Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Size: px

Start display at page:

Download "Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security"

Stephen Wiggins
6 years ago
Views:

1 CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29

2 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (urn address) Stack (buffer), heap, format string vulnerability Second -- attacker uses control of program flow to launch attacks Code injection Defense: NX, W (xor) X urn-to-libc Defense: remove unwanted functions (e.g., system) How to overcome these limitations??? Return-oriented programming 30

3 Return-Oriented Programming Arbitrary exploitation without code injection or whole-function reuse (urn-to-libc) 31

4 Return-Oriented Programming 32

5 ROP Thesis 33

6 Return-to-libc 34

7 ROP vs urn-to-libc 35

8 ROP Attacks 36

9 Machine Instructions 37

10 ROP Execution 38

11 Building ROP Functionality 39

12 Building ROP Functionality 40

13 Building ROP Functionality 41

14 Creating Programs 42

15 Finding Gadgets 43

16 ROP Conclusions 44

17 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf

18 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf

19 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf

20 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x $=

21 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x $=

22 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x Memory 0x $=

23 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x Memory 0x $=

24 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf... Registers Memory %eax$= 5 0x $= 5 %ebx$= 0x

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,.

25 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 47

26 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, urns,... Challenges Building accurate model Efficient enforcement 48

27 Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 49

28 Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 50 B 1 B

29 More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 51

30 Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can urn to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B call+1 succ(b ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 52

31 No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 53

32 More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 54

33 ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 55

34 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Windows Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities 56

35 Conclusion Defense against control-flow and data attacks is an ongoing arms race Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers However, they have implementation limitations Active area of research 57

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow