Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

Transcription

1 Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University 1

2 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible for all checks Large set of legacy and new applications written in C / C++ prone to memory bugs Too many bugs to find and fix manually Protect integrity through safe runtime system 2

3 3

4 Memory (un-)safety: invalid deref. Dangling pointer: (temporal) free(foo); *foo = 23; Out-of-bounds pointer: (spatial) char foo[40]; foo[42] = 23; Violation iff: pointer is read, written, or freed 4

5 Type Confusion vtable*? class B { Bptr b int b; }; c? class D: B { int c; vtable* virtual void d() {} B b }; c B *Bptr = new B; D *Dptr = static_cast<d*>b; Dptr->c = 0x43; // Type confusion! Dptr->d(); // Type confusion! Dptr D 5

6 Deployed Defenses 6

7 Status of deployed defenses Data Execution Prevention (DEP) Memory Address Space Layout Randomization (ASLR) Stack canaries Safe exception handlers 0x400 0x4?? RWX R-X text 0x800 0x8?? RWX RWdata 0xfff 0xf?? RWX RWstack 7

8 Control-Flow Hijack Attack 8

9 Control-flow hijack attack ' Attacker modifies code pointer Information leak: target address Memory safety violation: write Control-flow leaves valid graph Reuse existing code Inject/modify code 9

10 Control-Flow Hijack Attack int vuln(int usr, int usr2){ void *(func_ptr)(); 1 int *q = buf + usr; func_ptr = &foo; 2 *q = usr2; 3 (*func_ptr)(); } Memory 1 q buf func_ptr 2 gadget code

11 Attack scenario: code reuse Find addresses of gadgets Force memory corruption to set up attack Leverage gadgets for code-reuse attack (Fall back to code injection) Code Heap Stack 11

12 Attack: buffer overflow to ROP void vuln(char *u1) { // assert(strlen(u1) < MAX) char tmp[max]; strcpy(tmp, u1); } vuln(&exploit); Memory safety Violation Integrity *C Randomization &C Flow Integrity *&C tmp[max] don't care saved don't base care pointer points return to address &system() ebp 1stafter argument: system*u1 call 1st argument next stacktoframe system() Attack Control-flow hijack

13 Model for memory attacks Memory safety Integrity Randomization Flow Integrity Bad things Memory corruption C *C &C D *D &D *&C *&D Code Control-flow Data-only corruption hijack

14 Control-Flow Integrity 14

15 Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); Attacker return 7may corrupt memory, code ptrs. verified when used 15

16 Three directions for CFI Goal: minimize target sets, increase precision 16

17 Source-based CFI Kernel protection crucial for system integrity Enforce strict pointer propagation rules Function pointers can only be assigned Data pointers to function pointers are forbidden Enforce types to protect C++ virtual calls * Fine-Grained Control-Flow Integrity for Kernel Software. Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. In EuroS&P'16 * VTrust: Regaining Trust on Your Virtual Calls. Chao Zhang, Scott A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, and Dawn Song. In NDSS'16 17

18 Lockdown*: enforce CFI for binaries Fine-grained CFI relies on source code Coarse-grained CFI is imprecise Goal: enforce fine-grained CFI for binaries Support legacy, binary code and modularity (libraries) Leverage precise, dynamic analysis Enforce stack integrity through shadow stack Low performance overhead * Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, and Thomas R. Gross. In DIMVA'15 18

19 Dynamic CFI analysis Leverage program's modularity through loader /bin/<exec> /lib/libc.so.6 /lib/lib* exported exported exported imported puts scanf funca.text call puts lea fptr, %eax call *%eax imported _dl* puts scanf mprotect.text funca funcb imported ifunc*.text puts: mprotect: funca: funcb: symbol table of ELF DSO allowed Control Flow transfer.text section of DSO illegal Control Flow transfer 19

20 Dynamic CFI analysis Leverage program's modularity through loader /bin/<exec> /lib/libc.so.6 /lib/lib* exported exported exported Modularity increases precision. No source needed. Leverage context of transfers. imported puts scanf funca.text call puts lea fptr, %eax call *%eax imported _dl* puts scanf mprotect.text funca funcb imported ifunc*.text puts: mprotect: funca: funcb: symbol table of ELF DSO allowed Control Flow transfer.text section of DSO illegal Control Flow transfer 20

21 Necessity of shadow stack* Defenses without stack integrity are broken Loop through two calls to the same function Choose any caller as return location Shadow stack enforces stack integrity Attacker restricted to arbitrary targets on the stack Each target can only be called once, in sequence * Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. In Usenix SEC'15 21

22 printf()-oriented programming* Translate program to format string Memory reads: %s Memory writes: %n Conditional: %.*d Program counter becomes format string counter Loops? Overwrite the format specific counter Turing-complete domain-specific language * Direct fame to Nicholas Carlini, blame to me 22

23 Ever heard of brainfuck*? > == dataptr++ %1$65535d%1$.*1$d%2$hn < == dataptr-- %1$.*1$d %2$hn + == *dataptr++ %3$.*3$d %4$hhn - == *datapr-- %3$255d%3$.*3$d%4$hhn. == putchar(*dataptr) %3$.*3$d%5$hn, == getchar(dataptr) %13$.*13$d%4$hn [ == if (*dataptr == 0) goto ']' %1$.*1$d%10$.*10$d%2$hn ] == if (*dataptr!= 0) goto '[' %1$.*1$d%10$.*10$d%2$hn * 23

24 Exploitable program void loop() { char* last = output; int* rpc = &progn[pc]; while (*rpc!= 0) { // fetch -- decode next instruction sprintf(buf, "%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%2$hn", *rpc, (short*)(&real_syms)); // execute -- execute instruction sprintf(buf, *real_syms, ((long long int)array)&0xffff, &array, // 1, 2 *array, array, output, // 3, 4, 5 ((long long int)output)&0xffff, &output, // 6, 7 &cond, &bf_cgoto_fmt3[0], // 8, 9 rpc[1], &rpc, 0, *input, // 10, 11, 12, 13 ((long long int)input)&0xffff, &input // 14, 15 ); // retire -- update PC sprintf(buf, " %.*d%hn", (int)(((long long int)rpc)&0xffff), 0, (short*)&rpc); // for debug: do we need to print? if (output!= last) { putchar(output[-1]); last = output; } } } 24

25 Presenting: printbf* Turing complete interpreter Relies on format strings Allows you to execute stuff * Direct fame to Nicholas Carlini, blame to me 25

26 Purdue's Capture the Flag (CTF) team Compete in international hacking competitions Gain practical security experience Competitive, fun, challenging tasks Open, inclusive environment Founded 2014, ~15 active, ~100 interested 3rd US academic team, top 50 overall 26

27 Conclusion 27

28 Conclusion ROP/JOP is key to modern exploits Leak addresses, connect gadgets, inject code Control-flow hijack protection Shadow stack, precise CFI, and locality High precision is key for effectiveness Low overhead, open-source Future work Protect context of control-flow Protect data and data-flow, not just control 28

29 Thank you! Questions? Mathias Payer, Purdue University 29