How to Survive the Hardware Assisted Control-Flow Integrity Enforcement, presented at BlackHatAsia2019

by Chong Xu, Bing Sun, Jin Liu

Summary: Control-flow hijacking is a crucial step in modern vulnerability exploitation: it is what turns a memory-safety bug into arbitrary code execution. The security industry has put great effort into combating control-flow hijacking, but purely software-based control-flow integrity (such as Microsoft's CFG, which checks only forward-edge indirect call targets) has proven inadequate against sophisticated hijacking techniques, and a hardware-assisted solution is needed. Intel's Control-flow Enforcement Technology (CET) is such a solution: it aims to prevent exploits from hijacking control-flow transfer instructions on both the forward edge (indirect call/jmp, via indirect branch tracking) and the back edge (ret, via the shadow stack). The latest Windows 10 RS5 has introduced mitigation changes in support of Intel CET (a new PTE type for shadow-stack pages), a clear sign that Microsoft is taking serious steps to address control-flow hijacking once and for all. In this talk we give a deep dive into Intel CET and its implementation on the latest Windows 10 x64 releases (RS5 and 19H1). We then discuss ways in which control flow can still be hijacked when CET is enabled, and we demonstrate the attacks discussed.
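To make the two checks the abstract refers to concrete, the following is an added software model of them; it is example code written for this page, not the speakers' demo code and not Intel's or Microsoft's implementation. It models the back edge as a pair of stacks (the writable data stack and a shadow stack that only CALL/RET may touch, compared on every RET) and the forward edge as a check that an indirect call target begins with the ENDBR64 marker (bytes F3 0F 1E FA). The addresses, the small code image and the mismatch outcome named CET_CP_FAULT (standing in for the #CP control-protection fault) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Software model of CET's two mechanisms (example only, not the hardware). */
#define STACK_DEPTH 16

typedef struct {
    uint64_t data[STACK_DEPTH];    /* ordinary stack: writable by the program, and by a memory-corruption bug */
    uint64_t shadow[STACK_DEPTH];  /* shadow stack: only the modelled CALL/RET write it */
    size_t sp, ssp;
} cpu_model_t;

enum { CET_OK = 0, CET_CP_FAULT = 1 };   /* CET_CP_FAULT stands in for the #CP exception (constructed name) */

static void model_init(cpu_model_t *cpu) { memset(cpu, 0, sizeof *cpu); }

/* CALL pushes the return address on both the data stack and the shadow stack. */
static void model_call(cpu_model_t *cpu, uint64_t ret_addr) {
    cpu->data[cpu->sp++] = ret_addr;
    cpu->shadow[cpu->ssp++] = ret_addr;
}

/* RET pops both stacks and compares; a mismatch means the saved return address was tampered with. */
static int model_ret(cpu_model_t *cpu, uint64_t *target) {
    if (cpu->sp == 0 || cpu->ssp == 0) return CET_CP_FAULT;
    uint64_t from_data = cpu->data[--cpu->sp];
    uint64_t from_shadow = cpu->shadow[--cpu->ssp];
    if (from_data != from_shadow) return CET_CP_FAULT;
    *target = from_data;
    return CET_OK;
}

/* An attacker with a stack write primitive (e.g. a stack overflow) overwrites the saved return address
 * on the data stack. The shadow stack is not reachable by ordinary stores, so it keeps the real value. */
static void model_overwrite_return(cpu_model_t *cpu, uint64_t gadget) {
    if (cpu->sp) cpu->data[cpu->sp - 1] = gadget;
}

/* Indirect branch tracking: the target of an indirect call/jmp must start with ENDBR64 (F3 0F 1E FA). */
static int model_indirect_call(const uint8_t *code, size_t code_len, uint64_t target) {
    static const uint8_t endbr64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };
    if (target > code_len || code_len - target < sizeof endbr64) return CET_CP_FAULT;
    return memcmp(code + target, endbr64, sizeof endbr64) == 0 ? CET_OK : CET_CP_FAULT;
}

/* Constructed code image: a legitimate function entry at offset 0 and a mid-function gadget at offset 8. */
static const uint8_t CODE_IMAGE[] = {
    0xF3, 0x0F, 0x1E, 0xFA,   /* 0: endbr64          (valid indirect-call target) */
    0x55,                     /* 4: push rbp */
    0x48, 0x89, 0xE5,         /* 5: mov  rbp, rsp */
    0x5F,                     /* 8: pop  rdi          (ROP/JOP gadget, not marked with endbr64) */
    0xC3,                     /* 9: ret */
};

/* Scenario 1: an untampered CALL/RET pair returns to the saved address. */
static int scenario_benign(void) {
    cpu_model_t cpu; model_init(&cpu);
    model_call(&cpu, 0x401000);              /* constructed return address */
    uint64_t target = 0;
    return model_ret(&cpu, &target) == CET_OK && target == 0x401000;
}

/* Scenario 2: a ROP-style return-address overwrite is caught on RET (back-edge protection). */
static int scenario_rop_blocked(void) {
    cpu_model_t cpu; model_init(&cpu);
    model_call(&cpu, 0x401000);
    model_overwrite_return(&cpu, 0x4141414141414141ULL);   /* constructed gadget address */
    uint64_t target = 0;
    return model_ret(&cpu, &target) == CET_CP_FAULT;
}

/* Scenario 3: an indirect call to a function entry is allowed, to a mid-function gadget is not (forward edge). */
static int scenario_ibt(void) {
    return model_indirect_call(CODE_IMAGE, sizeof CODE_IMAGE, 0) == CET_OK
        && model_indirect_call(CODE_IMAGE, sizeof CODE_IMAGE, 8) == CET_CP_FAULT;
}

int main(void) {
    printf("benign call/ret:            %s\n", scenario_benign()      ? "ok" : "FAIL");
    printf("overwritten return caught:  %s\n", scenario_rop_blocked() ? "ok" : "FAIL");
    printf("indirect branch tracking:   %s\n", scenario_ibt()         ? "ok" : "FAIL");
    return 0;
}
```

The model captures why the abstract treats CET as stronger than CFG alone: the shadow stack cannot be reached by the stack write that corrupts the data stack, so a tampered return address is detected at RET rather than executed, and indirect branches are confined to ENDBR64-marked entry points. Real CET differs in many details (the shadow stack lives in memory with special page permissions, the check is done by the CPU, and legitimate unwinding needs dedicated instructions), which is exactly the surface the talk examines for remaining bypasses.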