logo
allArticlesConferencesPresentations

The Dark Age of Memory Corruption Mitigations in the Spectre Era

Conference:  BlackHat USA 2021

2021-08-05

Summary

The talk discusses how memory corruption defenses can be bypassed using speculative execution attacks, with a focus on stack protectors, control flow integrity, and bounds checks in Go. The speakers demonstrate how information can be leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. They also show how this can be achieved by stitching together multiple gadgets in a speculative return-oriented programming attack.
  • Memory corruption defenses can be bypassed using speculative execution attacks
  • Stack protectors, control flow integrity, and bounds checks in Go can be bypassed under certain conditions
  • Information can be leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send
  • Multiple gadgets can be stitched together in a speculative return-oriented programming attack
The speakers provide an example of a speculative execution attack, specifically the Spectre version 101 attack which leverages a buffer overflow. The attack accesses a buffer and a bounds check is performed before making a write. However, the attacker can use speculative execution to bypass the bounds check and access secret data through a side channel.

Abstract

The prevalence of memory corruption bugs in the past decades resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory-safe languages. These defenses can prevent entire classes of vulnerabilities, and help increase the security posture of a program. In this talk, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, in a speculative return-oriented programming attack.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

WebAssembly: A New World of Native Exploits on the Browser

Conference:  BlackHat USA 2018
Authors:
2018-08-09

The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy

Conference:  Defcon 27
Authors:
2019-08-01

Breaking Bootloaders on the Cheap

Conference:  BlackHat EU 2019
Authors:
2019-12-05

Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime

Conference:  BlackHat USA 2019
Authors:
2019-08-08

Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Conference:  Defcon 31
Authors: Mikhail Shcherbakov KTH Royal Institute of Technology, Musard Balliu KTH Royal Institute of Technology
2023-08-01