Wednesday 4 October 16:30 - 17:00, Red room
Tao Yan & Edouard Bochin (Palo Alto Networks)
Return-oriented programming (ROP) has traditionally been used to bypass DEP/NX mitigation in exploits. However, in recent years, the Chromium WebAssembly (WASM) engine creates a RWX region in memory when initiating a WebAssembly instance, leading to a new exploitation technique that abuses the existing X (RWX) memory to bypass DEP/NX. This technique has become the most pervasive DEP/NX bypass exploitation technique in Chromium-based browser exploits, but the defensive side of this technique has not received much attention until now.
In this context, we introduce a new exploitation guard called WASMGuard, which is designed to detect Chromium browser exploits abusing the X (RWX) memory in WebAssembly. WASMGuard focuses on the WebAssembly RWX memory and incorporates three unique detection mechanisms on it: detecting illegal memory content changes, checking the WebAssembly compiled code and object structure integrity, and detecting shellcode in the RWX memory. The combination of these three detection mechanisms enables WASMGuard to provide comprehensive coverage and detection capabilities in different working scenarios.
In this presentation, we cover all our practices and solutions for overcoming the challenges of exploring the WebAssembly engine internals at the binary level and implementing the proof-of-concept of WASMGuard. We delve into the details of various techniques, including finding and hooking the WebAssembly export function even if it is inlined by the Turbofan optimization, optimizing performance as an inline detection module, addressing false positives caused by legitimate content changes in the WebAssembly RWX memory, and designing robust detection logic that is difficult to evade. Additionally, we showcase how WASMGuard effectively detects all known and potential future zero-day Chromium browser exploits that abuse the X (RWX) memory in WebAssembly through practical demonstrations.
Tao Yan is a security researcher at Palo Alto Networks. He focuses on new attack surface discovery, new research method exploration (including, but not limited to vulnerability discovery and exploitation methods) and system internals research from both offensive and defensive perspectives. His interests include bug findings with fuzzing and static code review, exploits, mitigations bypass, sandbox escape and privilege escalation on various applications and modules including browsers, Flash, RDP, COM/RPC, etc. In the meantime, he has also been involved with exploits, APTs, malware detection and defence. He has been listed as #7 researcher in 2016 and #4 researcher in 2017 for MSRC Top 100 Researchers. He is also the winner of the local escalation of privilege category in Pwn2own 2021. In addition, he is a regular security patent inventor and speaker at security conferences including CanSecWest, POC, HITCON, Recon, BlueHat and Black Hat.
Edouard is a security researcher at Palo Alto Networks, working in the field of vulnerability research. His daily responsibilities are centred around the analysis of vulnerabilities and exploits, complemented by the development of innovative detection methodologies and systems. His main interests are in reverse engineering, malware analysis, vulnerability research, exploitability research and machine learning.