
I understand that obtaining code execution by stack buffer overflows was mitigated by DEP, which in turn led to SEH and ROP exploit techniques, etc.

However, I don't see how to exploit an executable simultaneously protected by "Control Flow Guard" and "Return Flow Guard", since those exploit mitigations guarantee that target addresses of indirect calls (call) and return addresses (ret) are always benign up to a possible granularity of 16 bytes.

Are there currently any general methods of exploiting "Control Flow Guard" and "Return Flow Guard", or are those mitigations so robust that it becomes almost "impossible" to exploit future application builds?

Shuzheng
  • The RFG attacks mentioned [here](https://www.youtube.com/watch?v=oOqpl-2rMTw) about 32 minutes in might interest you. – dreamist Apr 04 '19 at 18:03
  • @dreamist - Do you think the times of "casual" exploitation are over? – Shuzheng Apr 04 '19 at 18:22
  • I can't tell what you mean by casual, but mitigations will continue raising time and skill costs. There are plenty of attack surfaces and powerful bugs still. – dreamist Apr 05 '19 at 19:48
  • @dreamist - what I mean by casual is a guy having it as a hobby; not a state agency or a research group. Can you provide me with a link to attack surfaces? – Shuzheng Apr 05 '19 at 21:01
  • It's kind of a concept in looking for bugs. Every individual feature or subpiece of a system has different potentials for bugs. Whatever features have potential and are reachable by your interaction are a part of the software's attack surface. If you hear about ["sources and sinks"](https://www.youtube.com/watch?v=ZaOtY4i5w_U) then you can think similarly to that. I liked [this talk](https://www.youtube.com/watch?v=KpuYMqDXdbE), still. – dreamist Apr 06 '19 at 19:07
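Before reasoning about whether a given build is exploitable, a defender first checks which of these mitigations the binary was actually linked with. The following is an added example (not from the question or the comments) that reads the PE optional header's DllCharacteristics field and reports the DEP, ASLR and CFG flags; `build_minimal_pe` is a constructed test fixture, not a real executable, and Return Flow Guard has no DllCharacteristics flag, so it is not reported.

```python
# Added example: report which PE-header mitigations (DEP/NX, ASLR, CFG) a
# Windows image was built with, by reading the optional header's
# DllCharacteristics word. Flag values are the documented
# IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification.
import struct

FLAGS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "DEP (NX_COMPAT)":     0x0100,
    "CFG (GUARD_CF)":      0x4000,
}

def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts
    # (BaseOfData is dropped in PE32+ but ImageBase grows to 8 bytes).
    return struct.unpack_from("<H", pe, opt + 70)[0]

def mitigations(pe: bytes) -> dict:
    """Map each known mitigation name to whether its flag is set."""
    bits = dll_characteristics(pe)
    return {name: bool(bits & bit) for name, bit in FLAGS.items()}

def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed fixture: the smallest header layout the parser needs.
    Not a loadable image; only the fields read above are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + coff + bytes(opt)
```

On a real binary, read the file with `open(path, "rb").read()` and pass it to `mitigations`; a CFG flag only signals that the image was linked with /guard:cf, the guard tables themselves live in the Load Config directory.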

0 Answers