Low-level Software Security: Attacks and Countermeasures

Size: px

Start display at page:

Download "Low-level Software Security: Attacks and Countermeasures"

Paulina Bridges
5 years ago
Views:

1 Lw-level Sftware Security: Attacks and Cuntermeasures Prf Frank PIESSENS These slides are based n the paper: Lw-level Sftware Security by Example by Erlingssn, Yunan and Piessens

2 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses that prevent / detect explitatin Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 2

3 Intrductin An implementatin-level sftware vulnerability is a bug in a prgram that can be explited by an attacker t cause harm Example vulnerabilities: SQL injectin vulnerabilities (discussed in ther part f the curse) XSS vulnerabilities (discussed in ther part f the curse) Buffer verflws and ther memry crruptin vulnerabilities An attack is a scenari where an attacker triggers the bug t cause harm A cuntermeasure is a technique t cunter attacks These lectures will discuss memry crruptin vulnerabilities, cmmn attack techniques, and cmmn cuntermeasures fr them 3

4 Memry crruptin vulnerabilities Memry crruptin vulnerabilities are a class f vulnerabilities relevant fr unsafe languages ie Languages that d nt check whether prgrams access memry in a crrect way Hence buggy prgrams may mess up parts f memry used by the language run-time In these lectures we will fcus n memry crruptin vulnerabilities in C prgrams These can have devastating cnsequences 4

5 Example vulnerable C prgram #include <stdih> int main() { int ckie = 0; char buf[80]; printf("buf: %08x ckie: %08x\n", &buf, &ckie); gets(buf); if (ckie == 0x ) printf("yu win!\n"); } 5

6 Example vulnerable C prgram #include <stdih> int main() { int ckie; char buf[80]; printf("buf: %08x ckie: %08x\n", &buf, &ckie); gets(buf); } 6

7 Backgrund: Memry management in C Memry can be allcated in many ways in C Autmatic (lcal variables in functins) Static (glbal variables) Dynamic (mallc and new) Prgrammer is respnsible fr: Apprpriate use f allcated memry Eg bunds checks, type checks, Crrect de-allcatin f memry 7

8 Prcess memry layut High addresses Lw addresses Arguments/ Envirnment Stack Unused and Mapped Memry Heap (dynamic data) Static Data Prgram Cde Stack grws dwn Heap grws up 8

9 Memry management in C Memry management is very errr-prne Sme typical bugs: Writing past the bund f an array Dangling pinters Duble freeing Memry leaks Fr efficiency, practical C implementatins dn t detect such bugs at run time The language definitin states that behavir f a buggy prgram is undefined 9

10 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 10

11 Stack based buffer verflw The stack is a memry area used at run time t track functin calls and s Per call, an activatin recrd r stack frame is pushed n the stack, cntaining: Actual parameters, address, autmatically allcated lcal variables, As a cnsequence, if a lcal buffer variable can be verflwed, there are interesting memry lcatins t verwrite nearby The simplest attack is t verwrite the address s that it pints t attacker-chsen cde (shellcde) 11

12 Stack based buffer verflw Stack Return address f0 IP f0: call f1 FP SP Saved Frame Ptr f0 Lcal variables f0 f1: buffer[] verflw() 12

13 Stack based buffer verflw Stack Return address f0 f0: call f1 Saved Frame Ptr f0 Lcal variables f0 Arguments f1 IP f1: buffer[] verflw() FP Return address f1 Saved Frame Ptr f1 Space fr buffer SP 13

14 Stack based buffer verflw Stack Return address f0 f0: call f1 Saved Frame Ptr f0 Lcal variables f0 Arguments f1 IP f1: buffer[] verflw() FP Overwritten address Injected Cde SP 14

15 Very simple shell cde In examples further n, we will use: Real shell-cde is nly slightly lnger: LINUX n Intel: char shellcde[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 15

16 Side-nte: endianness Intel prcessrs are little-endian

17 Stack based buffer verflw Example vulnerable prgram: 17

18 Stack based buffer verflw Or alternatively: 18

19 Stack based buffer verflw Snapsht f the stack befre the : 19

20 Stack based buffer verflw Snapsht f the stack befre the : 20

21 Stack based buffer verflw Snapsht f the stack befre the : 0x0012ff4c 0x xfeeb2ecd 0x x66 \x4c\xff\x12\x00 f f f f \xcd\x2e\xeb\xfe f f f f f 21

22 Stack based buffer verflw Lts f details t get right befre it wrks: N nulls in (character-)strings Filling in the crrect address: Fake address must be precisely psitined Attacker might nt knw the address f his wn string Other verwritten data must nt be used befre frm functin Mre infrmatin in Smashing the stack fr fun and prfit by Aleph One 22

