Return to Where? You Can't Exploit What You Can't Find
Offered By: Black Hat via YouTube
Course Description
Overview
Explore techniques for detecting and preventing the exploitation of memory corruption vulnerabilities in this Black Hat conference talk. The talk covers the challenges of countering code-reuse attacks such as return-oriented programming (ROP) and the limitations of current control-flow integrity (CFI) defenses. It then examines why probabilistic countermeasures based on memory layout randomization (including fine-grained ASLR) fall to memory disclosure attacks: an attacker who can read code, or read code pointers that reveal where code lives, can locate gadgets at runtime and build a ROP payload on the fly. Against this, the speakers present Readactor, a defense that combines hardware-enforced execute-only memory (to stop direct reading of code) with code-pointer hiding (to stop indirect layout disclosure through pointers stored in readable data). The talk shows how this solution was applied to complex software such as the Chromium web browser, including protection of dynamically generated code from the JavaScript JIT compiler, and reports its performance cost on SPEC CPU2006. The overall theme is the ongoing battle between attackers and defenders in runtime exploit prevention: you can't exploit what you can't find.
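As an added illustration (not code from the talk or from the Readactor project), here is a minimal x86-64 ret-gadget finder in C run over a constructed byte sequence. It models the direct memory-disclosure step that execute-only memory removes: an attacker who can read code bytes sweeps backwards from every 0xc3 (`ret`) and keeps each start offset that decodes cleanly into whole instructions ending at that `ret`, including unintended instructions that begin in the middle of an intended one. The decoder is a deliberate subset (push/pop, register-direct `mov`/`xor`, `mov r32, imm32`, `ret`) chosen for this example; anything else is treated as unsupported and the candidate is rejected, which is the conservative choice for a finder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed code bytes for the example, not taken from any real binary.
 * Offsets are noted because the gadget finder reports them. */
static const uint8_t CODE[] = {
    0x55,                         /*  0: push rbp                           */
    0x48, 0x89, 0xe5,             /*  1: mov  rbp, rsp                      */
    0x5d,                         /*  4: pop  rbp                           */
    0xc3,                         /*  5: ret                                */
    0x58,                         /*  6: pop  rax                           */
    0xc3,                         /*  7: ret                                */
    0x5f,                         /*  8: pop  rdi                           */
    0x5e,                         /*  9: pop  rsi                           */
    0xc3,                         /* 10: ret                                */
    0xb8, 0xc3, 0x00, 0x00, 0x00, /* 11: mov  eax, 0xc3 (0xc3 here is data) */
    0x48, 0x31, 0xc0,             /* 16: xor  rax, rax                      */
    0xc3,                         /* 19: ret                                */
};

#define MAX_BACK 8  /* how many bytes before a ret to consider as gadget starts */

/* Decode one instruction of the supported subset at p.
 * Returns its length, or 0 if unsupported or truncated. Sets *is_ret. */
static size_t insn_len(const uint8_t *p, size_t avail, int *is_ret) {
    size_t i = 0;
    uint8_t rex = 0;
    *is_ret = 0;
    if (avail == 0) return 0;
    if ((p[0] & 0xf0) == 0x40) {            /* optional REX prefix */
        rex = p[0];
        i = 1;
        if (avail < 2) return 0;
    }
    uint8_t op = p[i];
    if (op == 0xc3) { *is_ret = 1; return i + 1; }           /* ret */
    if (op >= 0x50 && op <= 0x5f) return i + 1;              /* push/pop r64 */
    if (op >= 0xb8 && op <= 0xbf) {                          /* mov reg, imm */
        size_t n = (rex & 0x08) ? i + 9 : i + 5;             /* imm64 with REX.W, else imm32 */
        return avail >= n ? n : 0;
    }
    if (op == 0x89 || op == 0x31) {                          /* mov / xor r/m, r */
        if (avail < i + 2) return 0;
        if ((p[i + 1] & 0xc0) != 0xc0) return 0;             /* register-direct forms only */
        return i + 2;
    }
    return 0;                                                /* unsupported opcode */
}

/* True if code[start..ret) decodes as whole instructions that land exactly on
 * the ret at offset `ret` without passing through an earlier ret. */
static int decodes_to_ret(const uint8_t *code, size_t len, size_t start, size_t ret) {
    size_t pos = start;
    while (pos < ret) {
        int is_ret;
        size_t n = insn_len(code + pos, len - pos, &is_ret);
        if (n == 0 || is_ret) return 0;
        pos += n;
    }
    return pos == ret;
}

/* Backward sweep from every 0xc3 byte. Writes gadget start offsets to out. */
static size_t find_ret_gadgets(const uint8_t *code, size_t len, size_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t ret = 0; ret < len; ret++) {
        if (code[ret] != 0xc3) continue;
        for (size_t back = 1; back <= MAX_BACK && back <= ret; back++) {
            size_t start = ret - back;
            if (decodes_to_ret(code, len, start, ret) && n < max_out) out[n++] = start;
        }
    }
    return n;
}

static int has_start(const size_t *starts, size_t n, size_t v) {
    for (size_t i = 0; i < n; i++) if (starts[i] == v) return 1;
    return 0;
}

int main(void) {
    size_t starts[64];
    size_t n = find_ret_gadgets(CODE, sizeof CODE, starts, 64);
    printf("%zu gadget starts found in %zu code bytes\n", n, sizeof CODE);
    for (size_t i = 0; i < n; i++) {
        printf("  offset %2zu:", starts[i]);
        for (size_t p = starts[i]; CODE[p] != 0xc3 || p == starts[i]; p++) printf(" %02x", CODE[p]);
        printf(" c3\n");
    }
    return 0;
}
```

Note what the output shows: offset 2 is reported (bytes `89 e5` form a valid `mov ebp, esp` even though the intended instruction began at offset 1), while the 0xc3 at offset 12 inside the `mov eax, 0xc3` immediate yields no gadget because nothing before it decodes onto it. Every one of these results depends on reading the code bytes; on an execute-only mapping that read faults, which is the point of the talk's title.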
Syllabus
Intro
Motivation
Three Decades of Runtime Exploits
Return-oriented Programming (ROP): Basic Idea
ROP Attack Technique: Overview
Adversary Model/Assumptions
Main Defense Measures
Randomization vs. CFI
Fine-Grained ASLR
Key Insight and Observation
Gadget Finding and Payload Generation
Code Randomization: Attack & Defense Techniques
Readactor: Resilience to Memory Disclosure
Preventing Direct Memory Disclosure
Execute-Only EPT Mapping
Indirect Memory Disclosure Attack
Code-Pointer Hiding
Readactor Compiler
Readactor's Runtime Architecture
JIT Compiler Support
Evaluation: Does it work?
SPEC CPU2006 Performance
How About Security?
Vtable Randomization
Conclusion
Coming Soon
Taught by
Black Hat
Related Courses
Enter Sandbox (Black Hat via YouTube)
Evaluation of the Executional Power in Windows Using Return Oriented Programming (IEEE via YouTube)
Spectre Attacks: Exploiting Speculative Execution (IEEE via YouTube)
Return to the Zombie Gadgets - Undermining Destructive Code Reads via Code-Inference Attacks (IEEE via YouTube)
ROP is Still Dangerous - Breaking Modern Defenses (USENIX via YouTube)