失控：KCFG 和 KCET 如何重新定义 Windows 内核中的控制流完整性.pdf

1、#BHUSA BlackHatEventsOut Of Control:How KCFG and Out Of Control:How KCFG and KCET Redefine Control Flow KCET Redefine Control Flow Integrity in the Windows KernelIntegrity in the Windows KernelConnor McGarr 33y0reSoftware Engineer,Prelude Security#BHUSA BlackHatEventsAbout Software Engineer at Prelu

2、de SecurityPreviously Software Engineer at CrowdStrike on the Windows Sensor Team Blog:connormcgarr.github.ioWindows OS internals,exploit mitigations,browser and kernel exploitation,malware,reverse engineering articles I like C,Assembly,Operating Systems,and Hypervisors!#BHUSA BlackHatEventsIntroduc

3、tion To Control Flow Integrity Most exploits require two things:1.Ability to hijack the legitimate execution(control flow)of an application/operating system2.Use the above primitive to execute some malicious code Control Flow Integrity(CFI)attempts to address the first problem by verifying and mitig

4、ating attempts to alter the target of a control-flow transferCalls/jmps are forwards-edge control-flow transfersReturns are backwards-edge control-flow transfers#BHUSA BlackHatEventsControl Flow Guard Control Flow Guard is Windows version of forwards-edge CFIPresent in user-mode since Windows 8.1(as

5、 an optional update)All indirect call targets which are known at compile-time are stored in a read-only,kernel-protected(and per-process)“CFG bitmap”User-mode address space is 128 TB on 64-bit Windowsthere are 128 TB of possible call targets(in theory),but the compiler should generate call targets a

6、t 16-byte(0 x10)boundaries128 TB/16 bytes=8 TB of potential targets8 TB*2 bits(denotes the“state”for every 16 bytes)=2 TB CFG bitmap sizeMemory manager performs some optimizationsIndirect call/jmps are replaced with“thunks”that first check the CFG bitmap for bits related to the call target before tr