pages ○ ■ e.g. VirtualAlloc(... ,... ,PAGE_EXECUTE_READWRITE ,...) make existing executable pages writable ○ ■ e.g. VirtualProtect(... ,... ,PAGE_EXECUTE_READWRITE ,...) Attempting results in 0xc0000604 STATUS_DYNAMIC_CODE_BLOCKED ● Similar to PaX MPROTECT ● ● What about JIT? JIT Server. 7

  8. Code execution mitigations CFG Remote Read/write Code Break out vuln primitive execution of process ACG CIG ● Code Integrity Guard (CIG) ○ Can only load properly signed DLLs 8

  9. Agenda ● How ACG works? Is it effective? ● How does JIT server work ● ● Issues (CFG and ACG) 9

  10. Enabling ACG ● Relies on setting the dynamic code policy ● Enabled by SetProcessMitigationPolicy() In Edge: ● 00 KERNELBASE!SetProcessMitigationPolicy 01 MicrosoftEdgeCP!SetProcessDynamicCodePolicy+0xc0 02 MicrosoftEdgeCP!StartContentProcess_Exe+0x164 03 MicrosoftEdgeCP!main+0xfe 04 MicrosoftEdgeCP!_main+0xa6 05 MicrosoftEdgeCP!WinMainCRTStartup+0x1b3 06 KERNEL32!BaseThreadInitThunk+0x14 07 ntdll!RtlUserThreadStart+0x21 10

  11. When is it enabled? 11

  12. When is it enabled? From Microsoft’s blog post: 12

  13. When is it enabled? 13

  14. How effective is ACG? Assumption: Attacker has a read/write primitive Data-only attacks ● ● Code reuse attacks ○ Do we need a ROP compiler? ● Code second-stage payloads in JavaScript ○ Need a way to call native-code functions from JavaScript and continue running script ○ Libraries already exist (pwn.js from Theori) 14

  15. Mitigations that work together ● ACG, CIG, no CFG => ROP, privescs in JavaScript CFG, CIG, no ACG => Overwrite/allocate executable memory ● ● CFG, ACG, no CIG => Load a malicious .dll 15

  16. ACG Bypasses, prior work ● Abusing thread opt-out (no longer the case) ● Bypass using Warbird DRM framework (Alex Ionescu) 16

  17. JIT server (simplified) Load script Parse into bytecode bytecode, ... Compile the bytecode RPC Interpret bytecode Allocate and write native native code address, ... code to shared memory Execute native code Shared memory Compiled code Compiled code PAGE_EXECUTE_READ PAGE_READWRITE MicrosotfEdgeCP.exe (JIT server) MicrosotfEdgeCP.exe (content process) BlockDynamicCode = OFF BlockDynamicCode = ON 17

  18. JIT server, maintaining state Process Thread Script Load script context context context Parse into bytecode Bytecode, ... Bytecode, ... Compile the bytecode context handle context ptr RPC Execute bytecode native code address, Allocate and write native ... code to shared memory Execute native code Compiled code Shared memory Compiled code PAGE_EXECUTE_READ PAGE_READWRITE MicrosotfEdgeCP.exe (JIT server) MicrosotfEdgeCP.exe (content process) BlockDynamicCode = OFF BlockDynamicCode = ON 18

  19. Exposed methods / managing contexts ● (!) ConnectProcess - Connects a new Content Process and creates the corresponding Process Context (!) InitializeThreadContext - Creates a ServerThreadContext object on the server. Also pre-reserves ● memory for compiled code and JIT thunks. InitializeScriptContext - Creates a ServerThreadContext object on the server. ● ● CleanupThreadContext - Marks Thread context as closed, removes it from the Thread context dictionary and closes all associated ScriptContexts ● CloseScriptContex - Marks Script context as closed and removes it from the Script context dictionary CleanupScriptContex - Closes script context if not closed already and deletes the associated ● ServerScriptContext object Shutdown - Deletes closed context objects, deletes allocated pages and unregisters RPC server ● 19

  20. Exposed methods / updating data in contexts ● UpdatePropertyRecordMap ● AddDOMFastPathHelper AddModuleRecordInfo ● SetWellKnownHostTypeId ● ● SetIsPRNGSeeded 20

  21. Exposed methods / working with thunks ● Thunk == short trampoline that jumps to function implementation ○ Executable code ○ Every function gets one NewInterpreterThunkBlock - Allocates a new executable buffer and fills it with ● interpreter thunks. ● DecommitInterpreterBufferManager - Decommits all memory pages used for thunk allocations. IsInterpreterThunkAddr - Checks if address is in one of the interpreter thunk ● blocks 21

  22. Exposed methods / working with compiled code ● (!) RemoteCodeGen ○ This is where the magic happens ○ Large structure as input/output ■ Bytecode ■ Type information, caches, inlinee information, addresses ● IsNativeAddr - checks if address is in one of the JIT blocks (!) FreeAllocation - Frees executable memory allocation made previously by the ● server and clears CFG targets 22

  23. JIT phases (1/2) ● (!) Build Intermediate Representation (IR) from bytecode ● Function inlining Build flow graph ● Global optimizations ● ● Lower IR into machine-specific representation (not yet encoded) ● Encode large constants (security) Insert stack probes ● Register allocation ● 23

  24. JIT phases (2/2) ● Peephole optimizations ● Layout Insert bailouts ● Insert NOPs at random points (security) ● ● Insert function prolog and epilog ● Final lower (!) Encoder ● Fixups on data allocated by JIT process ● 24

  25. Encoder phase (Encoder.cpp) ● Prepares the buffer with compiled code ○ Encoded instructions ○ Jump tables for switch statements ● Allocates memory for executable code Copies the buffer ● 25

  26. Allocating memory Busy Segment Free Page Page Page Page Page Alloc Free Alloc Decommitted 26

  27. Allocating memory / Segments (SectionAllocWrapper.cpp) Busy Segment Free Page Page Page Page Page Alloc Free Alloc Decommitted ● Segment == Shared memory object (created via CreateFileMapping) ● Mapped into each process using MapViewOfFile2 ○ PAGE_EXECUTE_READ for content process ○ PAGE_READWRITE for JIT process ● In JIT process unmapped immediately after writing 27

  28. Allocating memory / Pages (PageAllocator.cpp) Busy Segment Free Page Page Page Page Page Alloc Free Alloc Decommitted ● Pages start as decommitted -> committed using VirtualAllocEx when needed ● Each segment has 2 bit vectors for free pages and decommitted pages Once a page gets committed it gets filled with 0xCC (int 3) ● When sufficient number of pages is freed, pages start getting decommitted ● 28

  29. Allocating memory / Allocations (CustomHeap.cpp) Busy Segment Free Page Page Page Page Page Alloc Free Alloc Decommitted ● Large allocations (>pagesize) get the corresponding number of pages ● For smaller allocations, pages get divided into 128-byte blocks Bitmap of free blocks inside a page ○ ● Pages get put in buckets for allocations of size 128, 256, 512, 1024, 2048, 4096 ● Metadata is not stored together with data, stored in Allocation objects on the server only Upon freeing, data is filled with 0xCC (int 3) ● 29

  30. Issues ● CFG ○ Issues that rely on return address overwrite ○ Issues that don’t rely on return address overwrite ● ACG Memory corruption issues in the JIT process ○ ○ Logic issues in the JIT process 30

  31. Controlling bytecode ● What can we do with bytecode? ● T. Dullien: “Exploitation and state machines” Arbitrary read/write ○ ○ Overwriting the stack (in Chakra e.g. OP_ArgOut_A) 31

  32. Call instructions in the JIT code ● What happens when JIT code needs to call a function, e.g. call chakra!helper_function ● JIT server needs to know address of DLLs in the Content Process ○ Q: How does it know? ○ A: Content Process tells it. 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on

TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on

TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on how to audit a DNS server when you dont really know anything about DNS Date 17/11/2017 At GreHack By Clment Berthaux Whoami Clment

721 views • 26 slides
A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why

A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why

A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why Mitigations Attack surface reduction Hardware vulnerabilities Memory corruption Misc Missing ones Conclusion 2 Earlier

675 views • 48 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations & Future Tony Barber Nov 2013 TF-NOC Wayne Routly, DANTE GEANT APM, Vienna 8 October, 2013 Agenda Effects Real World Examples Mitigations

237 views • 13 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.09k views • 92 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.27k views • 96 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
Mitigations 3 Main Mitigations Implement traffic Implement Border Improve trader

Mitigations 3 Main Mitigations Implement traffic Implement Border Improve trader

UK border planning assumptions Ports of Calais, Dunkerque and Dover and Eurotunnel in Coquelles and Folkestone are Freight arriving at Dover and Folkestone will leave the port and terminal as they do today ready and have the infrastructure,

549 views • 25 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen & Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Chanwoo Chung , Jinhyung Koo, Junsu Im, Arvind , and Sungjin Lee DGIST and MIT NVRAMOS 19 2019.10.24 DATA -INTENSIVE COMPUTING SYSTEMS LAB ORATORY Computation Application Application Application Application Application

597 views • 48 slides
Network Time Protocol (NTP) server client Aanchal Malhotra Isaac E. Cohen, Erik Brakke Sharon

Network Time Protocol (NTP) server client Aanchal Malhotra Isaac E. Cohen, Erik Brakke Sharon

NDSS, 2016 Attacking the Network Time Protocol (NTP) server client Aanchal Malhotra Isaac E. Cohen, Erik Brakke Sharon Goldberg Outline of the talk Background How does NTP work? How does NTP client take time? Our attacks

497 views • 16 slides
Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot - @elc0rr3Km1n0s Sr. Penetration Tester & Lead Auditor @Airbus Father, Bug Hunter, Tech-entrepreneur Plan Intro Install Prerequisites

376 views • 22 slides
Outline Modern architectures Spring 2006 Delay slots Introduction to instruction

Outline Modern architectures Spring 2006 Delay slots Introduction to instruction

Outline Modern architectures Spring 2006 Delay slots Introduction to instruction scheduling List scheduling Code Scheduling Resource constraints Interaction with register allocation Scheduling across basic blocks

887 views • 22 slides
Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet

Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet

Semantic Networks and Topic Modeling A Comparison Using Small and Medium-Sized Corpora Loet Leydesdor ff & Adina Nerghes D I G I TA L H U M A N I T I E S L A B Networks of words Semantic Networks Networks of concepts Content networks

408 views • 27 slides
Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

471 views • 23 slides
Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position

Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position

Observations From xDSMLs to DSTLs Conclusion and future work Leveraging Executable Language Engineering for Domain-Specific Transformation Languages (Position Paper) EXE 2016, Saint-Malo, France Erwan Bousse 1 Manuel Wimmer 1 Wieland Schwinger

594 views • 34 slides
Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz

Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz

Technische Universitt Berlin Desig ign of f a Symboli licall lly Executable le Embedded Hyperv rvis isor Jan Nordholz <j.nordholz@tu-berlin.de> 15 th EUROSYS, 27-30 April, 2020 PHIDIAS Type PHI ype I I Em Embedded Hype

388 views • 10 slides
Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig Claes Nilsson Technology Area Group Leader Web Browsing Marcus Liwell Technology Area Group Leader Security and DRM Rev 1

576 views • 12 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Wishlist for Web Programming Peter Thiemann Universit at Freiburg Links Meeting, Edinburgh,

Wishlist for Web Programming Peter Thiemann Universit at Freiburg Links Meeting, Edinburgh,

Wishlist for Web Programming Peter Thiemann Universit at Freiburg Links Meeting, Edinburgh, Scotland, 6 April 2005 1 The Structure of Modern Web Sites kinds of content static generated images contents of passive downloads files

161 views • 13 slides

More recommend