23 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 23

24 Heap based buffer verflw If a prgram cntains a buffer verflw vulnerability fr a buffer allcated n the heap, there is n address nearby S attacking a heap based vulnerability requires the attacker t verwrite ther cde pinters We lk at tw examples: Overwriting a functin pinter Overwriting heap metadata 24

25 Overwriting a functin pinter Example vulnerable prgram: 25

26 Overwriting a functin pinter And what happens n verflw: 26

27 Overwriting heap metadata The heap is a memry area where dynamically allcated data is stred Typically managed by a memry allcatin library that ffers functinality t allcate and free chunks f memry (in C: mallc() and free() calls) Mst memry allcatin libraries stre management infrmatin in-band As a cnsequence, buffer verruns n the heap can verwrite this management infrmatin This enables an indirect pinter verwrite -like attack allwing attackers t verwrite arbitrary memry lcatins 27

28 Heap management in dlmallc Tp Heap grws with brk() c Backward pinter Frward pinter Other mgmt inf Free chunk User data Dlmallc maintains a dubly linked list f free chunks When chunk c gets unlinked, c s backward pinter is written t *(frward pinter+12) Or: green value is written 12 bytes abve where red value pints Other mgmt inf Chunk in use 28

29 Expliting a buffer verrun Tp Heap grws with brk() c d RA Stack Green value is written 12 bytes abve where red value pints A buffer verrun in d can verwrite the red and green values Make Green pint t injected cde Make Red pint 12 bytes belw a functin address Heap 29

30 Expliting a buffer verrun Tp Heap grws with brk() RA Green value is written 12 bytes abve where red value pints Net result is that the address pints t the injected cde c Stack Heap 30

31 Indirect pinter verwrite This technique f verwriting a pinter that is later dereferenced fr writing is called indirect pinter verwrite This is a bradly useful attack technique, as it allws t selectively change memry cntents A prgram is vulnerable if: It cntains a bug that allws verwriting a pinter value This pinter value is later dereferenced fr writing And the value written is under cntrl f the attacker 31

32 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 32

33 Return-int-libc Direct cde injectin, where an attacker injects cde as data is nt always feasible Eg When certain cuntermeasures are active Indirect cde injectin attacks will drive the executin f the prgram by manipulating the stack This makes it pssible t execute fractins f cde present in memry Usually, interesting cde is available, eg libc 33

34 Return-int-libc: verview Stack Params fr f1 Return addr Params fr f2 Return addr Params fr f3 Cde Memry f1 f2 f3 SP Return addr Return addr IP 34

35 Return-int-libc: verview Stack Params fr f1 Return addr Params fr f2 Return addr Params fr f3 IP Cde Memry f1 f2 f3 SP Return addr 35

36 Return-int-libc: verview Stack Params fr f1 Return addr Params fr f2 Return addr Params fr f3 IP Cde Memry f1 f2 f3 SP Return addr 36

37 Return-int-libc: verview Stack Params fr f1 Return addr Params fr f2 Return addr Params fr f3 Cde Memry f1 f2 f3 SP Return addr IP 37

38 Return-int-libc: verview Stack Cde Memry SP Params fr f1 Return addr Params fr f2 Return addr IP f1 f2 f3 38

39 Return-int-libc: verview Stack Cde Memry SP Params fr f1 Return addr Params fr f2 Return addr IP f1 f2 f3 39

40 Return-int-libc: verview Stack Cde Memry SP Params fr f1 Return addr IP f1 f2 f3 40

41 Return-t-libc What d we need t make this wrk? Inject the fake stack Easy: this is just data we can put in a buffer Make the stack pinter pint t the fake stack right befre a instructin is executed We will shw an example where this is dne by jumping t a trampline Then we make the stack execute existing functins t d a direct cde injectin But we culd d ther useful stuff withut direct cde injectin 41

42 Vulnerable prgram 42

43 The trampline Assembly cde f qsrt: Trampline cde 43

44 Launching the attack 44

45 Unwinding the fake stack Cde Memry VirtualAllc InterlckedEcxh ange SP 45

46 Unwinding the fake stack Cde Memry IP VirtualAllc InterlckedEcxh ange SP 46

47 Unwinding the fake stack Cde Memry IP VirtualAllc InterlckedEcxh ange SP 47

48 Unwinding the fake stack Cde Memry SP IP VirtualAllc InterlckedEcxh ange 48

49 Unwinding the fake stack Cde Memry VirtualAllc SP InterlckedEcxh ange IP 49

50 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 50

51 Data-nly attacks These attacks prceed by changing nly data f the prgram under attack Depending n the prgram under attack, this can result in interesting explits We discuss tw examples: The unix passwrd attack Overwriting the envirnment table 51

52 Unix passwrd attack Old implementatins f lgin prgram lked like this: Stack Hashed passwrd passwrd Passwrd check in lgin prgram: 1 Read lginname 2 Lkup hashed passwrd 3 Read passwrd 4 Check if hashed passwrd = hash (passwrd) 52

53 Unix passwrd attack Stack Hashed passwrd passwrd Passwrd check in lgin prgram: 1 Read lginname 2 Lkup hashed passwrd 3 Read passwrd 4 Check if hashed passwrd = hash (passwrd) ATTACK: type in a passwrd f the frm pw hash(pw) 53

54 Overwriting the envirnment table 54

55 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 55

56 Stack canaries Basic idea Insert a value right in a stack frame right befre the stred base pinter/ address Verify n frm a functin that this value was nt mdified The inserted value is called a canary, after the cal mine canaries 56

57 Stack canaries Stack Return address f0 IP f0: call f1 FP SP Saved Frame Ptr f0 Canary f1: buffer[] verflw() 57

58 Stack based buffer verflw Stack Return address f0 f0: call f1 Saved Frame Ptr f0 Canary Arguments f1 IP f1: buffer[] verflw() FP Return address f1 Saved Frame Ptr f1 Canary SP 58

59 Stack based buffer verflw Stack Return address f0 f0: call f1 Saved Frame Ptr f0 Canary Arguments f1 IP f1: buffer[] verflw() FP Overwritten address Canary SP 59

60 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 60

61 Nn-executable data Direct cde injectin attacks at sme pint execute data Mst prgrams never need t d this Hence, a simple cuntermeasure is t mark data memry (stack, heap, ) as nn-executable This cunters direct cde injectin, but nt -int-libc r data-nly attacks In additin, this cuntermeasure may break certain legacy applicatins 61

62 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 62

63 Cntrl-flw integrity Mst attacks we discussed break the cntrl flw as it is encded in the surce prgram Eg At the surce cde level, ne always expects a functin t t its call site The idea f cntrl-flw integrity is t instrument the cde t check the sanity f the cntrl-flw at runtime 63

64 Example CFI at the surce level The fllwing cde explicitly checks whether the cmp functin pinter pints t ne f tw knwn functins: 64

65 Example CFI with labels 65

66 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 66

67 Layut Randmizatin Mst attacks rely n precise knwledge f run time memry addresses Intrducing artificial variatin in these addresses significantly raises the bar fr attackers Such adress space layut randmizatin (ASLR) is a cheap and effective cuntermeasure 67

68 Example 68

69 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 69

70 Overview 70

71 Need fr ther defenses The autmatic defenses discussed in this lecture are nly ne element f securing C sftware Instead f preventing / detecting explitatin f the vulnerabilities at run time, ne can: Prevent the intrductin f vulnerabilities in the cde Detect and eliminate the vulnerabilities at develpment time Detect and eliminate the vulnerabilities with testing 71

72 Preventing intrductin Safe prgramming languages such as Java / C# take memry management ut f the prgrammer s hands This makes it impssible t intrduce explitable memry safety vulnerabilities They can still be explited fr denial-f-service purpses Explitable vulnerabilities can still be present in native parts f the applicatin

73 Detect and eliminate vulnerabilities Cde review Static analysis tls: Simple grep -like tls that detect unsafe functins Advanced heuristic tls that have false psitives and false negatives Sund tls that require significant prgrammer effrt t anntate the prgram Testing tls: Fuzz testing Directed fuzz-testing / symblic executin

74 Overview Intrductin Example attacks Stack-based buffer verflw Heap-based buffer verflw Return-t-libc attacks Data-nly attacks Example defenses Stack canaries Nn-executable data Cntrl-flw integrity Layut randmizatin Other defenses Cnclusin 74

75 Cnclusin The design f attacks and cuntermeasures has led t an arms race between attackers and defenders While significant hardening f the executin f C-like languages is pssible, the use f safe languages like Java / C# is frm the pint f view f security preferable 75

Low-level Software Security: Vulnerabilities, Attacks and Countermeasures

Low-level Software Security: Vulnerabilities, Attacks and Countermeasures Lw-level Sftware Security: Vulnerabilities, Attacks and Cuntermeasures Prf Frank PIESSENS Reading material: Ulfar Erlingssn, Yves Yunan, Frank Piessens, Lw-level sftware security by example, Handbk f Infrmatin