Lost Control-Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming

Breach kernel control-flow integrity using page-oriented programming, a technique that can bypass hardware-assisted enforcement of strong control-flow policies.

Key takeaways
  • Proteins enable breaking of hardware-assisted kernel control flow integrity using page-oriented programming.
  • Hardware-assisted control flow integrity (CFI) enforces strong CFI policies using Intel’s CET and Microsoft’s CFG, but page-oriented programming (POP) can bypass this enforcement.
  • POP uses page-level gadgets and remapping to create new control flows under CFI enforcement.
  • Hardware-based CFI focuses on indirect branches, while software-based CFI ensures non-write-over code, but POP exploits weaknesses in both.
  • POP exploits existing kernel vulnerabilities, such as memory read and write vulnerabilities, to train gadgets and system cores.
  • Page-oriented programming can make new control flows under CFI enforcement, enabling unauthorized code modification and injection.
  • The hypervisor non-write-over code mechanism and hardware-assisted CFI are effective in preventing unauthorized code modification and injection, but can be bypassed using POP.
  • The presentation highlights the importance of understanding page-oriented programming in order to break hardware-assisted kernel control flow integrity.

More talks

Half a decade of mob programming - Ulrika Malmgren - NDC Oslo 2024

James Powell - How Dimensional is a `pandas.DataFrame`, anyway? | PyData Amsterdam 2024

Stephen Macke - Python as a Hackable Language for Interactive Data Science | PyData Global 2023

Tabby, my free "Copilot" by Rafik Ferroukh

Hello, Quantum World! by Jules May

Ryan O'Neil - Build on-demand logistics apps with Python, OR-Tools, and DecisionOps | PyData Global

TDD & generative AI - a perfect pairing? by Bouke Nijhuis

How JavaScript Happened: A Short History of Programming Languages by Mark Rendle