This is the best kind of vulnerability story: Researcher finds bug, researcher figures out a way to block future attacks exploiting similar bugs.
This week, Adobe patched 17 vulnerabilities, including multiple use-after-free bugs, in its Flash Player as part of a scheduled update. Endgame Security researchers reported one of those bugs, CVE-2015-7663, to Adobe, and they're now working on a mitigation method to eliminate attacks exploiting similar bugs in Windows, Linux, and Mac OS X. The method is currently in proof-of-concept stage.
Endgame researchers exploited the bug, which lets an attacker read and write virtual memory, using a Vector length corruption technique, Endgame's senior director of vulnerability research and prevention Cody Pierce wrote on the company blog. The technique is resistant to corruption and application crash, and Endgame researchers have seen an increase in Flash exploits over the past year using it.
So long as Flash remains ubiquitous, attackers will look for bugs that give them remote code execution capabilities. Starting with Flash Player 18.104.22.168, Adobe has used heap isolation to improve the memory layout to deter some of these attacks. Flash Player now allocates Vector objects in the default runtime heap instead of in the heap associated with previously used ActionScript. This way, attackers are unable to coerce the allocator into creating adjacent blocks of memory for an attacker to use when corrupting the "length" property.
In the past, attackers were able to corrupt memory to gain read and write access to virtual memory, making it simple to bypass ASLR and execute code, Endgame said in the blog post. Heap isolation blocks such exploits because it doesn't allocate memory linearly in a predictable order of specific sizes or let attackers trigger a vulnerability that falls into predictable locations in order to corrupt adjacent locations.
Adobe uses sandboxing and heap isolation to block potential attacks, but they "are not keeping pace with the attackers' ability to exploit vulnerabilities," Pierce said. "Unfortunately, we know from experience that preventing a specific technique, such as Vector length corruption, will not stop attackers." New techniques looking at other Vector-like objects in Flash Player have already started popping up.
After reporting the original use-after-free bug to Adobe, Endgame's Vulnerability Research and Prevention team focused on generic enforcement of heap isolation. Typically, an attacker exploiting use-after-free must reallocate a different object into the freed memory location. By controlling the function pointers in that object, the attacker gains code execution. "Forcing heap isolation ensures the attacker can only reallocate the original object, effectively preventing exploitation," Pierce wrote.
Endgame is also looking at ways to enforce control flow integrity (CFI) policies on an application. While heap isolation can prevent successful exploitation, CFI detects active attempts since it looks for any points where the application's execution path changes. Attackers typically have to hijack control of the process in order to execute code; this is the point CFI is looking for.
This technique currently works on both Linux and 64-bit Windows systems and was able to detect multiple vulnerabilities, according to the blog post.
Attackers target Flash because it provides a large number of victims on Windows, Linux, OS X, and Android systems through Chrome, Firefox, Internet Explorer, Adobe Reader, Microsoft Office, and other widely used applications. Making it hard to target Flash with new mitigations would increase the cost for attackers.
Security needs to be built into software, and developers need to adopt secure development practices. But attack mitigation tools can be effective because they make it harder for attackers to break the software.
Microsoft, for example, relies on Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) mitigation tools in Windows and other third-party applications to block attacks. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data, while ASLR protects against buffer overflow attacks by placing a software process's address space in random areas of memory.
Microsoft's Blue Hat Prize in 2012 focused on memory safety vulnerability mitigation techniques, and Brad Arkin, chief security officer of Adobe, has urged security researchers in the past to help Adobe develop new attack mitigation methods.
"This work is exciting, as it has already shown its effectiveness at comprehensively detecting unknown exploits regardless of the specific technique used by observing abnormal program execution indicative of exploitation," Pierce wrote.