Monday, December 15, 2014

Using LBR (Last Branch Record) feature to detect ret2usr (return-to-user) attack w/ MMU paging structure corruption

SMEP (Supervisor Mode Execution Prevention) is a mitigation that aims to prevent the CPU from running code from user-mode while in kernel-mode, however this post (Windows 8 Kernel Memory Protections Bypass) presents a generic technique for exploiting kernel vulnerabilities with bypassing SMEP. Unlike my previous post (Page Table Structure Corruption Attacks - How to Mitigate it?) that presented a mitigation to that attack, this post will present a solution to detect such a ret2usr attack due to MMU paging structure corruption.

Thursday, December 11, 2014

New security feature - Control Flow Guard (CFG) - available in Visual Studio 2015 Preview

This blog announced that the Preview for Visual Studio 2015 includes a new, work-in-progress feature, called Control Flow Guard (CFG).