1 00:00:00,260 --> 00:00:06,569 thank you very much thank you being here 2 00:00:03,300 --> 00:00:09,780 and and also appreciates the organizer 3 00:00:06,569 --> 00:00:13,440 to give me the opportunity to talk my 4 00:00:09,780 --> 00:00:16,789 research so today my talk is arrow so 5 00:00:13,440 --> 00:00:21,119 basically I will go through bunch of 6 00:00:16,789 --> 00:00:23,880 code reuse techniques so we assume 7 00:00:21,119 --> 00:00:27,029 people understand what's Olaf 8 00:00:23,880 --> 00:00:32,040 I just quickly keeps the basic stuff and 9 00:00:27,029 --> 00:00:35,430 introduce the other one research part so 10 00:00:32,040 --> 00:00:37,710 my name is Zhang Li and from India so 11 00:00:35,430 --> 00:00:41,010 I'm the security research and architect 12 00:00:37,710 --> 00:00:44,850 in inter lab so we deliver a lots of 13 00:00:41,010 --> 00:00:47,550 product includes the deep safe some 14 00:00:44,850 --> 00:00:53,969 couples if you feature like I am Frank 15 00:00:47,550 --> 00:00:57,890 Hari and also our victim delivers sjx so 16 00:00:53,969 --> 00:01:01,559 I focus on unwinding and detecting 17 00:00:57,890 --> 00:01:03,750 Prevention's or zero day so advanced 18 00:01:01,559 --> 00:01:09,090 persistent attack this kind of stuff 19 00:01:03,750 --> 00:01:11,040 with latest new simple feature so I did 20 00:01:09,090 --> 00:01:17,159 some research for pet care couple years 21 00:01:11,040 --> 00:01:20,280 ago talk how to assess the pet card with 22 00:01:17,159 --> 00:01:23,850 the pet care decoder so we have the 23 00:01:20,280 --> 00:01:27,030 white paper published at that time and 24 00:01:23,850 --> 00:01:33,750 also I present at couple conference 25 00:01:27,030 --> 00:01:36,689 before so now we talk about the return 26 00:01:33,750 --> 00:01:38,340 oriented programming so I assume lots of 27 00:01:36,689 --> 00:01:43,589 people already know that because this is 28 00:01:38,340 --> 00:01:45,149 pretty popular content for research for 29 
00:01:43,590 --> 00:01:47,579 many years right 30 00:01:45,149 --> 00:01:49,799 so I will go through the basic stuff 31 00:01:47,579 --> 00:01:52,470 then we talk about the brown transfer 32 00:01:49,799 --> 00:01:55,470 instruction after I will talk little bit 33 00:01:52,470 --> 00:01:57,810 couple different Rob defense mechanism 34 00:01:55,470 --> 00:02:01,079 and how to bypass that is different 35 00:01:57,810 --> 00:02:03,390 gadget though and I also will talk about 36 00:02:01,079 --> 00:02:06,360 little bit for some valid gadget and 37 00:02:03,390 --> 00:02:09,119 also some powerful gadget from the wall 38 00:02:06,360 --> 00:02:13,260 succe for by give luck 39 00:02:09,119 --> 00:02:16,860 so Rob is the popular topic for many 40 00:02:13,260 --> 00:02:19,140 years so I just leased couple reference 41 00:02:16,860 --> 00:02:22,980 here so if you want to understand more 42 00:02:19,140 --> 00:02:28,048 basically stuff you can read the content 43 00:02:22,980 --> 00:02:30,530 here so that's couple couple talks from 44 00:02:28,049 --> 00:02:35,400 different research that are very 45 00:02:30,530 --> 00:02:39,060 excellent target so here I want to 46 00:02:35,400 --> 00:02:43,829 introduce some information here about 47 00:02:39,060 --> 00:02:46,590 the new rockin straw in apt so Robbie is 48 00:02:43,829 --> 00:02:50,040 very popular right so we saw lots of 49 00:02:46,590 --> 00:02:51,720 loss of drop paste extra but I want to 50 00:02:50,040 --> 00:02:55,440 mention this one because this one is 51 00:02:51,720 --> 00:02:56,040 special because in two years ago 52 00:02:55,440 --> 00:03:00,329 actually 53 00:02:56,040 --> 00:03:02,900 so yeah was one PDF zero day actually 54 00:03:00,329 --> 00:03:07,260 include two vulnerability within 55 00:03:02,900 --> 00:03:11,220 visiting one single file so this one is 56 00:03:07,260 --> 00:03:13,739 the zero day was detect by Phi they 57 00:03:11,220 --> 00:03:14,750 report by Phi so this one is very 58 00:03:13,739 
--> 00:03:17,549 special 59 00:03:14,750 --> 00:03:21,720 interesting because the only use robbed 60 00:03:17,549 --> 00:03:25,049 a jet with thought share code so that's 61 00:03:21,720 --> 00:03:26,970 something we didn't see before because 62 00:03:25,049 --> 00:03:30,450 really we talked about locked areas we 63 00:03:26,970 --> 00:03:33,000 see how to use the Rob gadget to initial 64 00:03:30,450 --> 00:03:34,768 the deliver next stage attack for 65 00:03:33,000 --> 00:03:38,959 example enables or shareholders 66 00:03:34,769 --> 00:03:42,930 collapsing right but this attack is very 67 00:03:38,959 --> 00:03:45,660 frustrated the use pure rubber gadget to 68 00:03:42,930 --> 00:03:47,540 replace the circle they don't need share 69 00:03:45,660 --> 00:03:52,109 code then eventually just the wrongs or 70 00:03:47,540 --> 00:03:56,099 maybe are you actually so here is the 71 00:03:52,109 --> 00:03:59,510 example for rob cadet tell thirteen part 72 00:03:56,099 --> 00:04:03,738 so again see the lab site is the first 73 00:03:59,510 --> 00:04:07,230 vulnerability used by this zero day 74 00:04:03,739 --> 00:04:09,450 review triggers or Rob danger to the 75 00:04:07,230 --> 00:04:12,929 tech curtain like here 76 00:04:09,450 --> 00:04:15,780 once the indirect off happen the coin to 77 00:04:12,930 --> 00:04:18,750 here we push the reacts and pops the ESP 78 00:04:15,780 --> 00:04:23,080 that's exactly the way to do the 79 00:04:18,750 --> 00:04:26,780 staggering so they have another 80 00:04:23,080 --> 00:04:30,560 explore to targeting sandbox pepper zero 81 00:04:26,780 --> 00:04:33,080 day so we use another carrier here to 82 00:04:30,560 --> 00:04:34,940 call ye acts and do very similar thing 83 00:04:33,080 --> 00:04:38,270 push EDX and pop 84 00:04:34,940 --> 00:04:40,160 yes P so this is a way people use your 85 00:04:38,270 --> 00:04:42,740 job carrier to do the stack 30 86 00:04:40,160 --> 00:04:45,770 of course this attack and lots of lots 87 00:04:42,740 
--> 00:04:47,419 of gadget if you want to understand more 88 00:04:45,770 --> 00:04:51,139 you can search online lots of people 89 00:04:47,419 --> 00:04:57,710 publish the eat here so today the topic 90 00:04:51,139 --> 00:05:00,350 we want to discuss is is the rock gadget 91 00:04:57,710 --> 00:05:03,888 is the way to only way to do that of 92 00:05:00,350 --> 00:05:08,449 course not because you can see people do 93 00:05:03,889 --> 00:05:11,660 a lot of research the retail aren't here 94 00:05:08,449 --> 00:05:15,080 programming just a one-off survey to 95 00:05:11,660 --> 00:05:17,570 deliver real skull right you can do the 96 00:05:15,080 --> 00:05:20,750 return based you can do the trunk paste 97 00:05:17,570 --> 00:05:22,729 and also you can do car based right so 98 00:05:20,750 --> 00:05:23,240 basically that's a concept for drop and 99 00:05:22,729 --> 00:05:26,690 the car 100 00:05:23,240 --> 00:05:31,060 I also leads to the reference here that 101 00:05:26,690 --> 00:05:37,430 two papers discuss this kind of attack 102 00:05:31,060 --> 00:05:41,479 so let's think about the return call and 103 00:05:37,430 --> 00:05:44,900 the charm the all the approach to real 104 00:05:41,479 --> 00:05:47,060 scope right but if we think about the 105 00:05:44,900 --> 00:05:50,840 vehicles from the branch transfer 106 00:05:47,060 --> 00:05:53,090 perspective so we can found actually we 107 00:05:50,840 --> 00:05:57,320 have lots of different combination or 108 00:05:53,090 --> 00:06:01,460 different approach to do the branch 109 00:05:57,320 --> 00:06:04,849 transfer to the rock real skull based on 110 00:06:01,460 --> 00:06:07,489 transfer for example here we know we 111 00:06:04,849 --> 00:06:10,969 have the written I actually we have near 112 00:06:07,490 --> 00:06:12,740 returned we have written for Trump 113 00:06:10,970 --> 00:06:15,410 that's very similar we have the 114 00:06:12,740 --> 00:06:17,840 Keynesian job then we have the new job 115 00:06:15,410 --> 
00:06:20,120 Quadra of course we have the direct job 116 00:06:17,840 --> 00:06:22,460 and English charm so your leave the 117 00:06:20,120 --> 00:06:25,370 vulnerability happen with the into our 118 00:06:22,460 --> 00:06:27,680 jump and also we have the call we have 119 00:06:25,370 --> 00:06:30,650 the new car in the foie gras ingre 120 00:06:27,680 --> 00:06:33,670 called drag car so the India calculate 121 00:06:30,650 --> 00:06:36,280 is the problem for 122 00:06:33,670 --> 00:06:38,050 some vulnerability sometimes of vanity 123 00:06:36,280 --> 00:06:40,750 happened due to the kind of instruction 124 00:06:38,050 --> 00:06:43,660 and we are that we also have to 125 00:06:40,750 --> 00:06:46,060 interrupt written this is very different 126 00:06:43,660 --> 00:06:49,090 one we will talk about later so we can 127 00:06:46,060 --> 00:06:53,380 use the index written to some very cool 128 00:06:49,090 --> 00:06:56,890 stuff so return is very straightforward 129 00:06:53,380 --> 00:06:58,450 we can see here so basically we have 130 00:06:56,890 --> 00:07:02,280 near return on the fire written the new 131 00:06:58,450 --> 00:07:05,950 written talk used like many times in the 132 00:07:02,280 --> 00:07:08,559 rock area we can do the second the 133 00:07:05,950 --> 00:07:10,870 inside written right so the far we the 134 00:07:08,560 --> 00:07:14,730 concept happen when you talk about 135 00:07:10,870 --> 00:07:19,120 different mode you want to switch the 136 00:07:14,730 --> 00:07:23,260 segment so I will discuss later we have 137 00:07:19,120 --> 00:07:28,510 lots of slides covers or with me 10 or 138 00:07:23,260 --> 00:07:30,460 gadget in wall 64 the windows windows a 139 00:07:28,510 --> 00:07:32,560 certain to our window fixed wall paint 140 00:07:30,460 --> 00:07:35,140 mode that's the compile phase amount to 141 00:07:32,560 --> 00:07:41,590 run the service will feed application on 142 00:07:35,140 --> 00:07:44,229 6 4 6 4 feet windows so for charm we 143 
00:07:41,590 --> 00:07:47,919 have the keynesian jar we have lots of 144 00:07:44,230 --> 00:07:51,100 conditional job right so basically this 145 00:07:47,920 --> 00:07:55,060 one can be used to construct some 146 00:07:51,100 --> 00:07:59,290 languages so that's me you can have some 147 00:07:55,060 --> 00:08:01,180 carriers linked by conditioned jump so 148 00:07:59,290 --> 00:08:03,460 if you inspect the carriage from the 149 00:08:01,180 --> 00:08:09,130 starting point that will be very long 150 00:08:03,460 --> 00:08:12,099 gadget so we also have the near jump and 151 00:08:09,130 --> 00:08:19,540 Foggia the fraud ramp also can be used 152 00:08:12,100 --> 00:08:22,150 to speech the segment we of course we 153 00:08:19,540 --> 00:08:24,280 have call into our car as a new kind of 154 00:08:22,150 --> 00:08:32,380 park off the park also can be used to 155 00:08:24,280 --> 00:08:33,689 switch the segment so iraq so this is 156 00:08:32,380 --> 00:08:37,210 the interesting one because you know 157 00:08:33,690 --> 00:08:41,070 surely areas will be used by kernel 158 00:08:37,210 --> 00:08:45,180 space after you handles or the 159 00:08:41,070 --> 00:08:47,550 userspace call then you can use area 310 160 00:08:45,180 --> 00:08:49,439 for Cisco and of course when the 161 00:08:47,550 --> 00:08:53,459 interrupt had been or some exception 162 00:08:49,440 --> 00:08:57,209 happens the routine in color space also 163 00:08:53,459 --> 00:09:01,829 need returned to your space with Iraq so 164 00:08:57,209 --> 00:09:05,880 the area view automatically switch the 165 00:09:01,829 --> 00:09:08,819 yes the code segment because you have to 166 00:09:05,880 --> 00:09:13,829 return to these three those code 167 00:09:08,819 --> 00:09:16,079 segments will include the privilege so 168 00:09:13,829 --> 00:09:20,040 you have to recover to the user space 169 00:09:16,079 --> 00:09:22,079 prove it so once the interrupter happens 170 00:09:20,040 --> 00:09:24,089 for example if in drop 
happen when the 171 00:09:22,079 --> 00:09:26,189 infra happens us if you will push a 172 00:09:24,089 --> 00:09:29,970 bunch of seeing our stack for example 173 00:09:26,190 --> 00:09:33,560 current SS ESP you flex yes VIP and 174 00:09:29,970 --> 00:09:37,620 error code so for certain pit and 175 00:09:33,560 --> 00:09:39,569 certain to emulation beat so only the 176 00:09:37,620 --> 00:09:42,000 privilege changes we will push all kinds 177 00:09:39,569 --> 00:09:47,189 of information otherwise we just push 178 00:09:42,000 --> 00:09:52,529 the flag and the CSEA IP and the error 179 00:09:47,190 --> 00:09:55,500 code but on c4p the Auggie's push SS 180 00:09:52,529 --> 00:10:00,660 ESPE blacks yes the IP and the error 181 00:09:55,500 --> 00:10:05,970 code if they have so now we talk about 182 00:10:00,660 --> 00:10:10,740 the rock defense and that past part so 183 00:10:05,970 --> 00:10:13,860 you know we have lots of defense already 184 00:10:10,740 --> 00:10:18,149 means there and also some coming so for 185 00:10:13,860 --> 00:10:20,819 example a couple years ago people did 186 00:10:18,149 --> 00:10:25,500 some research for keeping sir platinum 187 00:10:20,819 --> 00:10:30,180 chip answer to detect the raw and also a 188 00:10:25,500 --> 00:10:32,279 couple of people used p.m. 
you use the 189 00:10:30,180 --> 00:10:35,310 miss products these kind of seem to 190 00:10:32,279 --> 00:10:37,470 identify the drop drop attack and of 191 00:10:35,310 --> 00:10:40,800 course you know the latest windows 192 00:10:37,470 --> 00:10:43,589 already includes the CFG the control 193 00:10:40,800 --> 00:10:47,729 flow car that's in the Microsoft 194 00:10:43,589 --> 00:10:51,689 released already and also some research 195 00:10:47,730 --> 00:10:52,950 published some risk topic for hardware 196 00:10:51,689 --> 00:10:56,370 assistance 197 00:10:52,950 --> 00:11:00,019 CFI so control flow integrity and also 198 00:10:56,370 --> 00:11:03,769 some shadow stack this kind of thing so 199 00:11:00,019 --> 00:11:06,660 let's talk about couple different 200 00:11:03,769 --> 00:11:08,820 defense pattern that we can discuss the 201 00:11:06,660 --> 00:11:11,670 bypass so first thing we want to discuss 202 00:11:08,820 --> 00:11:14,310 is the keep answer so you know capacitor 203 00:11:11,670 --> 00:11:19,889 is the winner of the first blue hat 204 00:11:14,310 --> 00:11:23,489 prize couple years ago so it's also the 205 00:11:19,889 --> 00:11:27,360 first one to publicly use air we are the 206 00:11:23,490 --> 00:11:29,670 last pronged record so that's the bunch 207 00:11:27,360 --> 00:11:33,810 of information in intercept you can help 208 00:11:29,670 --> 00:11:35,729 you get the latest branch record 209 00:11:33,810 --> 00:11:39,420 information based on exactly we can 210 00:11:35,730 --> 00:11:41,910 check the ROC ROC policy this kind of 211 00:11:39,420 --> 00:11:44,550 scene and also this one mentions the 212 00:11:41,910 --> 00:11:48,389 policy of parts the copper seat of 213 00:11:44,550 --> 00:11:50,760 gadget so that means if you do return to 214 00:11:48,389 --> 00:11:54,120 a virtual place the whip law is limited 215 00:11:50,760 --> 00:11:58,079 tax data has the attack because think 216 00:11:54,120 --> 00:12:00,209 about it early once the car happen 
call 217 00:11:58,079 --> 00:12:03,959 instruction will push the return address 218 00:12:00,209 --> 00:12:05,518 on the on the stack the address will be 219 00:12:03,959 --> 00:12:07,589 the contacts in instruction 220 00:12:05,519 --> 00:12:10,410 so once the return happens issues land 221 00:12:07,589 --> 00:12:13,010 into the neck copper seed instruction 222 00:12:10,410 --> 00:12:16,050 right so that's very basic policy and 223 00:12:13,010 --> 00:12:18,390 also key bouncer use the run sequence of 224 00:12:16,050 --> 00:12:20,550 the short schedule so that's very 225 00:12:18,390 --> 00:12:23,660 interesting the assumes orc area the rob 226 00:12:20,550 --> 00:12:23,660 dagger should be shot 227 00:12:24,519 --> 00:12:35,170 that last very basic idea so here I list 228 00:12:30,959 --> 00:12:37,628 the graph from their paper so the idea 229 00:12:35,170 --> 00:12:40,240 basically is every time when you call 230 00:12:37,629 --> 00:12:42,279 into the critical API for example what 231 00:12:40,240 --> 00:12:45,939 report have so the view to the area 232 00:12:42,279 --> 00:12:49,120 check and to bunch of policy check right 233 00:12:45,939 --> 00:12:49,930 so that's the V key bouncer to the or 234 00:12:49,120 --> 00:12:54,160 drop T pass 235 00:12:49,930 --> 00:12:55,750 so because keep answer really rely on 236 00:12:54,160 --> 00:12:59,019 through three paths 237 00:12:55,750 --> 00:13:01,870 so first is area second is look call 238 00:12:59,019 --> 00:13:05,319 procedure policy the run is a shortcut 239 00:13:01,870 --> 00:13:10,089 yeah so let's talk about fer Presley so 240 00:13:05,319 --> 00:13:12,540 OPR is some MSR in inter CPU so 241 00:13:10,089 --> 00:13:17,230 basically you can enable area V the 242 00:13:12,540 --> 00:13:20,829 debug control Mesa then use the ms.fer 243 00:13:17,230 --> 00:13:23,500 silly act and that's not to select what 244 00:13:20,829 --> 00:13:27,329 kind of reactor you want for example you 245 00:13:23,500 --> 00:13:30,730 
only want to monitor rinse three so 246 00:13:27,329 --> 00:13:33,880 probably you want to disable in zero 247 00:13:30,730 --> 00:13:36,189 path so this video you can set as one if 248 00:13:33,880 --> 00:13:39,610 you don't want to record the GCC the 249 00:13:36,189 --> 00:13:43,240 keynesian job the temples or GCC b2 as 250 00:13:39,610 --> 00:13:46,329 as well so basically that's up to user 251 00:13:43,240 --> 00:13:47,529 to configure via then eventually the AVR 252 00:13:46,329 --> 00:13:51,008 regice 253 00:13:47,529 --> 00:13:52,870 in MSR will keep the all data you want 254 00:13:51,009 --> 00:13:57,339 of course we have some limitation 255 00:13:52,870 --> 00:14:00,130 because we cannot keep lots of resource 256 00:13:57,339 --> 00:14:03,810 for we are so based on architecture we 257 00:14:00,130 --> 00:14:08,019 keep up to maybe today up to 32 or 16 258 00:14:03,810 --> 00:14:12,969 MSR so here is the MSR you can use to 259 00:14:08,019 --> 00:14:15,100 read the area theater so basically from 260 00:14:12,970 --> 00:14:16,420 where dress is ones of branch happen 261 00:14:15,100 --> 00:14:19,149 what's your address 262 00:14:16,420 --> 00:14:23,319 and what sort to address and the tops is 263 00:14:19,149 --> 00:14:27,579 because the city will keep changing the 264 00:14:23,319 --> 00:14:29,949 area so the tops are as the index so you 265 00:14:27,579 --> 00:14:32,620 will know these tops you know what's the 266 00:14:29,949 --> 00:14:36,729 latest we are record and you can 267 00:14:32,620 --> 00:14:39,040 spec to get couple different locks so 268 00:14:36,730 --> 00:14:43,030 the basically idea to baptistry bouncer 269 00:14:39,040 --> 00:14:47,380 here is the OPR history flash so this 270 00:14:43,030 --> 00:14:50,770 one is exactly idea from inkless so in 271 00:14:47,380 --> 00:14:54,070 crates from UC Berkeley published the 272 00:14:50,770 --> 00:14:58,780 paper about this kind of research so he 273 00:14:54,070 --> 00:15:01,660 used couple 
different v2 paths or have 274 00:14:58,780 --> 00:15:05,410 we are with with the pistol flash so 275 00:15:01,660 --> 00:15:08,199 here he leased couple different KJ for 276 00:15:05,410 --> 00:15:12,490 example if he used a bunch of Trump and 277 00:15:08,200 --> 00:15:16,230 the retail this kind of scene so they 278 00:15:12,490 --> 00:15:20,500 could to flash the LG RVs the logic 279 00:15:16,230 --> 00:15:22,720 after you did real stuff so that means 280 00:15:20,500 --> 00:15:25,000 you give some critical part then you use 281 00:15:22,720 --> 00:15:28,090 lots of gadget to flash the help er 282 00:15:25,000 --> 00:15:31,150 because we only keep limited numbers so 283 00:15:28,090 --> 00:15:33,850 then you just flash so they cannot guess 284 00:15:31,150 --> 00:15:37,870 the record some record really hit 285 00:15:33,850 --> 00:15:39,910 through the critical part so and also he 286 00:15:37,870 --> 00:15:43,300 published couple different the another 287 00:15:39,910 --> 00:15:46,140 way is the switch the context-based so 288 00:15:43,300 --> 00:15:49,569 here is for example here like big low 289 00:15:46,140 --> 00:15:53,530 like Zack so no because our BR is 290 00:15:49,570 --> 00:15:56,350 crossed some resource cross all process 291 00:15:53,530 --> 00:15:59,290 so that means if you do some looking or 292 00:15:56,350 --> 00:16:02,080 something like that then other process 293 00:15:59,290 --> 00:16:06,939 could be scheduled at that time we also 294 00:16:02,080 --> 00:16:08,920 view mix air BIA record as latest one so 295 00:16:06,940 --> 00:16:11,920 that means all records will belong to 296 00:16:08,920 --> 00:16:15,939 another process so that's also one way 297 00:16:11,920 --> 00:16:17,740 to do the air via flash and also he 298 00:16:15,940 --> 00:16:20,770 mentioned a couple different ways so I 299 00:16:17,740 --> 00:16:24,340 suggest people can read his paper later 300 00:16:20,770 --> 00:16:26,970 to understand more approach so we 301 00:16:24,340 
--> 00:16:31,240 discuss couple different way to do the 302 00:16:26,970 --> 00:16:34,710 area flash so we will focus on this kind 303 00:16:31,240 --> 00:16:39,760 of new approach so first thing is here 304 00:16:34,710 --> 00:16:41,080 if we are given the starting area 305 00:16:39,760 --> 00:16:44,470 setting you enable 306 00:16:41,080 --> 00:16:47,440 a car based approach so then we have 307 00:16:44,470 --> 00:16:54,310 these kinds of valid gadget in existing 308 00:16:47,440 --> 00:16:56,530 software to cause the cop so for example 309 00:16:54,310 --> 00:16:58,810 if some vanellope happen when they 310 00:16:56,530 --> 00:17:02,589 happen and you can control the yi acts 311 00:16:58,810 --> 00:17:05,619 as a special number here the address 312 00:17:02,590 --> 00:17:10,630 here so you return to this instruction 313 00:17:05,619 --> 00:17:13,869 so this one will call the SP + 3 C so 314 00:17:10,630 --> 00:17:16,540 look at this tak if the three see point 315 00:17:13,869 --> 00:17:19,449 to the default then the code will come 316 00:17:16,540 --> 00:17:22,990 to default so the info code has the 317 00:17:19,450 --> 00:17:25,270 immediately in black branch e^x because 318 00:17:22,990 --> 00:17:27,940 the yaks controlled by attacker so this 319 00:17:25,270 --> 00:17:30,910 one applying to the 2 F 2 for example 320 00:17:27,940 --> 00:17:34,360 here so they come back right so you can 321 00:17:30,910 --> 00:17:37,150 do lots of loop for this one of course 322 00:17:34,360 --> 00:17:39,219 you know this cop based approach the 323 00:17:37,150 --> 00:17:42,160 stack will push push push 324 00:17:39,220 --> 00:17:45,130 right so eventually you can control the 325 00:17:42,160 --> 00:17:47,020 ESP plus 3 C point to the what repair 326 00:17:45,130 --> 00:17:50,820 tag for example I'm going to water 327 00:17:47,020 --> 00:17:54,220 further so this approach you see if the 328 00:17:50,820 --> 00:17:57,580 cop cashed by area you can flush area 329 00:17:54,220 --> 
00:18:01,230 right if not caught by area you just go 330 00:17:57,580 --> 00:18:06,399 into the area visas or paste or 331 00:18:01,230 --> 00:18:10,360 rocket base data so and also you can 332 00:18:06,400 --> 00:18:13,330 flash our BR plus probably with Iraq so 333 00:18:10,360 --> 00:18:16,540 the Iraq is something different right 334 00:18:13,330 --> 00:18:20,260 because area at worked for interest 335 00:18:16,540 --> 00:18:23,080 based routine you early so the interrupt 336 00:18:20,260 --> 00:18:25,180 could happen at any time so you don't 337 00:18:23,080 --> 00:18:26,169 have to write return you can clearly 338 00:18:25,180 --> 00:18:29,380 Stasi 339 00:18:26,170 --> 00:18:31,900 return shoot listen to call procedure 340 00:18:29,380 --> 00:18:34,060 instruction right but for area that 341 00:18:31,900 --> 00:18:36,910 could be the interrupts could happen at 342 00:18:34,060 --> 00:18:40,240 any place you cannot control right so 343 00:18:36,910 --> 00:18:42,790 you can do this kind of scene if air BR 344 00:18:40,240 --> 00:18:43,690 records the area then you can do lots of 345 00:18:42,790 --> 00:18:47,020 areas based 346 00:18:43,690 --> 00:18:49,570 flash so Africa if didn't you can 347 00:18:47,020 --> 00:18:51,639 directly use the Arab gadget so the 348 00:18:49,570 --> 00:18:53,679 rebounds 349 00:18:51,640 --> 00:18:56,560 will not catch that if you didn't enable 350 00:18:53,680 --> 00:19:00,370 so that's some new part so because today 351 00:18:56,560 --> 00:19:03,820 people talk a lot for Rob and maybe drop 352 00:19:00,370 --> 00:19:06,340 and but I didn't see people use the 353 00:19:03,820 --> 00:19:11,830 area based data yeah so this one will be 354 00:19:06,340 --> 00:19:14,260 very powerful in filter and also like we 355 00:19:11,830 --> 00:19:18,760 mentioned previously we can use the call 356 00:19:14,260 --> 00:19:21,550 procedure CAD yet to the area flash 357 00:19:18,760 --> 00:19:26,440 right so for example very similar code 358 
00:19:21,550 --> 00:19:28,810 here we have the ax a air equals zero if 359 00:19:26,440 --> 00:19:31,780 so someone will be happen greeting are 360 00:19:28,810 --> 00:19:35,139 somehow caused the address to to f2 at 361 00:19:31,780 --> 00:19:38,940 that time we keeps the stack as left 362 00:19:35,140 --> 00:19:45,330 side likely so we do the in black coffee 363 00:19:38,940 --> 00:19:50,520 exp plus 3 C so this one point to the 364 00:19:45,330 --> 00:19:55,629 Nandi for example this one point to zone 365 00:19:50,520 --> 00:19:58,510 98 a - so the 98 to view changes our 366 00:19:55,630 --> 00:20:02,350 stack because during this push push and 367 00:19:58,510 --> 00:20:08,080 the call you have three value on staff 368 00:20:02,350 --> 00:20:11,320 so this one jobs the yes key so adjust 369 00:20:08,080 --> 00:20:13,570 the SP and lam going through the stack 370 00:20:11,320 --> 00:20:16,270 you can control now after that you do 371 00:20:13,570 --> 00:20:18,580 return the return can return to course 372 00:20:16,270 --> 00:20:21,970 and that means the call next instruction 373 00:20:18,580 --> 00:20:26,740 right so like this then the SP can 374 00:20:21,970 --> 00:20:30,640 continue + 2 + 8 and recheck the year 375 00:20:26,740 --> 00:20:33,210 so if air equals zero we can continue so 376 00:20:30,640 --> 00:20:37,690 with this kind of approach you just 377 00:20:33,210 --> 00:20:41,410 flush the area with valid gadget right 378 00:20:37,690 --> 00:20:43,930 the return only happen call proceed 379 00:20:41,410 --> 00:20:47,220 instruction so you can easily bypass the 380 00:20:43,930 --> 00:20:51,100 policy right so that means today people 381 00:20:47,220 --> 00:20:55,080 still can use koppers it gadget to 382 00:20:51,100 --> 00:20:58,120 deliver enough attack so actually the 383 00:20:55,080 --> 00:21:01,020 nicholas Nicholas forms of UC Berkeley 384 00:20:58,120 --> 00:21:02,209 and look us from the Germany are also 385 00:21:01,020 --> 00:21:04,160 
published 386 00:21:02,210 --> 00:21:07,760 two different papers talked about this 387 00:21:04,160 --> 00:21:14,630 kind of issue though the valid gadget is 388 00:21:07,760 --> 00:21:17,930 enough to deliver the attack so beyond 389 00:21:14,630 --> 00:21:21,110 the ERP so approach people also use the 390 00:21:17,930 --> 00:21:25,760 branch based approach branch mister he 391 00:21:21,110 --> 00:21:29,419 approach so cross where people publish 392 00:21:25,760 --> 00:21:32,120 the in the mix written miss Paroo 393 00:21:29,420 --> 00:21:36,680 approach on Sandy Bridge a couple years 394 00:21:32,120 --> 00:21:39,469 ago on 15th 2013 I think so and I also 395 00:21:36,680 --> 00:21:42,560 did some research for in Oaxaca in your 396 00:21:39,470 --> 00:21:48,620 trunk faced miss per day so basically 397 00:21:42,560 --> 00:21:52,010 the idea is if CPU keep the EMU running 398 00:21:48,620 --> 00:21:54,830 so one thirds or performs premier is a 399 00:21:52,010 --> 00:21:57,350 performance monitoring event you need so 400 00:21:54,830 --> 00:22:01,040 in case people don't that so you can set 401 00:21:57,350 --> 00:22:06,949 the config the EMU to catch the mystery 402 00:22:01,040 --> 00:22:11,180 event so for we tend miss miss purty 403 00:22:06,950 --> 00:22:14,990 based event that discussed by crossed 404 00:22:11,180 --> 00:22:17,510 right people a couple years ago so you 405 00:22:14,990 --> 00:22:20,960 know the return just return if you use 406 00:22:17,510 --> 00:22:25,220 Iraq probably it cannot detect that 407 00:22:20,960 --> 00:22:28,970 because you have to config so a p.m. you 408 00:22:25,220 --> 00:22:31,310 and the p.m. 
you have to support this 409 00:22:28,970 --> 00:22:33,800 kind of see and a very different scene 410 00:22:31,310 --> 00:22:36,129 for areas in tribe had net arbitrary 411 00:22:33,800 --> 00:22:38,060 place how do you know this one is in a 412 00:22:36,130 --> 00:22:41,990 mystery or not right 413 00:22:38,060 --> 00:22:44,360 probably with the arid area faced gadget 414 00:22:41,990 --> 00:22:45,890 you can't have house right and also you 415 00:22:44,360 --> 00:22:47,810 can couple or you have a couple 416 00:22:45,890 --> 00:22:51,500 different approach to bypass miss per 417 00:22:47,810 --> 00:22:54,679 day for example you do the in your car 418 00:22:51,500 --> 00:22:58,820 you'd rather carry out under v10 that's 419 00:22:54,680 --> 00:23:01,670 all follow the rule you just return to 420 00:22:58,820 --> 00:23:03,740 expect either place those are returned 421 00:23:01,670 --> 00:23:05,600 miss pertree never happen right so if 422 00:23:03,740 --> 00:23:08,800 you do this kind of move you also can 423 00:23:05,600 --> 00:23:10,870 finish the raw 424 00:23:08,800 --> 00:23:12,639 culture yours of course that's really 425 00:23:10,870 --> 00:23:15,219 depends on the on the rate here and the 426 00:23:12,640 --> 00:23:17,530 how many calories you need if while to 427 00:23:15,220 --> 00:23:20,110 us we gadget enough probably we can 428 00:23:17,530 --> 00:23:23,260 figure this kind of can yet Valley 429 00:23:20,110 --> 00:23:26,139 approach to team go to attack and also 430 00:23:23,260 --> 00:23:27,970 you can use drop because Museum expire 431 00:23:26,140 --> 00:23:31,930 you just focus on return you can get 432 00:23:27,970 --> 00:23:34,860 struck to deliver sort of drop gaya so 433 00:23:31,930 --> 00:23:38,140 and also we can use the cop drop drop 434 00:23:34,860 --> 00:23:41,679 combined gadget to deliver attack for 435 00:23:38,140 --> 00:23:44,260 example here the into a car into a car 436 00:23:41,680 --> 00:23:46,270 control gadget and the return 
to the 437 00:23:44,260 --> 00:23:48,640 interact romp and the change to another 438 00:23:46,270 --> 00:23:53,100 gadget so and also you can do the into a 439 00:23:48,640 --> 00:23:56,470 condo unit ramp and get for example here 440 00:23:53,100 --> 00:23:59,050 for example here so you can use the 441 00:23:56,470 --> 00:24:02,410 valid gadget here if you're coming to 442 00:23:59,050 --> 00:24:04,750 this instruction the if the EDX is 443 00:24:02,410 --> 00:24:06,910 controlled its acts control your ex know 444 00:24:04,750 --> 00:24:10,000 and you react control then we can jump 445 00:24:06,910 --> 00:24:12,280 to EDX if so u DX for example jump to 446 00:24:10,000 --> 00:24:16,870 here then you can just that you actually 447 00:24:12,280 --> 00:24:21,610 copies or provide from the ex2 the 448 00:24:16,870 --> 00:24:23,469 argument are given one right so you can 449 00:24:21,610 --> 00:24:25,479 do this kind of scene they will never 450 00:24:23,470 --> 00:24:28,420 trigger the reason miss party because 451 00:24:25,480 --> 00:24:31,660 that's all follow through if car and 452 00:24:28,420 --> 00:24:33,970 push the return address on stack and if 453 00:24:31,660 --> 00:24:38,440 return landing to the expected or 454 00:24:33,970 --> 00:24:40,210 address so and also for in we are 455 00:24:38,440 --> 00:24:42,250 calling in to our charm face to mean 456 00:24:40,210 --> 00:24:45,670 spreading you can use couple different 457 00:24:42,250 --> 00:24:47,560 way to avoid the miss per day sometimes 458 00:24:45,670 --> 00:24:51,480 that's really it depends on the risk 459 00:24:47,560 --> 00:24:54,550 condition so for control flow graph 460 00:24:51,480 --> 00:24:56,740 because we have lived at the time so I 461 00:24:54,550 --> 00:24:58,659 will not he's got too much so basically 462 00:24:56,740 --> 00:25:00,670 the control flow car is approached from 463 00:24:58,660 --> 00:25:03,250 Microsoft every time you do the into a 464 00:25:00,670 --> 00:25:04,870 car if 
you check the indirect call to make sure

465
00:25:03,250 --> 00:25:07,570
the indirect call lands to the right

466
00:25:04,870 --> 00:25:09,850
address, the entry of the function, otherwise

467
00:25:07,570 --> 00:25:12,399
it will block. So couple people publish

468
00:25:09,850 --> 00:25:15,879
the research here and also this year, one

469
00:25:12,400 --> 00:25:17,420
Black Hat, we have topic about Control Flow

470
00:25:15,880 --> 00:25:20,600
Guard, so I

471
00:25:17,420 --> 00:25:23,390
you can check the reference, and also

472
00:25:20,600 --> 00:25:26,270
for hardware-based control flow

473
00:25:23,390 --> 00:25:29,840
integrity, the approach is: today we can

474
00:25:26,270 --> 00:25:31,910
do arbitrary return, right, a call and the

475
00:25:29,840 --> 00:25:35,149
jump, right, so eventually it's possible

476
00:25:31,910 --> 00:25:37,930
CPU provides the capability, the hardware

477
00:25:35,150 --> 00:25:40,850
provides the capability, you only can

478
00:25:37,930 --> 00:25:44,300
land into some place with a certain

479
00:25:40,850 --> 00:25:46,669
tag, for example if you return you should

480
00:25:44,300 --> 00:25:49,250
return to some place to indicate this is

481
00:25:46,670 --> 00:25:52,220
the place allowed to return, otherwise you

482
00:25:49,250 --> 00:25:57,220
will get a fault, right. So this paper

483
00:25:52,220 --> 00:26:00,440
published by look at talk box or however

484
00:25:57,220 --> 00:26:03,560
enhanced our document, so basically the

485
00:26:00,440 --> 00:26:06,650
thing here is, in this kind of policy, if

486
00:26:03,560 --> 00:26:09,020
you have to land into the place with a

487
00:26:06,650 --> 00:26:11,840
label, means that that's always valid

488
00:26:09,020 --> 00:26:13,970
gadget, right, we try to skip the unintended

489
00:26:11,840 --> 00:26:16,909
gadget. Now you only can return

490
00:26:13,970 --> 00:26:19,730
to the call-preceded instruction, so

491
00:26:16,910 --> 00:26:24,080
call into the function entry, the jump

492
00:26:19,730 --> 00:26:26,600
going to the place should be the landing

493
00:26:24,080 --> 00:26:29,060
pad or the label, this kind of thing,

494
00:26:26,600 --> 00:26:31,189
so that's all belong to valid gadget;

495
00:26:29,060 --> 00:26:33,290
that means in future if we have this

496
00:26:31,190 --> 00:26:35,900
kind of capability, you have to use the

497
00:26:33,290 --> 00:26:39,170
valid gadget to initiate your attack,

498
00:26:35,900 --> 00:26:41,150
otherwise it doesn't work, right. So today

499
00:26:39,170 --> 00:26:41,660
if you look at the ROP attacks, that's

500
00:26:41,150 --> 00:26:45,760
all

501
00:26:41,660 --> 00:26:45,760
almost based on unintended gadgets.

502
00:26:46,180 --> 00:26:51,080
Another approach could be used to

503
00:26:48,350 --> 00:26:53,810
defend ROP is the shadow stack; that

504
00:26:51,080 --> 00:26:57,919
means every time the call happens we put

505
00:26:53,810 --> 00:26:59,810
the value on the shadow stack, and

506
00:26:57,920 --> 00:27:02,360
when the return happens, we check that

507
00:26:59,810 --> 00:27:04,669
to make sure that's matched, so that's

508
00:27:02,360 --> 00:27:07,280
pretty much very close to the, with a

509
00:27:04,670 --> 00:27:10,430
nice project, because actually the RSB

510
00:27:07,280 --> 00:27:13,220
in current CPU, they have limited

511
00:27:10,430 --> 00:27:16,460
buffer for shadow stack, very similar

512
00:27:13,220 --> 00:27:18,860
stuff. So but if you do this kind of

513
00:27:16,460 --> 00:27:21,080
thing, then that means you also rely on

514
00:27:18,860 --> 00:27:25,459
the valid gadget, you only can use valid

515
00:27:21,080 --> 00:27:28,280
gadget to attack. So now we talk

516
00:27:25,460 --> 00:27:30,240
about the valid gadget here, so first

517
00:27:28,280 --> 00:27:33,180
thing I want to discuss is stack pivot,

518
00:27:30,240 --> 00:27:35,460
so we saw the case here, they use

519
00:27:33,180 --> 00:27:38,240
the unintended code to do stack pivot,

520
00:27:35,460 --> 00:27:40,530
right, so we will show how to do the valid

521
00:27:38,240 --> 00:27:43,890
gadget based stack pivoting, and

522
00:27:40,530 --> 00:27:45,870
another mechanism here is, in

523
00:27:43,890 --> 00:27:48,090
64-bit, the iret can be used to do

524
00:27:45,870 --> 00:27:51,719
the stack pivot. The thing is very

525
00:27:48,090 --> 00:27:54,060
simple, because every time the SS, ESP,

526
00:27:51,720 --> 00:27:56,160
EFLAGS and the CS, EIP, of course if you

527
00:27:54,060 --> 00:27:59,669
have the error code, will be pushed

528
00:27:56,160 --> 00:28:02,520
on the stack, right; when the iret

529
00:27:59,670 --> 00:28:07,260
happens we will pop, so you can, if you

530
00:28:02,520 --> 00:28:09,780
push some special value on the stack

531
00:28:07,260 --> 00:28:13,740
as ESP, then simply just directly

532
00:28:09,780 --> 00:28:15,720
install the ESP as a stack, so that's

533
00:28:13,740 --> 00:28:20,540
pretty much very easy to do the

534
00:28:15,720 --> 00:28:23,370
stack pivoting, especially in the 64-bit OS.

535
00:28:20,540 --> 00:28:25,770
But here I want to show another approach

536
00:28:23,370 --> 00:28:28,409
to the stack pivoting, because think about the

537
00:28:25,770 --> 00:28:30,780
valid code itself could have all kinds of

538
00:28:28,410 --> 00:28:33,450
different logic, so for example here

539
00:28:30,780 --> 00:28:35,760
that's a very interesting gadget in your

540
00:28:33,450 --> 00:28:38,640
software: when you call this function

541
00:28:35,760 --> 00:28:40,410
they do a bunch of things, but the most

542
00:28:38,640 --> 00:28:43,800
interesting thing is they will use the

543
00:28:40,410 --> 00:28:46,620
first parameter as ESP; so

544
00:28:43,800 --> 00:28:50,070
that means first time you call this one,

545
00:28:46,620 --> 00:28:52,229
you just push the first parameter as

546
00:28:50,070 --> 00:28:54,629
what you want, that is directly

547
00:28:52,230 --> 00:28:57,720
installing the value into ESP, so

548
00:28:54,630
--> 00:29:00,570
that's straightforward to the stack pivoting, so

549
00:28:57,720 --> 00:29:03,060
after that you can do bunch of gadgets,

550
00:29:00,570 --> 00:29:04,860
for example call to the second parameter,

551
00:29:03,060 --> 00:29:07,409
then you will go through this kind of

552
00:29:04,860 --> 00:29:10,320
valid instruction, we call the stack

553
00:29:07,410 --> 00:29:14,780
based function, so that's pretty much

554
00:29:10,320 --> 00:29:18,629
very easy to kick off the stack pivoting.

555
00:29:14,780 --> 00:29:22,620
So even we have all kinds of solution,

556
00:29:18,630 --> 00:29:25,200
the valid gadget is enough, so for

557
00:29:22,620 --> 00:29:28,040
example mekin

558
00:29:25,200 --> 00:29:31,350
last year did the talk at Black Hat,

559
00:29:28,040 --> 00:29:34,379
so the basic idea here I want to

560
00:29:31,350 --> 00:29:37,350
introduce is, think about the JavaScript

561
00:29:34,380 --> 00:29:37,690
engine. So today we use JavaScript, this

562
00:29:37,350 --> 00:29:40,299
can,

563
00:29:37,690 --> 00:29:42,279
right, so think about, if the JavaScript

564
00:29:40,299 --> 00:29:44,799
from the script level you call

565
00:29:42,279 --> 00:29:48,519
some function with the parameter, the

566
00:29:44,799 --> 00:29:51,250
prototype exactly, exactly like

567
00:29:48,519 --> 00:29:54,730
some other API; if we do the actual

568
00:29:51,250 --> 00:29:58,029
rewrite, we can change the callback of

569
00:29:54,730 --> 00:30:01,409
vtable from the memory, now every time

570
00:29:58,029 --> 00:30:02,529
you call some JavaScript object

571
00:30:01,409 --> 00:30:05,320
based

572
00:30:02,529 --> 00:30:07,990
method, so eventually we can redirect

573
00:30:05,320 --> 00:30:11,168
that to the API call, that means that's

574
00:30:07,990 --> 00:30:14,559
the cross-dimension, means we call the API

575
00:30:11,169 --> 00:30:20,129
from script level. So this is the exact

576
00:30:14,559 --> 00:30:22,600
topic he mentioned, like

577
00:30:20,129 -->
00:30:24,730
interdimensional execution; with that we

578
00:30:22,600 --> 00:30:28,449
never go against the valid gadget,

579
00:30:24,730 --> 00:30:31,000
because all gadgets are created by the

580
00:30:28,450 --> 00:30:33,940
engine, now that's all valid code; here

581
00:30:31,000 --> 00:30:36,879
the thing is just about how you call these

582
00:30:33,940 --> 00:30:39,159
kinds of API as you want. Of course

583
00:30:36,879 --> 00:30:41,139
probably you need some arbitrary write

584
00:30:39,159 --> 00:30:45,269
vulnerability to change the vtable like

585
00:30:41,139 --> 00:30:49,990
that, so this is a very interesting topic.

586
00:30:45,269 --> 00:30:52,570
So now I talk about some very

587
00:30:49,990 --> 00:30:54,370
interesting stuff in WoW64, because I

588
00:30:52,570 --> 00:30:57,129
only have six minutes, I will go very

589
00:30:54,370 --> 00:30:59,678
fast. But we talked about the WoW64, so

590
00:30:57,129 --> 00:31:02,500
what WoW64 is, it comes in, you can run

591
00:30:59,679 --> 00:31:05,460
the 32-bit code on 64-bit

592
00:31:02,500 --> 00:31:09,159
Windows, right; we have a couple different

593
00:31:05,460 --> 00:31:10,899
components to support that, so they have

594
00:31:09,159 --> 00:31:13,600
three different components: wow64.dll

595
00:31:10,899 --> 00:31:14,949
and wow64win.dll and also

596
00:31:13,600 --> 00:31:16,449
wow64cpu.dll, so this is very

597
00:31:14,950 --> 00:31:19,929
interesting because this one actually

598
00:31:16,450 --> 00:31:23,679
controls the CPU mode switch. So let's

599
00:31:19,929 --> 00:31:26,139
look at that. So before we have heaven's gate code,

