Information Leaks. Kyriakos Kyriakou

Transcription

1 Information Leaks Kyriakos Kyriakou University of Cyprus EPL 682: Advanced Security Topics 1

2 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z. Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, Ahmad-Reza Sadeghi University of Cyprus EPL 682: Advanced Security Topics 2

3 Abstract University of Cyprus EPL 682: Advanced Security Topics 3

4 Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. University of Cyprus EPL 682: Advanced Security Topics 4

5 Solution To introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR. University of Cyprus EPL 682: Advanced Security Topics 5

6 Fine-grained ASLR may not be as promising as first thought. University of Cyprus EPL 682: Advanced Security Topics 6

7 Historical Overview Introduction University of Cyprus EPL 682: Advanced Security Topics 7

8 Attackers ultimate goal is to exploit vulnerabilities and provide the ability to redirect program logic within the vulnerable application (ASLR, DEP) University of Cyprus EPL 682: Advanced Security Topics 8

9 Exploitation defenses practices through time Shellcode, return address, stack Overwriting alternative control-flow constructs Redirect execution to existing shared-library functions, chaining together short instruction sequences ending with ret (gadgets, ROP) Memory disclosure problem Canary NX bit ASLR? University of Cyprus EPL 682: Advanced Security Topics 9

10 Background Review the basis of important concepts University of Cyprus EPL 682: Advanced Security Topics 10

11 1 Code Reuse Attacks University of Cyprus EPL 682: Advanced Security Topics 11

12 The general principle of any code reuse attack Redirect the logical program flow to instructions already present in memory, then use those instructions to provide alternative program logic University of Cyprus EPL 682: Advanced Security Topics 12

13 Basic principle of code reuse attacks An example of a ROP attack on the heap using a sequence of single-instruction gadgets 13

14 2 Randomization for Exploit Mitigation University of Cyprus EPL 682: Advanced Security Topics 14

15 What is ASLR and how it works? University of Cyprus EPL 682: Advanced Security Topics 15

16 The basic idea of address space layout randomization (ASLR) refer to a new stack memory allocator that adds a random pad for stack objects larger than 16 bytes. Start address of an executable is relocated between consecutive runs of the application. Current ASLR schemes randomize the base (start) address of segments such as the stack, heap, libraries, and the executable itself University of Cyprus EPL 682: Advanced Security Topics 16

17 As a result, an adversary must guess the location of the functions and instruction sequences needed for successful deployment of her code reuse attack. Today, ASLR is enabled on nearly all modern operating systems such as Windows, Linux, ios, or Android. University of Cyprus EPL 682: Advanced Security Topics 17

18 Fine-Grained Memory and Code Randomization University of Cyprus EPL 682: Advanced Security Topics 18

19 Today ASLR suffer from two main problems 1. The entropy of 32bit systems is too low 2. all ASLR solutions are vulnerable to memory disclosure attacks Since current ASLR implementations only randomize on a per-module level, disclosing a single address within a module effectively reveals the location of every piece of code within that module University of Cyprus EPL 682: Advanced Security Topics 19

20 Solution To confound these attacks, a number of fine-grained ASLR and code randomization schemes have recently appeared in the academic literature University of Cyprus EPL 682: Advanced Security Topics 20

21 The underlying idea in these works is to randomize the data and code structure by shuffling functions or basic blocks (ideally for each program run) The location of all gadgets is randomized and the disclosure of a single address no longer allows an adversary to deploy a code reuse attack. University of Cyprus EPL 682: Advanced Security Topics 21

22 Assumptions and Adversarial Model University of Cyprus EPL 682: Advanced Security Topics 22

23 An adversary actions may enumerated in two stages 1. exercise a vulnerability entry point 2. execute arbitrary malicious computations Modern stack and heap mitigations do eliminate categories of attack supporting stage one, but these mitigations are not comprehensive (ie. exploitable vulnerabilities still exist) University of Cyprus EPL 682: Advanced Security Topics 23

24 Assumptions for the target platform uses the following mechanisms to mitigate the execution of malicious computations Non-Executable Memory JIT Mitigations Export Address Table Access Filtering Base Address Randomization Strong Fine-Grained ASLR randomization scheme i. Permutes the order of functions and basic blocks ii. Swaps registers and replaces instructions iii. Randomizes the location of each instruction iv. Performs randomizations upon each run of an application University of Cyprus EPL 682: Advanced Security Topics 24

25 Current Problems with ASLR not usually applied to every executable or library, thereby allowing an adversary to leverage the non-randomized code parts for a conventional code reuse attack. current systems do not enforce fine-grained randomization. University of Cyprus EPL 682: Advanced Security Topics 25

26 The trend is Enabling ASLR for all applications, even for the operating system kernel as deployed in Windows 8 University of Cyprus EPL 682: Advanced Security Topics 26

27 What the proposed framework can do or offer? even given all these fortified defenses, the framework for code reuse attacks can readily undermine the security provided by these techniques an adversary will enjoy a simpler and more streamlined exploit development process than ever before builds the entire payload on-the-fly compatible with all OS revisions. University of Cyprus EPL 682: Advanced Security Topics 27

28 We only assume that the adversary can.. 1. Conform memory disclosure vulnerability to the interface that reveals values at an absolute address 2. Discover a single code pointer University of Cyprus EPL 682: Advanced Security Topics 28

29 Overview of Just-In-Time Code Reuse JIT Code Reuse University of Cyprus EPL 682: Advanced Security Topics 29

30 Exploiting a memory disclosure multiple times.. violates implicit assumptions of the fine-grained exploit mitigation model enables the adversary to iterate over mapped memory to search for all necessary gadgets on-the-fly University of Cyprus EPL 682: Advanced Security Topics 30

31 to bypass fine-grained exploit mitigation techniques, the authors designed and built a prototype exploit framework that aptly demonstrates one instantiation, called JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 31

32 Code Injection Attack Workflow Utilizing just-in-time code reuse against a script-enabled application protected by finegrained memory (or code) randomization. 32

33 HOW? University of Cyprus EPL 682: Advanced Security Topics 33

34 A. Mapping Code Page Memory JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 34

35 Challenge 1 University of Cyprus EPL 682: Advanced Security Topics 35

36 Lies in developing a reliable method for automatically searching through memory for code without causing a crash University of Cyprus EPL 682: Advanced Security Topics 36

37 Challenge 12 University of Cyprus EPL 682: Advanced Security Topics 37

38 To enumerate any information found in this initial page of code that reliably identifies additional pages of code University of Cyprus EPL 682: Advanced Security Topics 38

39 Algorithm 1 HarvestCodePages Given an initial code page, recursively disassemble pages and discover direct and indirect pointers to other mapped code pages. It is a recursive search over discovered code pages that results in the set of unique code page virtual addresses along with associated data. Iteration continues only until all the requisite information to build a payload has been acquired. 39

40 B. API Function Discovery JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 40

41 Challenge University of Cyprus EPL 682: Advanced Security Topics 41

42 Lies in the fact that an exploit will inevitably need to interact with operating system APIs to enact any significant effect. University of Cyprus EPL 682: Advanced Security Topics 42

43 The solution The favored method of interacting with the OS is through API calls because of the relative stability across OS revisions. [as in kernel32.dll] (not system calls) Discover the virtual addresses of API Functions used in the attacker-supplied program (Step ❸) Proposed code page harvesting gives unfettered access to a large amount of application code. This offers a unique opportunity for automatically discovering a diverse set of API function pointers. (Step ❷) University of Cyprus EPL 682: Advanced Security Topics 43

44 C. Gadget Discovery JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 44

45 Thus far we have automatically mapped a significant portion of the vulnerable application s code layout and collected API function pointers required by the exploit writer s designated program. University of Cyprus EPL 682: Advanced Security Topics 45

46 Challenge University of Cyprus EPL 682: Advanced Security Topics 46

47 Lies in accumulating a set of concrete gadgets to use as building blocks for the just-in-time code reuse payload & Fine-grained exploit mitigations may metamorphose instructions on each execution. University of Cyprus EPL 682: Advanced Security Topics 47

