Lost Control-Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming

Breach kernel control-flow integrity using page-oriented programming, a technique that can bypass hardware-assisted enforcement of strong control-flow policies.

Key takeaways
  • Proteins enable breaking of hardware-assisted kernel control flow integrity using page-oriented programming.
  • Hardware-assisted control flow integrity (CFI) enforces strong CFI policies using Intel’s CET and Microsoft’s CFG, but page-oriented programming (POP) can bypass this enforcement.
  • POP uses page-level gadgets and remapping to create new control flows under CFI enforcement.
  • Hardware-based CFI focuses on indirect branches, while software-based CFI ensures non-write-over code, but POP exploits weaknesses in both.
  • POP exploits existing kernel vulnerabilities, such as memory read and write vulnerabilities, to train gadgets and system cores.
  • Page-oriented programming can make new control flows under CFI enforcement, enabling unauthorized code modification and injection.
  • The hypervisor non-write-over code mechanism and hardware-assisted CFI are effective in preventing unauthorized code modification and injection, but can be bypassed using POP.
  • The presentation highlights the importance of understanding page-oriented programming in order to break hardware-assisted kernel control flow integrity.

More talks

Locknote: How JavaScript Happened: A Short History of Programming Languages - Mark Rendle

Stephen Macke - Python as a Hackable Language for Interactive Data Science | PyData Global 2023

Programming Kotlin: Why, How & Its Future • Venkat Subramaniam & Hadi Hariri

Data Integrity in smart infrastructures by Ludovico Binda

Animations from first principles — Rodrigo Girão Serrão

Talks - Bruce Eckel: Functional Error Handling

Marc Feistkorn: Karlsruher Modell - Geschichte, Technik, Ausblick

"Scientific Clojure, a bird's eye view" by Thomas Clark