Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Size: px

Start display at page:

Download "Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security"

Egbert Richards
5 years ago
Views:

1 CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1

2 Anatomy of Control-Flow Exploits 2

3 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation 2

4 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) 2

5 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, 2

6 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks 2

7 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection 2

8 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim 2

9 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region 2

10 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region 2

11 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region How is code injection done? 2

12 Code Injection 3

13 Code Injection Advantage 3

14 Code Injection Advantage Adversary can install any code they want 3

15 Code Injection Advantage Adversary can install any code they want What code do adversaries want? 3

16 Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses 3

17 Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) 3

18 Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both 3

19 Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both 3

20 Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both What can adversary do to circumvent these defenses and still execute useful code (for them)? 3

21 Return-to-libc Attacks 4

22 Return-to-libc Attacks Method 4

23 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) 4

24 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, 4

25 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage 4

26 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection 4

27 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses 4

28 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions 4

29 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions How to overcome this defense??? 4

30 Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions How to overcome this defense??? Topic of today s lecture 4

31 Return-Oriented Programming Arbitrary exploitation without code injection or whole-function reuse (return-to-libc) 5

32 Return-Oriented Programming 6

33 ROP Thesis 7

34 Return-to-libc 8

35 ROP vs return-to-libc 9

36 ROP Attacks 10

37 Machine Instructions 11

38 ROP Execution 12

39 Building ROP Functionality 13

40 Building ROP Functionality 14

41 Building ROP Functionality 15

42 Creating Programs 16

43 Finding Gadgets 17

44 ROP Conclusions 18

45 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x jump G3... Memory 0x = Return Address buf

46 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x jump G3... Memory 0x = Return Address buf

47 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x jump G3... Memory 0x = Return Address buf

48 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax = %ebx = 5... Memory 0x =

49 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax = %ebx = 5... Memory 0x =

50 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax = %ebx = 5 0x Memory 0x =

51 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax = %ebx = 5 0x Memory 0x =

52 ROP Example Use ESP as program counter E.g., Store 5 at address 0x (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x jump G3 Return Address buf... Registers Memory %eax = 5 0x = 5 %ebx = 0x

53 Advanced Defenses 20

54 Advanced Defenses Control-flow attack defenses operate at two stages 20

55 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control 20

56 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... 20

57 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice 20

58 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... 20

59 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,.

60 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 20

61 Control-Flow Integrity 21

62 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences 21

63 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph 21

64 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, returns,... 21

65 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, returns,... Challenges Building accurate model Efficient enforcement 21

66 Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 22

67 Our Mechanism F A F B call fp return 23

68 Our Mechanism F A F B call fp return CFG excerpt A call B 1 A call+1 B ret 23

69 Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp return CFG excerpt A call B 1 A call+1 B ret 23

70 Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 23 B 1 B ret

71 More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } call fp F C 24

72 More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 24

73 Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B F B succ(b ret ) = {A call+1, D call+1 } F D return call F B 25

74 Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B nop IMM 2 F B succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 25

75 Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B ret call+1 succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 25

76 Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B ret call+1 succ(b ret ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 25

77 No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 26

78 No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 26

79 No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 E call C 1 26

80 No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 26

81 More Challenges 27

82 More Challenges Returns used as jumps E.g., signal handling 27

83 More Challenges Returns used as jumps E.g., signal handling Exceptions 27

84 More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries 27

85 More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly 27

More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.

86 More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 27

87 Alternatives to CFI? 28

88 Alternatives to CFI? What are the fundamental enablers of ROP attacks? CFI: violate control flow Adversary can choose gadgets 28

89 Alternatives to CFI? What are the fundamental enablers of ROP attacks? CFI: violate control flow Adversary can choose gadgets Can we prevent adversaries from choosing useful gadgets? In general, adversaries can create/ obtain the same binary as is run by the victim But, that need not be the case 28

90 Apply Crypto to Code? 29

91 Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? 29

92 Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget) is sufficiently low and the program still runs correctly and efficiently 29

93 Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget) is sufficiently low and the program still runs correctly and efficiently Called address space randomization 29

94 Prevent Injection on Stack Stack Heap 30

95 Prevent Injection on Stack One idea applied in practice Stack Heap 30

96 Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Stack Heap 30

97 Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Randomize the base address of the stack on each execution Prevents adversary from predicting malicious return address Stack Heap 30

98 Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Randomize the base address of the stack on each execution Prevents adversary from predicting malicious return address Can we apply this idea more generally???? Stack Heap 30

99 ASLR Stack Heap Data Text 31

100 ASLR For control-flow attacks, attacker needs absolute addresses Stack Heap Data Text 31

101 ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Stack Heap Data Text 31

102 ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 31

103 ASLR Implementations 32

104 ASLR Implementations Linux 32

105 ASLR Implementations Linux Introduced in Linux (June 2005) 32

106 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes 32

107 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used 32

108 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Only few programs in Linux use PIE 32

109 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] 32

110 ASLR Implementations 33

111 ASLR Implementations Windows 33

112 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) 33

113 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR 33

114 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible 33

115 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study 33

116 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base 33

117 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base Insufficient randomization for some - e.g., heap and image 33

118 ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base Insufficient randomization for some - e.g., heap and image Lesson: bad crypto use will lead to vulnerabilities - again 33

119 ASLR Limitations 34

120 ASLR Limitations Attacks may leak randomization information 34

121 ASLR Limitations Attacks may leak randomization information Disclosure attacks 34

122 ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) 34

123 ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout 34

124 ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities 34

125 ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities So, what can we do? 34

126 ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities So, what can we do? How do we avoid leaking the key? 34

127 Conclusion Defense against control-flow and data attacks is an ongoing arms race Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers However, they have implementation limitations Active area of research 35

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation