当前位置:首页 > 报告详情

失控:KCFG 和 KCET 如何重新定义 Windows 内核中的控制流完整性.pdf

上传人: 竿*** 编号:981900 2025-11-29 36页 2.57MB

1、#BHUSA BlackHatEventsOut Of Control:How KCFG and Out Of Control:How KCFG and KCET Redefine Control Flow KCET Redefine Control Flow Integrity in the Windows KernelIntegrity in the Windows KernelConnor McGarr 33y0reSoftware Engineer,Prelude Security#BHUSA BlackHatEventsAbout Software Engineer at Prelu

2、de SecurityPreviously Software Engineer at CrowdStrike on the Windows Sensor Team Blog:connormcgarr.github.ioWindows OS internals,exploit mitigations,browser and kernel exploitation,malware,reverse engineering articles I like C,Assembly,Operating Systems,and Hypervisors!#BHUSA BlackHatEventsIntroduc

3、tion To Control Flow Integrity Most exploits require two things:1.Ability to hijack the legitimate execution(control flow)of an application/operating system2.Use the above primitive to execute some malicious code Control Flow Integrity(CFI)attempts to address the first problem by verifying and mitig

4、ating attempts to alter the target of a control-flow transferCalls/jmps are forwards-edge control-flow transfersReturns are backwards-edge control-flow transfers#BHUSA BlackHatEventsControl Flow Guard Control Flow Guard is Windows version of forwards-edge CFIPresent in user-mode since Windows 8.1(as

5、 an optional update)All indirect call targets which are known at compile-time are stored in a read-only,kernel-protected(and per-process)“CFG bitmap”User-mode address space is 128 TB on 64-bit Windowsthere are 128 TB of possible call targets(in theory),but the compiler should generate call targets a

6、t 16-byte(0 x10)boundaries128 TB/16 bytes=8 TB of potential targets8 TB*2 bits(denotes the“state”for every 16 bytes)=2 TB CFG bitmap sizeMemory manager performs some optimizationsIndirect call/jmps are replaced with“thunks”that first check the CFG bitmap for bits related to the call target before tr

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
根据文章内容,以下是全文关键点的概括: 1. **控制流完整性(CFI)**:旨在防止攻击者通过改变程序执行流程来执行恶意代码。 2. **控制流保护(CFG)**:Windows的向前边缘CFI,存储已知调用目标在只读的CFG位图中。 3. **向后边缘CFI**:由于CFG的限制,攻击者转向使用返回地址篡改,因此Intel CET和AMD Shadow Stack提供向后边缘保护。 4. **KCFG**:内核模式CFG,自Windows 10 1703起提供,通过SLAT和VBS增强安全性。 5. **KCET**:内核CET,保护内核返回地址,自Windows 11 22H2起提供,需要HVCI支持。 6. **VBS**:虚拟化基于安全,通过SLAT和虚拟信任级别提供额外的安全层。 7. **KXFG**:扩展CFI,旨在提供更细粒度的控制,但已弃用。 8. **KCET的挑战**:处理对影子堆栈的写入,需要SLAT和特殊的SSS位支持。 9. **结论**:KCFG和KCET显著提高了攻击难度,但仍有研究空间和潜在漏洞。
KCFG如何守护控制流?" 硬件加持下的控制流完整性新篇章?" Windows内核如何抵御内核攻击?"
客服
商务合作
小程序
服务号
折叠