SlideShare ist ein Scribd-Unternehmen logo

Security research over Windows #defcon china

Als PPTX, PDF herunterladen
P
Peter Hlavaty

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Software
1 von 33
Security Research over Windows [ kernel ]
$whoami • @zer0mem ~ Peter Hlavaty • Senior Security Researcher at KeenLab, Tencent • MSRC100, Pwn2Own • Focus : kernel / hyperv / mitigations • sometimes talk somewhere .. • wushu player +- 
Sandbox • Restrict resources of target ( process ) • #syscalls • file system • registry • inter-process interaction • Different integrity levels • Untrusted • App Container • Low • Medium, ..
sandbox attack surface +- IPC ~ Broker vs worker Windows ~ kernel syscalls RPC ~ inter process communication 3rd elements ~ Windows Defender ( AV in general )
Windows kernel ~ attack surface w32k ntoskrnl tm, afd, ..
w32k attack surface hardening 4 years ago • Fonts • TTF emulation in kernel • Loading custom fonts • GDI • 6+ different kernel objects • *huge* source of UAF, overflows, … • EMF – *remote* • User • User mode callbacks machinery now • Fonts • TTF emulation in kernel user mode • Sandboxes low priv proc for custom • GDI -> restricted/no mode • 6+ different kernel objects • *huge* source of UAF, overflows, … • EMF – *remote* -> disabled by def • User -> restricted/no mode • User mode callbacks machinery
w32k security hardening • Restricted resources for exploitation • No resources if DisableW32kSystemCalls flag on  • Type isolation • Tactical mitigations, f.e. tagWnd • bugs-- • Refactored w32k ( win32k -> win32kfull + win32kbase ) • this also left/brings lot of bugs, but showing importance of cleaning up mess • Security researchers community support ( msrc100, insider bounties, .. ) • Internal fuzzing++ ?
w32k still alive • DirectX • w32k – user callbacks • Small parts of GDI + DComposition • New syscalls keep added in new builds • ~ no w32k in your target ? • w32k is somehow essential of GUI app • Bridge from your target to part of app which have access • Perhaps you can attack another part of app with w32k on ?
ntos attack surface • TM + CLFS • ‘hidden syscalls’ • CLFS : Lockdown for sandboxed processes! • Well finally, heavy parsing in kernel mode.. • Without CLFS backup it is very simple logic • However nice connections ~ Manager + Transaction + Enlistment + Resource • (A)LPC, Pipe, Sockets, Registry hives • Good amount of logic there • In SDL quite some time, crucial part of windows kernel! • Memory management, Sync, .. • + : lots of syscalls! • - : logic you can alter is way too simplistic
RPC – user processes • Any process has opened ALPC port • Everybody needs to have opened port at least to csrss.exe ! • Mostly ‘unknown’ area ~ previous research : • https://hakril.net/slides/A_view_into_ALPC_RPC_pacsec_2017.pdf • https://recon.cx/2008/a/thomas_garnier/LPC-ALPC-slides.pdf • NtAlpc* ~ undocumented • http://alex-ionescu.com/Publications/SyScan/syscan2014.pdf • COM using ALPC at the background • C++ inter-process interface
Native code exec But, OK .. you got a bug, what’s next ?
Mitigations on the rise • Past years Windows invest heavily into breaking attack surface and techniques ! • Guards : • (k)CFG • HVCI • VBS • ACG • CIG • Jit OoP • .. w32k + clfs lockdown + filter ntoskrnl filter via ACL Mitigation against native code exec Type Isolation Tactical mitigation
..G, ..G, ..G .. wut ? • Lots of guards in windows ;) • Must read : • https://cansecwest.com/slides/2017/CSW2017_Weston- Miller_Mitigating_Native_Remote_Code_Execution.pdf • https://github.com/Microsoft/MSRC-Security- Research/blob/master/presentations/2018_02_OffensiveCon/The%20Evolution%20 of%20CFI%20Attacks%20and%20Defenses.pdf • How those are enabled for sandboxing : • SetProcessMitigationPolicy • PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY of UpdateProcThreadAttribute
CFG • _guard_check_icall • More about CFG : • https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/ • This is nice article : • https://www.endgame.com/blog/technical-blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks • Covering also mini COOP ;) – check that out
RFG FS:: delta return return call [callee] mov r11, [rsp] .. mov fs::[rsp], r11 Data Stack Control Stack mov r11, fs::[rsp] cmp .. jnz .. ret
RFG ~ pulled down, but CET ( check CET! ) • 2 stacks : Control + Data • Control stack no pointer in user mode • It is OK to be write-able ~ therefore with write primitive you can write there • But problem : how to find it ? => no leaks == no way ? • At each function prolog store return address also to Control stack • At each function epilogue check if ControlStack[rsp]==DataStack[rsp] • Aka return address match • BRILIANT IDEA + DESIGN = no compatibility issues, can plug it right now! • Only 5 instruction per function! • Key Problems : • Race condition -> could be done in stable way • Secret based ~ what if is possible to reveal address of control stack without pointer leak ?
