Mitigation Bounty — Introduction

Thomas Garnier
Dec 19, 2016 · 3 min read

More than a year ago, I joined Google Security after 7 years at Microsoft. It is fascinating to have the ability to compare how security is done on two different platforms and in different companies. A few weeks ago, I started playing again with Windows mitigations. I thought it would be fun on my free time. Microsoft Edge was the perfect candidate because it enables all the mitigations.

This post describes my approach in searching for mitigation bypasses. The next one explains how I extend the base primitive to control calls. The last one goes over all mitigations bypasses with proof-of-concept code.

Microsoft has a mitigation bypass bounty for the latest version of Windows. The bounty is open for mitigations bypasses (CFG, RFG, ASLR or others) and/or suggestions for new defence mechanisms. I made multiple submissions to the bounty and most of them were rejected. The reasons went from “by design” to “already known”.

A bounty for mitigation bypasses is an original idea but it’s a hard one to do. What a mitigation is supposed to protect can be perceived differently. The ability to fix an issue weight in considering a bypass legitimate. As an external contributor, you don’t know what was reported before and Microsoft rejects known bypasses. If you spend time on mitigation bypass research, you have no guarantee it will be accepted or even fixed. Microsoft updated the bounty page recently adding additional details on scopes.

In the next post, I describe how you can transform a read-write anywhere primitive into calling valid CFG functions and controlling all arguments:

The third post discloses 4 techniques to bypass mitigations that were not fixed:

Vulnerability primitive

A mitigation bypass can start with a vulnerability. You find the right bug and sit on it until you found a mitigation bypass to submit. You assume this bug won’t be found by somebody else. I don’t like the idea to sit on bugs that could be actively used. I decided to simulate a vulnerability instead of using a real one.

I used a Windbg script to corrupt a JavascriptArrayBuffer object buffer field. I point it to the object itself. It gives a relative read-write primitive. It can be used to read a vtable pointer in chakra.dll. I also corrupt an adjacent JavascriptArrayBuffer object to get a read-write anywhere primitive.

I assume an attacker can find a bug leading to a similar primitive. This type of bugs is used in multiple exploit write-up or techniques. Using this primitive, my goal was executing custom code bypassing CFG or RFG.

You can find the detail implementation on these files:

  • toolkit.js —Create the read-write primitive. Provide useful APIs like managing large integer on Javascript and resolving functions.
  • basic_examples.html— Usage examples for read-write anywhere and on calling anything (described in the next post).
  • scripts/windbg_attach.ps1 — Script to attach to Edge instances automatically and setup the breakpoint to simulate the vulnerability.

Existing CFG & RFG research

Plenty of people did research on bypassing CFG. If you are interested, you can look at the following:

RFG has been added few weeks ago on the fast and slow ring:

Please send me a message on twitter if you would like to add a link to the previous lists.

10

10 claps
Thomas Garnier

Written by

Hacker, Developer, Father… I work at Google working in security since 2015. I worked at Microsoft for about 7 years. I have my own opinion.