Breaking Payloads with Runtime Code Stripping and Image Freezing

by Collin Mulliner, Matthias Neugschwandtner
Sept. 18, 2017. Tag: Black Hat. Posted by belen_caty.

Fighting off attacks based on memory corruption vulnerabilities is hard, and a lot of research has been and is being conducted in this area. In our recent work we take a different approach and look into breaking the payload of an attack. Current attacks assume that they have access to every piece of code and the entire platform API that is loaded into the process. In this talk, we present a novel defensive strategy that targets this assumption. We built a system that removes unused code from an application process, so that an attack cannot use code and APIs that would otherwise be present in process memory but are never used by the application itself. Our system is only active at process creation time and therefore incurs no runtime overhead and no performance degradation. It does not modify any executable files or shared libraries, as all actions are performed in memory only. We implemented our system for Windows 8.1 and tested it on real-world applications.

https://www.blackhat.com/us-15/briefings.html#breaking-payloads-with-runtime-code-stripping-and-i...

Steven Ulm 3 months ago

It is always nice reading about new approaches to memory corruption vulnerabilities. Best of luck with it!

Mitchell Rowton moderator 2 months, 4 weeks ago

The guys that made this paper are a mixture of rocket scientists and androids.