600
00:31:23,679 --> 00:31:28,509
we introduce the basic concepts for

601
00:31:26,139 --> 00:31:31,479
logical address translate to linear address,

602
00:31:28,509 --> 00:31:34,629
so basically that's through the segment

603
00:31:31,480 --> 00:31:37,419
and segment table, this kind of thing. So

604
00:31:34,629 --> 00:31:39,840
every time, as you know, if you use a

605
00:31:37,419 --> 00:31:42,040
segment selector, they have

606
00:31:39,840 --> 00:31:46,629
different definitions, for example here

607
00:31:42,040 --> 00:31:49,600
that's the index and this is

608
00:31:46,630 --> 00:31:50,020
indicating that's in GDT or LDT, and also

609
00:31:49,600 --> 00:31:53,139
up here,

610
00:31:50,020 --> 00:31:56,520
so the selector itself will be used to

611
00:31:53,140 --> 00:32:00,220
search in the GDT or LDT to get the

612
00:31:56,520 --> 00:32:02,080
selector, the segment descriptor, so

613
00:32:00,220 --> 00:32:04,360
the segment descriptor, you'll have bunch

614
00:32:02,080 --> 00:32:07,240
of definitions, but here the interesting

615
00:32:04,360 --> 00:32:11,260
thing is the L bit, so this one indicates

616
00:32:07,240 --> 00:32:14,680
the code is 64-bit or 32-bit, so this is

617
00:32:11,260 --> 00:32:17,830
very interesting. So now in 64-bit

618
00:32:14,680 --> 00:32:19,930
Windows, they use

619
00:32:17,830 --> 00:32:22,360
a bunch of different segments,

620
00:32:19,930 --> 00:32:26,140
but here the interesting part is in the

621
00:32:22,360 --> 00:32:30,850
segment 33, this one is for

622
00:32:26,140 --> 00:32:34,810
64-bit code; the segment 23, that

623
00:32:30,850 --> 00:32:37,449
one is for 32-bit, so this is a very

624
00:32:34,810 --> 00:32:41,740
interesting part. So if you look at the

625
00:32:37,450 --> 00:32:44,890
code, how they transfer mode, for example

626
00:32:41,740 --> 00:32:47,740
we look at this one, that's the wow64

627
00:32:44,890 --> 00:32:51,190
NtQueryVirtualMemory, so this point

628
00:32:47,740 --> 00:32:55,360
is WoW64: if you call this call

629
00:32:51,190 --> 00:32:59,500
in ntdll, 32-bit ntdll, so we will

630
00:32:55,360 --> 00:33:03,490
come to a part of CFC 0, this point clip

631
00:32:59,500 --> 00:33:05,800
1 address for the translation, the switch

632
00:33:03,490 --> 00:33:07,990
call, so for example this one
point to

633
00:33:05,800 --> 00:33:12,310
here, so this is very straightforward,

634
00:33:07,990 --> 00:33:15,580
that's a part of, they use far jump, jump to

635
00:33:12,310 --> 00:33:19,860
the address, the selector is 33; after

636
00:33:15,580 --> 00:33:23,050
that our code will run in 64-bit mode, so

637
00:33:19,860 --> 00:33:25,959
after the finish of the request we

638
00:33:23,050 --> 00:33:28,419
will switch back to the 32-bit; so

639
00:33:25,960 --> 00:33:30,520
they use the far jump, also used in the

640
00:33:28,420 --> 00:33:33,550
part of switch back, and also beyond that

641
00:33:30,520 --> 00:33:36,310
they also could use the iretq

642
00:33:33,550 --> 00:33:38,379
like that. So because wow64cpu

643
00:33:36,310 --> 00:33:40,750
has different implementations,

644
00:33:38,380 --> 00:33:43,450
they have part of place in user space

645
00:33:40,750 --> 00:33:47,650
to use iretq to return to the

646
00:33:43,450 --> 00:33:50,919
different address. So now the

647
00:33:47,650 --> 00:33:53,259
interesting thing happens, so think about

648
00:33:50,919 --> 00:33:58,210
the 32-bit code and 64-bit code

649
00:33:53,259 --> 00:34:00,249
share same memory space, actually not

650
00:33:58,210 --> 00:34:03,340
exactly same, but that means those

651
00:34:00,249 --> 00:34:04,509
32-bit code also belongs to part

652
00:34:03,340 --> 00:34:07,389
of the 64-bit,

653
00:34:04,509 --> 00:34:10,599
so inside the 32-bit code you can access

654
00:34:07,389 --> 00:34:13,029
64-bit code; in 64-bit code also

655
00:34:10,599 --> 00:34:15,460
you can access the 32-bit code, also

656
00:34:13,030 --> 00:34:18,460
32-bit, so that's not exactly the same

657
00:34:15,460 --> 00:34:19,839
address space but they overlap; if you do

658
00:34:18,460 --> 00:34:23,440
that, that's very interesting because

659
00:34:19,839 --> 00:34:25,869
some of the 64-bit code, compiler can treat

660
00:34:23,440 --> 00:34:28,270
that as
32-bit code, like a little

661
00:34:25,869 --> 00:34:31,270
bit isolated, but the problem is once

662
00:34:28,270 --> 00:34:33,909
the CPU decodes the

663
00:34:31,270 --> 00:34:37,929
instruction as current mode, for example

664
00:34:33,909 --> 00:34:41,500
if you go in through the gate, now you run

665
00:34:37,929 --> 00:34:44,889
the code; now if the op

666
00:34:41,500 --> 00:34:47,859
code is correct you just run the code as

667
00:34:44,889 --> 00:34:51,179
32-bit, but the problem is the

668
00:34:47,859 --> 00:34:54,098
original intention for this code is for

669
00:34:51,179 --> 00:34:58,150
64-bit, so this is a very interesting

670
00:34:54,099 --> 00:35:00,599
problem. So basically in current Windows

671
00:34:58,150 --> 00:35:06,010
Microsoft implemented a kind of scheme; the

672
00:35:00,599 --> 00:35:09,910
scheme has different segments, but all

673
00:35:06,010 --> 00:35:11,680
segments can access the same code, so

674
00:35:09,910 --> 00:35:16,058
that's a big problem, because

675
00:35:11,680 --> 00:35:18,940
think about the valid gadget means the

676
00:35:16,059 --> 00:35:22,059
compiler compiled that as valid as well,

677
00:35:18,940 --> 00:35:24,609
right, so now you get valid code, valid

678
00:35:22,059 --> 00:35:25,420
code itself compiled by x64, but the

679
00:35:24,609 --> 00:35:30,069
code is seen

680
00:35:25,420 --> 00:35:34,540
totally different, totally different

681
00:35:30,069 --> 00:35:41,009
thing in 32-bit mode, so that cross-mode,

682
00:35:34,540 --> 00:35:44,470
that's a problem. So this is a

683
00:35:41,010 --> 00:35:48,040
key point I want to make: even you

684
00:35:44,470 --> 00:35:50,589
have all kinds of defense policy, but this

685
00:35:48,040 --> 00:35:52,990
is a big problem, because you can see

686
00:35:50,589 --> 00:35:56,200
I compile the code with all kinds of

687
00:35:52,990 --> 00:35:58,689
policy in 64-bit, you eventually

688
00:35:56,200 --> 00:36:02,710
get a
64-bit binary, but the same code

689
00:35:58,690 --> 00:36:03,330
section can be parsed and run as

690
00:36:02,710 --> 00:36:05,340
32-bit

691
00:36:03,330 --> 00:36:08,220
with totally different meaning, so that's a

692
00:36:05,340 --> 00:36:12,930
problem, right. And also the interesting

693
00:36:08,220 --> 00:36:17,700
part here is, even the native 64-bit

694
00:36:12,930 --> 00:36:21,750
code itself, even without the 32-bit WoW

695
00:36:17,700 --> 00:36:23,939
inside, you still can switch from 64-bit

696
00:36:21,750 --> 00:36:24,450
code to 32-bit code, that's a big

697
00:36:23,940 --> 00:36:27,660
problem.

698
00:36:24,450 --> 00:36:29,640
So basically I skipped a bunch of

699
00:36:27,660 --> 00:36:34,980
slides because I have limited time,

700
00:36:29,640 --> 00:36:37,379
so the key problem here is lots of unintended

701
00:36:34,980 --> 00:36:40,590
valid code could exist in WoW64

702
00:36:37,380 --> 00:36:44,220
module; so from 32-bit you can call a

703
00:36:40,590 --> 00:36:47,300
bunch of them compiled as 64-bit code,

704
00:36:44,220 --> 00:36:50,759
but think about if you switch the

705
00:36:47,300 --> 00:36:54,540
mode from 32-bit to 64-bit, that

706
00:36:50,760 --> 00:36:57,420
means all the internal code in the 32-bit base

707
00:36:54,540 --> 00:37:01,290
could be available for 64-bit code, maybe

708
00:36:57,420 --> 00:37:04,110
with different meaning, right. And another

709
00:37:01,290 --> 00:37:06,270
big problem here is, even native 64-bit

710
00:37:04,110 --> 00:37:11,250
without WoW64 mode, you still can

711
00:37:06,270 --> 00:37:14,370
trigger the 32-bit segment, because

712
00:37:11,250 --> 00:37:17,040
probably the implementation is ready to

713
00:37:14,370 --> 00:37:20,400
use later; but that means in the

714
00:37:17,040 --> 00:37:22,380
64-bit application, in fact, at the bundle

715
00:37:20,400 --> 00:37:24,870
breaking you can trigger that and still

716
00:37:22,380 --> 00:37:27,540
32-bit, now you still can run

717
00:37:24,870 --> 00:37:28,370
32-bit if they have, so that's very

718
00:37:27,540 --> 00:37:31,080
interesting.

719
00:37:28,370 --> 00:37:34,410
So last thing I want to mention is, we

720
00:37:31,080 --> 00:37:36,540
talked about a bunch of approaches to defend

721
00:37:34,410 --> 00:37:39,299
against ROP, these kinds of attack, so

722
00:37:36,540 --> 00:37:42,450
actually the problem is today we still

723
00:37:39,300 --> 00:37:45,540
cannot fully defend against this kind of attack,

724
00:37:42,450 --> 00:37:46,439
so from the concept perspective I want

725
00:37:45,540 --> 00:37:49,230
to mention

726
00:37:46,440 --> 00:37:51,360
probably we need some solution like branch

727
00:37:49,230 --> 00:37:53,220
transfer exact control, so think about

728
00:37:51,360 --> 00:37:56,250
every time, if the branch transfer happens,

729
00:37:53,220 --> 00:37:59,669
we can have the mechanism to do the

730
00:37:56,250 --> 00:38:01,760
checks with some policy, see if this transfer

731
00:37:59,670 --> 00:38:04,050
is valid or not; probably that's the

732
00:38:01,760 --> 00:38:07,710
approach in future, we can stop the

733
00:38:04,050 --> 00:38:08,490
ROP attack, the JOP or COP or

734
00:38:07,710 --> 00:38:10,980
whatever,

735
00:38:08,490 --> 00:38:15,439
a similar closing your space back, so

736
00:38:10,980 --> 00:38:15,440
quickly, that's all, thank you very much.

737
00:38:17,850 --> 00:38:22,540
[Applause]

738
00:38:19,270 --> 00:38:26,150
So if you have questions we can discuss

739
00:38:22,540 --> 00:38:28,360
offline, because I guess already run out of

740
00:38:26,150 --> 00:38:28,360
that.