us-16-Weston-Windows-10-Mitigation-Improvements

Problem
- Return addresses are not protected
- Valid functions can be called out of context
- “Fail-open” design for compatibility

Bypass: Non-enlightened Just-in-Time (JIT) compilers can be abused
Status: Mitigated in latest version of Edge on Windows 10 (Chakra, Adobe Flash, and WARP)

Bypass: Multiple non-instrumented indirect calls reported to our Mitigation Bypass Bounty
Status: Mitigated in latest version of Edge on Windows 10

Bypass: NtContinue/longjmp
Status: Mitigated for all CFG enabled apps on Windows 10

Bypass: Calling sensitive APIs out of context
Status:
- VirtualProtect/VirtualAlloc – mitigated in latest version of Edge on Windows 10
- LoadLibrary – mitigated in latest version of Edge on Windows 10 via code integrity
- WinExec – mitigated in Edge on Windows 10 anniversary edition via child process policy

Bypass: Corrupting return addresses on the stack
Status: Known limitation that we intend to address with new technology (e.g. with Intel CET)
Problem: Execute arbitrary native code
- Only properly signed images can be loaded (Microsoft, WHQL, Store, or DRM signed)
- Binaries on remote devices (UNC/WebDAV) cannot be loaded
Example of such an attack provided by Yang Yu @ Black Hat USA 2014
Tactic: Breaking exploitation techniques
Applies to: Edge on Windows 10 and opt-in for other apps
First shipped: November, 2015 (Windows 10 1511 update)
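As an added example that is not part of Weston's deck, the PowerShell below applies to an arbitrary application the Windows 10 process-mitigation policies that correspond to the statuses on the two slides above (CFG, signed-image loading, no remote images, no child processes, and the CET shadow stack for return addresses), then reads the effective policy back. It assumes the ProcessMitigations module (Windows 10 1709 or later), an elevated prompt, and a placeholder image name.

```powershell
# Added example, not from the slide deck. Set-ProcessMitigation records the
# policy per image name (IFEO), so it applies to future launches of that image.
#Requires -RunAsAdministrator
$ImageName = 'ExampleApp.exe'   # placeholder; no application named on the slides

# Slide status                          -> policy that enforces it for this image
#  indirect calls go through CFG        -> CFG, StrictCFG (refuse non-CFG DLLs)
#  LoadLibrary blocked by code integrity -> MicrosoftSignedOnly (+ Store signed)
#  UNC/WebDAV images cannot be loaded    -> BlockRemoteImageLoads
#  WinExec blocked by child process policy -> DisallowChildProcessCreation
#  return addresses protected (Intel CET) -> UserShadowStack (needs CET hardware
#                                            and Windows 10 2004 or later)
$Mitigations = @(
    'CFG', 'StrictCFG',
    'MicrosoftSignedOnly', 'AllowStoreSignedBinaries',
    'BlockRemoteImageLoads',
    'DisallowChildProcessCreation',
    'UserShadowStack'
)

Set-ProcessMitigation -Name $ImageName -Enable $Mitigations

# Read back the policy the OS will apply; 'Source: Registry' until it is running.
Get-ProcessMitigation -Name $ImageName
```

StrictCFG and MicrosoftSignedOnly will break an application that loads third-party or non-CFG plug-in DLLs, so test with the corresponding audit flags before enforcing.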