CIG + ACG + Jit OoP : In short • Code Integrity (CIG) ~ only signed images can be loaded • Ok but we can do RWX + shellcode  • Arbitrary code guard (ACG) -> no you can not .. • No RWX page same time! • X pages -> in fact you can not VirtualProtect to Exec* anymore • JIT : but I need it! • Nope … nope .. nope • Process can not have RWX pages nor from Data page make Code page • Therefore only different process can do it for you • Browser : Jit Process -> Worker process
Type Isolation • Important exploit primitives consists : • Structure with control and data parts • Control : pointers, sizes • Data : controlled data by user • Outcome : • Data or size overflow lead to full compromise of domain • Mitigation : • Separate Control & Data part of structure to two different places • Crucial : data should not reach control part ~ page guards / different pools
Header ( size .. ) Data Data Header ( size .. ) Header ( size .. ) Data Data Header ( size .. ) AFTERBEFORE Overflow Overlap https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations/2018_04_OPCDE
Tactical mitigation • prevalent methodology of misusing object for arbitrary read / write • Start with limited read/write • Boost it to full read/write to domain • Usually pivot-worker schema • Tactical mitigation == Break particular techniques, one by one! • How : Introduce safe – checks • Buffer ranges • Pool limitation • Outcome : need to chain *limited* read/write primitives • Crucial : • safe boundaries must not be reachable by our limited write • broken for tagWnd ~ check this nice references : https://github.com/MortenSchenk/tagWnd-Hardening-Bypass/blob/master/tagWnd/tagWnd/tagWnd.cpp https://improsec.com/blog/hardening-windows-10-with-zero-day-exploit-mitigations-under-the-microscope
Tactical mitigation or just nice check ? • Triaging one of our bug • We investigated possible exploitability • In one of the branch there was interesting check • Guess what is it
Therefore.. • Theory • No W^X memory anymore • No Arbitrary modules • No @rip hijack • No return address hijack • No Overflows ( buffer or size/counters ) exploitable • No/Limited Read/Write primitive • Practice • Not there yet, most of those bypass-able by design limitations • However showing interesting shift towards security, doesn’t it ? • especially memory corruptions
Sandbox++ When kernel is not a boundary
virtualization • HyperV technology • VM machine • Well Security designed! • Legacy striped • (relatively) small ( + heavily audited ) attack surface • Mitigations applied • WDAG applying HyperV technologies • Another layer of sandbox introduced for edge • And not only for edge! https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard- runtime-attestation/
vmwp overview • What ? • User mode process on host side responsible for running guest-partition • Minimum legacy • IO devices • No complex structures ( in IO ) • Minimal interaction ( no Drag&Drop, basic session by default, .. ) • Generation2 way to go, however Generation1 still default • Clean design • All mitigations • Sandboxed! • pwn vmwp complexity ~ remote pwn
Successful attack in the future (?) Get a bug in remote target ( browser, .. ) Get RCE or COOP-ish style control Escape sandbox Get bug in kernel Bypass proc restrictions or get RCE (coop-ish style is OK) Get a bug in virtualization Bypass mitigations in virtualization target pwn
Bug is just the start line But even though .. how to ?
How to approach • Understanding of attack surface • Windows landscape • Understanding of target • Reverse engineering & internals • Make use of technologies : • IntelPt (+ QemuPt) • windbg + TTD • Qemu + KVM • Hypervisors ( tooling + automatization ) • BochsPwn reloaded / DigTool alike approaches • Make use ( and proper understanding ) of “state of the art” tools • syzkaller • (k)AFL • .. then make your own patches / tools / plugins
Fuzzing vs Eye-balling • Fuzzing : • Easy to make dummy fuzzer • Easy to overengineer fuzzer and kill its randomness • Eyes : • You can easily miss trivial bugs • Hard to comprehend complex logic • Why not combine both ? • Make random-enough fuzzing • Inject ( to fuzzer ) knowledge from auditing-code • Use fuzzer to check some complex logic for you + automate it!
RCE • RCE is not all about browsers! • Microsoft Office • SMB • SMB v1 non default ~ big attack surface • non auth attack vector seems finally heavily audited ? • But was kAFL alike fuzzing approach applied ?  • Most modern apps connect over internet • Skype, Slack, games, .. ?
Other windows cool targets ~ kernel • Sockets • UoW ( ubuntu on windows ~ WSL ) • SMB (v1, v2, v3) • HyperV ( user, kernel, hypervisor ) • VhdParser • RDP • .. .sys ?
Conclusions • Attack surface reduction is most effective • Sandbox becoming solid boundary • However not applied everywhere • Native code execution mitigations on the raise • But bypass-able by nature ( architecture + legacy ) • Finding & exploiting bugs becoming more challenging • …but no that hard as it may be...
Thanks! Q & A

Empfohlen

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 

Empfohlen

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
Honorary_BoT
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Biblioteca Nacional de España
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
Packers
PackersPackers
Packers
Ange Albertini
 
Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and Profit
Abhisek Datta
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 

Was ist angesagt? (20)

When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
Packers
PackersPackers
Packers
 

Ähnlich wie Security research over Windows #defcon china

"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
Tech in Asia ID
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 

Ähnlich wie Security research over Windows #defcon china (20)

Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and Profit
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
"You Don't Know NODE.JS" by Hengki Mardongan Sihombing (Urbanhire)
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
321 codeincontainer brewbox
321 codeincontainer brewbox321 codeincontainer brewbox
321 codeincontainer brewbox
 
Advanced Internet of Things firmware engineering with Thingsquare and Contiki...
Advanced Internet of Things firmware engineering with Thingsquare and Contiki...Advanced Internet of Things firmware engineering with Thingsquare and Contiki...
Advanced Internet of Things firmware engineering with Thingsquare and Contiki...
 
DevOpsCon 2015 - DevOps in Mobile Games
DevOpsCon 2015 - DevOps in Mobile GamesDevOpsCon 2015 - DevOps in Mobile Games
DevOpsCon 2015 - DevOps in Mobile Games
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
John adams talk cloudy
John adams talk cloudyJohn adams talk cloudy
John adams talk cloudy
 

Kürzlich hochgeladen

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 

Kürzlich hochgeladen (20)

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 

Security research over Windows #defcon china

  • 2. $whoami • @zer0mem ~ Peter Hlavaty • Senior Security Researcher at KeenLab, Tencent • MSRC100, Pwn2Own • Focus : kernel / hyperv / mitigations • sometimes talk somewhere .. • wushu player +- 
  • 3. Sandbox • Restrict resources of target ( process ) • #syscalls • file system • registry • inter-process interaction • Different integrity levels • Untrusted • App Container • Low • Medium, ..
  • 4. sandbox attack surface +- IPC ~ Broker vs worker Windows ~ kernel syscalls RPC ~ inter process communication 3rd elements ~ Windows Defender ( AV in general )
  • 5. Windows kernel ~ attack surface w32k ntoskrnl tm, afd, ..
  • 6. w32k attack surface hardening 4 years ago • Fonts • TTF emulation in kernel • Loading custom fonts • GDI • 6+ different kernel objects • *huge* source of UAF, overflows, … • EMF – *remote* • User • User mode callbacks machinery now • Fonts • TTF emulation in kernel user mode • Sandboxes low priv proc for custom • GDI -> restricted/no mode • 6+ different kernel objects • *huge* source of UAF, overflows, … • EMF – *remote* -> disabled by def • User -> restricted/no mode • User mode callbacks machinery
  • 7. w32k security hardening • Restricted resources for exploitation • No resources if DisableW32kSystemCalls flag on  • Type isolation • Tactical mitigations, f.e. tagWnd • bugs-- • Refactored w32k ( win32k -> win32kfull + win32kbase ) • this also left/brings lot of bugs, but showing importance of cleaning up mess • Security researchers community support ( msrc100, insider bounties, .. ) • Internal fuzzing++ ?
  • 8. w32k still alive • DirectX • w32k – user callbacks • Small parts of GDI + DComposition • New syscalls keep added in new builds • ~ no w32k in your target ? • w32k is somehow essential of GUI app • Bridge from your target to part of app which have access • Perhaps you can attack another part of app with w32k on ?
  • 9. ntos attack surface • TM + CLFS • ‘hidden syscalls’ • CLFS : Lockdown for sandboxed processes! • Well finally, heavy parsing in kernel mode.. • Without CLFS backup it is very simple logic • However nice connections ~ Manager + Transaction + Enlistment + Resource • (A)LPC, Pipe, Sockets, Registry hives • Good amount of logic there • In SDL quite some time, crucial part of windows kernel! • Memory management, Sync, .. • + : lots of syscalls! • - : logic you can alter is way too simplistic
  • 10. RPC – user processes • Any process has opened ALPC port • Everybody needs to have opened port at least to csrss.exe ! • Mostly ‘unknown’ area ~ previous research : • https://hakril.net/slides/A_view_into_ALPC_RPC_pacsec_2017.pdf • https://recon.cx/2008/a/thomas_garnier/LPC-ALPC-slides.pdf • NtAlpc* ~ undocumented • http://alex-ionescu.com/Publications/SyScan/syscan2014.pdf • COM using ALPC at the background • C++ inter-process interface
  • 11. Native code exec But, OK .. you got a bug, what’s next ?
  • 12. Mitigations on the rise • Past years Windows invest heavily into breaking attack surface and techniques ! • Guards : • (k)CFG • HVCI • VBS • ACG • CIG • Jit OoP • .. w32k + clfs lockdown + filter ntoskrnl filter via ACL Mitigation against native code exec Type Isolation Tactical mitigation
  • 13. ..G, ..G, ..G .. wut ? • Lots of guards in windows ;) • Must read : • https://cansecwest.com/slides/2017/CSW2017_Weston- Miller_Mitigating_Native_Remote_Code_Execution.pdf • https://github.com/Microsoft/MSRC-Security- Research/blob/master/presentations/2018_02_OffensiveCon/The%20Evolution%20 of%20CFI%20Attacks%20and%20Defenses.pdf • How those are enabled for sandboxing : • SetProcessMitigationPolicy • PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY of UpdateProcThreadAttribute
  • 14. CFG • _guard_check_icall • More about CFG : • https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/ • This is nice article : • https://www.endgame.com/blog/technical-blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks • Covering also mini COOP ;) – check that out
  • 15. RFG FS:: delta return return call [callee] mov r11, [rsp] .. mov fs::[rsp], r11 Data Stack Control Stack mov r11, fs::[rsp] cmp .. jnz .. ret
  • 16. RFG ~ pulled down, but CET ( check CET! ) • 2 stacks : Control + Data • Control stack no pointer in user mode • It is OK to be write-able ~ therefore with write primitive you can write there • But problem : how to find it ? => no leaks == no way ? • At each function prolog store return address also to Control stack • At each function epilogue check if ControlStack[rsp]==DataStack[rsp] • Aka return address match • BRILIANT IDEA + DESIGN = no compatibility issues, can plug it right now! • Only 5 instruction per function! • Key Problems : • Race condition -> could be done in stable way • Secret based ~ what if is possible to reveal address of control stack without pointer leak ?
