A new attack technique developed by Endgame researchers uses counterfeit object-oriented programming to bypass the Control Flow Integrity (CFI) defenses in Windows 10. What is counterfeit object-oriented programming? What changes need to be made to CFI implementations to prevent it?
There are various knock-on effects whenever software developers and vendors introduce new security controls into their products. The most obvious, assuming the control is effective, is that existing attacks that exploit the weakness the control mitigates no longer work. As a result of this, hackers turn to other exploits that are known to still be effective. Finally, the more sophisticated hackers begin to study how the control works and whether it can be circumvented, revisiting it whenever better techniques or resources become available.
For example, for a long time, attackers exploited memory-related vulnerabilities, such as buffer overflows, to hijack the control flow of software applications by injecting their own machine code and redirecting execution to it. The deployment of data execution prevention, which marks stack and heap memory non-executable, quickly made these code injection attacks largely infeasible.
Hackers reacted by switching to code-reuse attacks to exploit memory corruption vulnerabilities. Code-reuse attacks use techniques such as return-oriented programming, which don't need to inject code, as they induce malicious program behavior by misusing existing code chunks already residing in the attacked application's address space.
One code-reuse technique that has not yet appeared in exploit kits is called counterfeit object-oriented programming (COOP), a code-reuse attack targeting applications written in C++, and possibly other object-oriented languages. It was first documented in a paper presented at the 2015 IEEE Symposium on Security and Privacy. Rather than chaining short instruction fragments, COOP reuses whole dynamically bound functions: the attacker fills corrupted memory with counterfeit objects whose virtual function table (vtable) pointers reference legitimate, existing vtables, and lets a legitimate loop in the program dispatch virtual calls on them. Because every indirect call in the chain lands at the entry of a genuine function, COOP bypasses the majority of defenses against code-reuse attacks, including those that only check that the target of an indirect call is a valid function.
Researchers at cybersecurity software company Endgame decided to evaluate how effective Microsoft's implementation of Control Flow Integrity, known as Control Flow Guard (CFG), and Endgame's own hardware-assisted offering, HA-CFI, would be against a cutting-edge attack using COOP.
CFG was introduced by Microsoft to harden Windows (it shipped with Windows 8.1 Update and is enabled across Windows 10), as it can prevent attacks built on exploits that subvert machine code execution: the compiler inserts a check before each indirect call that verifies the target is a function entry point the module has marked as valid. CFI of this kind also provides a useful foundation for enforcing further security policies, such as policies that constrain the use of data memory.
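To make the difference between COOP and the code reuse that CFG is built to stop concrete, here is an added C++ example; it is not code from this article, from Endgame, or from the COOP paper. It models a C++ object as an explicit vptr-plus-field struct and a one-slot vtable (the layout MSVC and the Itanium ABI use), a CFG-style check that an indirect call target is a marked function entry, and a "main loop gadget" that dispatches virtual calls over an array of object pointers. The names Logger_run, Counter_run, Flush_run, NotAnEntryPoint, cfgCheck and mainLoopGadget are the example's own. A ROP-style forged vtable is rejected by the check, while the counterfeit objects of the COOP chain pass it and still run a function sequence the program never executes on its own.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>

struct Object;
using VirtFn = void (*)(Object*, std::string&);

// A one-slot vtable, standing in for the first virtual slot of a real C++ class.
struct VTable { VirtFn slot0; };

// Object layout as produced by MSVC and the Itanium ABI: vptr first, then fields.
struct Object {
    const VTable* vptr;
    std::uintptr_t field;
};

// Legitimate virtual functions of the application (hypothetical). Once reused by an
// attacker they are the "vfgadgets" of a COOP chain.
static void Logger_run(Object* self, std::string& trace) {
    trace += "log:" + std::to_string(self->field) + ";";
}
static void Counter_run(Object* self, std::string& trace) {
    self->field += 1;
    trace += "count;";
}
static void Flush_run(Object*, std::string& trace) { trace += "flush;"; }

static const VTable kLoggerVT  = { Logger_run };
static const VTable kCounterVT = { Counter_run };
static const VTable kFlushVT   = { Flush_run };

// Code that is not a legitimate indirect-call target: stands in for an address in
// the middle of a function that a classic ROP chain would jump to.
static void NotAnEntryPoint(Object*, std::string& trace) { trace += "hijacked;"; }
static const VTable kForgedVT = { NotAnEntryPoint };

// Coarse-grained CFI in the style of CFG: before an indirect call, the target must be
// the entry point of a function the compiler marked as a valid call target. The
// check knows nothing about which class the object is supposed to be.
static bool cfgCheck(VirtFn target) {
    static const std::set<VirtFn> valid = { Logger_run, Counter_run, Flush_run };
    return valid.count(target) != 0;
}

// "Main loop gadget": a legitimate function that walks an array of object pointers
// and makes a virtual call on each one. One such loop is all COOP needs to drive an
// attacker-chosen sequence of virtual functions.
static std::string mainLoopGadget(Object** objs, std::size_t n) {
    std::string trace;
    for (std::size_t i = 0; i < n; ++i) {
        VirtFn target = objs[i]->vptr->slot0;   // vptr is read from (possibly corrupted) memory
        if (!cfgCheck(target)) return trace + "blocked;";
        target(objs[i], trace);                 // the guarded indirect call
    }
    return trace;
}

// Normal operation: the application's own objects, each with its own vtable.
std::string benignRun() {
    Object logger  = { &kLoggerVT, 7 };
    Object counter = { &kCounterVT, 0 };
    Object* objs[] = { &logger, &counter };
    return mainLoopGadget(objs, 2);
}

// Classic code reuse after a memory corruption: the attacker points a vptr at a forged
// vtable whose slot is not a valid function entry. The CFG-style check stops it.
std::string ropStyleRun() {
    Object forged = { &kForgedVT, 0 };
    Object* objs[] = { &forged };
    return mainLoopGadget(objs, 1);
}

// COOP: the attacker writes only data. Each counterfeit object (constructed here; in a
// real attack it is what a heap overflow leaves behind) carries a vptr to an existing,
// legitimate vtable, so every dispatched call targets a valid function entry and the
// check passes, yet the sequence flush, count, count, log is one the program never
// executes on its own.
std::string coopRun() {
    Object chain[4] = {
        { &kFlushVT,   0 },
        { &kCounterVT, 5 },
        { &kCounterVT, 5 },
        { &kLoggerVT,  9 },
    };
    Object* objs[] = { &chain[0], &chain[1], &chain[2], &chain[3] };
    return mainLoopGadget(objs, 4);
}
```

The real technique also passes data between vfgadgets by overlapping counterfeit objects, which this example leaves out; what it shows is why a check on function entries alone cannot tell a counterfeit virtual call from a genuine one. A mitigation that stops it has to know which vtable an object of a given static type is allowed to carry at each call site, which is what it means for CFI to be aware of C++ semantics.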
Because every call in a COOP chain targets the entry of a legitimate virtual function, a coarse-grained check such as CFG's, which only asks whether the target is a valid function start, passes and the attack succeeds. What this means is that CFI implementations need to be more aware of object-oriented C++ semantics, in particular which vtable an object is allowed to carry at a given virtual call site, and that improved mitigations against code-reuse attacks need to be developed before COOP attacks become a mainstream weapon of choice.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)