Monday, August 17, 2015

an impossible-to-follow lecture on Internet Explorer's memory management

This talk was given by Abdul-Aziz Hariri (left), Simon Zuckerbraun (center), and Brian Gorenc (right), and it was easily the toughest talk to follow that I saw at Black Hat! I'm a C# developer, not a security professional, and maybe that's the whole problem, but honestly I wonder if the security professionals at my work wouldn't have been a little baffled too. "Using MemoryProtection as a way to bypass ASLR" (where ASLR is address space layout randomization) was the name of this thing. The premise was that as of the middle of last year attackers were giving up on trying to use Internet Explorer to attack corporations and were instead shifting their focus to Adobe Flash vulnerabilities. This is because the isolated heap was introduced to IE in June of 2014. Now, why older versions of IE could not just be used anyway for mischief (sidestepping the security), I do not know. Maybe the attacks attack installs of IE itself in lieu of coming from IE? Don't expect what follows to be too followable, and, yes, I know followable is not a real word.

The isolated heap does a good job of separating the memory management scope of DOM objects from other types of allocations. MemoryProtection is... um, I think a separate but complementary upgrade introduced to Internet Explorer at the same time. It introduces a deallocation delay so that the garbage collection cannot just clean up deallocated memory; instead, memory lingers for a spell even when it is irrelevant before it may be wiped, not unlike flags being set at half-mast for weeks whenever a U.S. President dies, keeping that person in our thoughts for a window even though they themselves are quite finished. It's memory Purgatory for souls doomed to an atheist afterlife. Anyhow, the isolated heap and MemoryProtection basically make things better, but the three super-smart individuals on the panel have found a new loophole in MemoryProtection that opens up a new vulnerability.
Microsoft baited the public to find something wrong with the isolated heap and MemoryProtection with a $25,000 prize, and these three guys won the prize with their findings. They then turned around and recommended solutions to Microsoft to correct the problem, and Microsoft did not act on their suggestions, so the security hole in modern Internet Explorer that I'm getting to still exists, but I wouldn't get too excited because there is no way Average Joe is gonna understand it to exploit it. Maybe Microsoft just thought they could let it be. I dunno. Alright, if you bombard the heap to the point that it is full of noise, predictably in one-megabyte blobs of memory usage, and you wait for garbage collection to clean up a one-megabyte blob of memory, then when you next shove in the next one-megabyte blob of memory, it is reasonable to assume that it will land in the one and only available empty one-megabyte slot that the last actor just left. If you cannot put it in there, that tells you that the last actor has not left, perhaps because it is in use, but also perhaps because MemoryProtection just hasn't let go of it. With this you can narrow in on an address space of MemoryProtection, but don't ask me how because I'm already lost, and from there you may move onward to more sinister things (armed with that knowledge), but I couldn't follow what comes next either. That's it. That's the whole talk. During the presentation, the guy sitting next to me held up a piece of paper with the number ten on it for the panel to see, as if he were a judge judging a beauty contest and were awarding the highest honor. He seemed to be directly attempting to rattle the speakers, as if to say "Good job with the geek out. We're all lost." I looked at him and smiled and shrugged at the over-our-heads content, and he smiled back as if to affirm, yes, it was all too much.
Afterwards, I realized there is a guy like him at every talk and the 10 just lets the speakers know that they only have 10 minutes left; it's not a prank that one individual orchestrated, as my imagination deduced. Where my imagination went kinda says something though. Good job, Abdul, Simon, and Brian. You're smarter than Microsoft and certainly smarter than me.
