
How do code-reuse attacks bypass Windows 10 security features?

Certain Windows 10 security features can be bypassed with code-reuse attacks. Expert Michael Cobb explains how that works and what can be done to prevent it.

A new attack technique developed by Endgame researchers uses counterfeit object-oriented programming to bypass the Control Flow Integrity (CFI) defenses in Windows 10. What is counterfeit object-oriented programming? What changes need to be made to CFI implementations to prevent it?

There are various knock-on effects whenever software developers and vendors introduce new security controls into their products. The most obvious, assuming the control is effective, is that existing attacks exploiting the weakness it mitigates stop working. Attackers then turn to other exploits that are known to still be effective. Finally, the more sophisticated among them study how the control works and whether it can be circumvented, revisiting it whenever better techniques or resources become available.

For example, for a long time, attackers exploited memory-related vulnerabilities, such as buffer overflows, to hijack the control flow of software applications. The deployment of data execution prevention (DEP) countermeasures quickly made these code injection attacks infeasible.

Hackers reacted by switching to code-reuse attacks to exploit memory corruption vulnerabilities. Code-reuse techniques such as return-oriented programming don't need to inject code; they induce malicious program behavior by misusing chunks of code already residing in the attacked application's address space.

One technique applied in code-reuse attacks that hasn't appeared in exploit kits yet is called counterfeit object-oriented programming (COOP), a code-reuse attack targeting applications developed in C++, and possibly other object-oriented languages. It was first documented in a paper for the 2015 IEEE Symposium on Security, and it can bypass the majority of defenses against code-reuse attacks by reusing dynamically bound functions -- those accessed through global offset tables and virtual function tables.

Researchers at the cybersecurity software company Endgame decided to evaluate how effective Microsoft's implementation of Control Flow Integrity, called Control Flow Guard (CFG), and Endgame's own offering, HA-CFI, would be against a cutting-edge attack using COOP.

CFI was introduced by Microsoft to harden Windows 10, as it can prevent attacks built on exploits that subvert machine code execution. It also provides a useful foundation for enforcing further security policies, such as policies that constrain the use of data memory.

The researchers carried out a theoretical COOP attack targeting Microsoft Edge, a CFG-hardened application on Windows 10. The technique involved placing a COOP payload in memory using JavaScript, which enabled them to reuse existing code and divert execution down a different path, bypassing CFI even though it is specifically designed to prevent such diversions.

What this means is that CFI implementations need to be more aware of object-oriented C++ semantics, and that improved mitigations against code-reuse attacks need to be developed before COOP attacks become a mainstream weapon of choice.
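As an added illustration of the distinction drawn above (this is not code from the article or from Endgame's research), here is a toy model comparing a coarse-grained CFI check, which accepts any known virtual-call target at any indirect call site, with a policy that knows the C++ class hierarchy and restricts a virtual call site to the overrides its static type can legitimately reach. The Shape/Logger hierarchy and the helper names are invented for the example.

```cpp
// Added toy model (not the article's or Endgame's code): two CFI policies for
// C++ virtual calls, with an invented class hierarchy standing in for a program.
#include <map>
#include <set>
#include <string>
// Class -> parent ("" for a root) and the function symbol the class provides
// for each virtual slot, keyed "Base::method". Every named parent must exist.
struct ClassInfo { std::string parent; std::map<std::string, std::string> impls; };
using Hierarchy = std::map<std::string, ClassInfo>;

// Coarse-grained policy (CFG-style): any function that is a virtual-call target
// somewhere in the program is a valid target at every indirect call site.
bool coarseAllows(const Hierarchy& h, const std::string& target) {
    for (const auto& c : h)
        for (const auto& i : c.second.impls)
            if (i.second == target) return true;
    return false;
}

// Type-aware policy: for a call site whose static type is staticClass invoking
// slot, the valid targets are the implementations a legitimate dispatch can
// reach, i.e. the resolved override for staticClass and each of its subclasses.
std::set<std::string> typedTargets(const Hierarchy& h, const std::string& staticClass,
                                   const std::string& slot) {
    std::set<std::string> out;
    for (const auto& c : h) {
        std::string fn, cls = c.first;
        bool related = false;
        for (; !cls.empty(); cls = h.at(cls).parent) {  // walk up the inheritance chain
            if (cls == staticClass) related = true;
            auto f = h.at(cls).impls.find(slot);
            if (fn.empty() && f != h.at(cls).impls.end()) fn = f->second;  // nearest override
        }
        if (related && !fn.empty()) out.insert(fn);
    }
    return out;
}
bool typedAllows(const Hierarchy& h, const std::string& staticClass,
                 const std::string& slot, const std::string& target) {
    return typedTargets(h, staticClass, slot).count(target) > 0;
}

// Constructed sample: an abstract Shape hierarchy plus an unrelated Logger class.
Hierarchy sampleHierarchy() {
    Hierarchy h;
    h["Shape"]  = {"", {}};
    h["Square"] = {"Shape", {{"Shape::area", "Square::area"}}};
    h["Circle"] = {"Shape", {{"Shape::area", "Circle::area"}}};
    h["Logger"] = {"", {{"Logger::flush", "Logger::flush"}}};
    return h;
}
```

Under the coarse policy a `Shape::area` call site may reach `Logger::flush`, because it is a valid function entry; under the type-aware policy only `Square::area` and `Circle::area` are admitted there.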


This was last published in September 2017