  • 17. CIG + ACG + Jit OoP : In short • Code Integrity (CIG) ~ only signed images can be loaded • Ok but we can do RWX + shellcode  • Arbitrary code guard (ACG) -> no you can not .. • No RWX page same time! • X pages -> in fact you can not VirtualProtect to Exec* anymore • JIT : but I need it! • Nope … nope .. nope • Process can not have RWX pages nor from Data page make Code page • Therefore only different process can do it for you • Browser : Jit Process -> Worker process
  • 18. Type Isolation • Important exploit primitives consists : • Structure with control and data parts • Control : pointers, sizes • Data : controlled data by user • Outcome : • Data or size overflow lead to full compromise of domain • Mitigation : • Separate Control & Data part of structure to two different places • Crucial : data should not reach control part ~ page guards / different pools
  • 19. Header ( size .. ) Data Data Header ( size .. ) Header ( size .. ) Data Data Header ( size .. ) AFTERBEFORE Overflow Overlap https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations/2018_04_OPCDE
  • 20. Tactical mitigation • prevalent methodology of misusing object for arbitrary read / write • Start with limited read/write • Boost it to full read/write to domain • Usually pivot-worker schema • Tactical mitigation == Break particular techniques, one by one! • How : Introduce safe – checks • Buffer ranges • Pool limitation • Outcome : need to chain *limited* read/write primitives • Crucial : • safe boundaries must not be reachable by our limited write • broken for tagWnd ~ check this nice references : https://github.com/MortenSchenk/tagWnd-Hardening-Bypass/blob/master/tagWnd/tagWnd/tagWnd.cpp https://improsec.com/blog/hardening-windows-10-with-zero-day-exploit-mitigations-under-the-microscope
  • 21. Tactical mitigation or just nice check ? • Triaging one of our bug • We investigated possible exploitability • In one of the branch there was interesting check • Guess what is it
  • 22. Therefore.. • Theory • No W^X memory anymore • No Arbitrary modules • No @rip hijack • No return address hijack • No Overflows ( buffer or size/counters ) exploitable • No/Limited Read/Write primitive • Practice • Not there yet, most of those bypass-able by design limitations • However showing interesting shift towards security, doesn’t it ? • especially memory corruptions
  • 23. Sandbox++ When kernel is not a boundary
  • 24. virtualization • HyperV technology • VM machine • Well Security designed! • Legacy striped • (relatively) small ( + heavily audited ) attack surface • Mitigations applied • WDAG applying HyperV technologies • Another layer of sandbox introduced for edge • And not only for edge! https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard- runtime-attestation/
  • 25. vmwp overview • What ? • User mode process on host side responsible for running guest-partition • Minimum legacy • IO devices • No complex structures ( in IO ) • Minimal interaction ( no Drag&Drop, basic session by default, .. ) • Generation2 way to go, however Generation1 still default • Clean design • All mitigations • Sandboxed! • pwn vmwp complexity ~ remote pwn
  • 26. Successful attack in the future (?) Get a bug in remote target ( browser, .. ) Get RCE or COOP-ish style control Escape sandbox Get bug in kernel Bypass proc restrictions or get RCE (coop-ish style is OK) Get a bug in virtualization Bypass mitigations in virtualization target pwn
  • 27. Bug is just the start line But even though .. how to ?
  • 28. How to approach • Understanding of attack surface • Windows landscape • Understanding of target • Reverse engineering & internals • Make use of technologies : • IntelPt (+ QemuPt) • windbg + TTD • Qemu + KVM • Hypervisors ( tooling + automatization ) • BochsPwn reloaded / DigTool alike approaches • Make use ( and proper understanding ) of “state of the art” tools • syzkaller • (k)AFL • .. then make your own patches / tools / plugins
  • 29. Fuzzing vs Eye-balling • Fuzzing : • Easy to make dummy fuzzer • Easy to overengineer fuzzer and kill its randomness • Eyes : • You can easily miss trivial bugs • Hard to comprehend complex logic • Why not combine both ? • Make random-enough fuzzing • Inject ( to fuzzer ) knowledge from auditing-code • Use fuzzer to check some complex logic for you + automate it!
  • 30. RCE • RCE is not all about browsers! • Microsoft Office • SMB • SMB v1 non default ~ big attack surface • non auth attack vector seems finally heavily audited ? • But was kAFL alike fuzzing approach applied ?  • Most modern apps connect over internet • Skype, Slack, games, .. ?
  • 31. Other windows cool targets ~ kernel • Sockets • UoW ( ubuntu on windows ~ WSL ) • SMB (v1, v2, v3) • HyperV ( user, kernel, hypervisor ) • VhdParser • RDP • .. .sys ?
  • 32. Conclusions • Attack surface reduction is most effective • Sandbox becoming solid boundary • However not applied everywhere • Native code execution mitigations on the raise • But bypass-able by nature ( architecture + legacy ) • Finding & exploiting bugs becoming more challenging • …but no that hard as it may be...