Capturing 0Day Exploits With Perfectly Placed Hardware Traps

by Cody Pierce, Matt Spisak, Kenneth Fitch
Sept. 15, 2017

In this talk, we will cover our research methodology, results, and limitations. We will highlight novel solutions to major obstacles we faced, including: proper tracking of Windows thread context swapping; configuration of PMU interrupt delivery without tripping Microsoft's PatchGuard; efficient algorithms for discovery of valid branch destinations in PE and ELF files at run-time; and the impact of operating in virtualized environments. The effectiveness of our approach using hardware-assisted traps to monitor program execution and enforce CFI policies on mispredicted branches will be demonstrated in real-time. We will prevent weaponized exploits targeting Windows and Linux x86-64 operating systems that nominally bypass anti-exploit technologies like Microsoft's EMET tool. We will also present collected metrics on performance impact and the real-world applications of this technology.
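The "valid branch destinations" check the abstract mentions, as an added example that is not the authors' code: it builds a constructed minimal ELF64 containing only a symbol table, harvests the addresses of FUNC symbols as the allowed indirect-branch targets, and applies that allow-list to a modelled branch destination. The PMU sampling itself is out of scope here; the policy shape (any indirect branch must land on a known function entry) is an assumption, not the talk's exact rule set.

```python
import struct

SHT_SYMTAB, SHT_STRTAB, STT_FUNC = 2, 3, 2
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
SYM = "<IBBHQQ"              # Elf64_Sym, 24 bytes


def build_elf(funcs):
    """Constructed ELF64 with .symtab/.strtab/.shstrtab only (no code); test input."""
    strtab, syms = b"\0", [b"\0" * 24]          # index 0 is the reserved null symbol
    for name, addr in funcs:
        syms.append(struct.pack(SYM, len(strtab), STT_FUNC, 0, 1, addr, 16))
        strtab += name.encode() + b"\0"
    symtab = b"".join(syms)
    shstr = b"\0.symtab\0.strtab\0.shstrtab\0"
    off = 64                                     # section data starts after the header
    blobs, shdrs = [], [b"\0" * 64]              # shdr 0 is the null section header
    for name_off, typ, data, link, esz in ((1, SHT_SYMTAB, symtab, 2, 24),
                                          (9, SHT_STRTAB, strtab, 0, 0),
                                          (17, SHT_STRTAB, shstr, 0, 0)):
        shdrs.append(struct.pack(SHDR, name_off, typ, 0, 0, off, len(data), link, 0, 1, esz))
        blobs.append(data)
        off += len(data)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1,
                       0, 0, off, 0, 64, 0, 0, 64, len(shdrs), 3)
    return ehdr + b"".join(blobs) + b"".join(shdrs)


def function_entries(elf):
    """Walk the section headers, find SHT_SYMTAB and return {addr: name} for FUNC symbols."""
    e = struct.unpack_from(EHDR, elf, 0)
    shoff, shnum = e[6], e[12]
    shdrs = [struct.unpack_from(SHDR, elf, shoff + 64 * i) for i in range(shnum)]
    targets = {}
    for sh in shdrs:
        if sh[1] != SHT_SYMTAB:
            continue
        strtab = shdrs[sh[6]]                    # sh_link names the matching string table
        for i in range(sh[5] // 24):
            name, info, _, _, value, _ = struct.unpack_from(SYM, elf, sh[4] + 24 * i)
            if info & 0xF == STT_FUNC and value:
                start = strtab[4] + name
                targets[value] = elf[start:elf.index(b"\0", start)].decode()
    return targets


def check_branch(dst, targets):
    """Assumed CFI policy for a mispredicted indirect branch's destination (the value a
    PMU sample would report): allowed only if it is a discovered function entry."""
    return ("allow", targets[dst]) if dst in targets else ("deny", None)
```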

Steven Ulm 8 months ago

Really talented author! Was a pleasure (interesting too!) reading it!