48 The solution In Step ❹ they efficiently collect sequences of instructions by adapting the Galileo algorithm proposed by Shacham to iterate over the harvested code pages from Step ❷ and populate an instruction prefix tree structure. Using criteria for useful gadgets University of Cyprus EPL 682: Advanced Security Topics 48

49 Algorithm 2 VerifyGadget Automatically match a sequence of instructions to a gadget s semantic definition. 49

50 University of Cyprus EPL 682: Advanced Security Topics 50

51 D. Just-In-Time Compilation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 51

52 Challenge University of Cyprus EPL 682: Advanced Security Topics 52

53 Lies in using the dynamically discovered API function pointers and collection of concrete gadgets to satisfy the exploit writer s target program (Step ❶), then generate a payload to execute (Step ❻) University of Cyprus EPL 682: Advanced Security Topics 53

54 The solution A dynamic compilation is required to ensure we can use a plethora of gadget types to build the final payload The JIT Gadget Compiler proposed is like a traditional compiler, except that compilation is embedded directly within an exploit script with a subset of concrete instructions available for code generation Next, they perform a lazy search over all possible gadget combinations that implement a program statement, as well as a search over all schedules and register combinations. The final payload is serialized to a structure accessible from the script, and control is returned to the exploit writer s code (Step ❻) University of Cyprus EPL 682: Advanced Security Topics 54

55 E. Implementation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 55

56 University of Cyprus EPL 682: Advanced Security Topics 56

57 Evaluation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 57

58 A. On Code Page Harvesting JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 58

59 To perform the evaluation, they used memory snapshots created using a custom library. The snapshots contain all process memory, metadata indicating if a page is marked as executable code, and auxiliary information on which pages belong to the application or a shared library. University of Cyprus EPL 682: Advanced Security Topics 59

60 University of Cyprus EPL 682: Advanced Security Topics 60

61 University of Cyprus EPL 682: Advanced Security Topics 61

62 B. On Gadget Coverage JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 62

63 They were able to find all the gadgets required in their proof of concept exploit. They found that we could generate a payload from 78% of the initial code pages, and 67% of the initial starting points additionally yielded a StackPivotG, which is required for many exploits. University of Cyprus EPL 682: Advanced Security Topics 63

64 University of Cyprus EPL 682: Advanced Security Topics 64

65 To reinforce the point that gadget discovery is not hindered by fine-grained mitigation techniques, they conducted an experiment using the in-place binary code randomizer. The framework discovers slightly more gadgets in the randomized libraries than the original unmodified DLLs. University of Cyprus EPL 682: Advanced Security Topics 65

66 C. On API Function Discovery JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 66

67 By calling VirtualProtect is the most direct way to undermine non-executable memory They found that within the Internet Explorer 8 process memory (including all libraries), there were only 15 distinct call sites to VirtualProtect. They found that call sites for LoadLibrary and GetProcAddress functions were readily available within the Internet Explorer memory 391 instances of GetProcAddress and 340 instances of LoadLibrary. University of Cyprus EPL 682: Advanced Security Topics 67

68 D. On Runtime Performance JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 68

69 JIT-ROP was able to locate a pivot within 10 pages, all required APIs in 19 pages, and the requisite gadgets for a payload within 50 pages a total running time of 22.5 seconds. University of Cyprus EPL 682: Advanced Security Topics 69

70 University of Cyprus EPL 682: Advanced Security Topics 70

71 The proposed framework runs incredibly fast when natively compiled code pages are traversed, gadgets are collected, APIs are resolved, and a payload is compiled in a fraction of a second. University of Cyprus EPL 682: Advanced Security Topics 71

72 Potential Mitigations Suggestions University of Cyprus EPL 682: Advanced Security Topics 72

73 Suggestions that would render this attack ineffective Re-randomize code pages at a high rate; the disclosed pages might be re-randomized before the just-in-time pay-load executes (randomization costs problem) Fortify defenses that hinder the first stage (i.e. the entry point) of a runtime attack Apply an Instruction set randomization (ISR), which mitigates code injection attacks by encrypting the binary s code pages with a random key and decrypting them on-the-fly. To prevent control-flow attacks is the enforcement of controlflow integrity (CFI), which mitigates runtime attacks regardless of whether the program suffers from vulnerabilities. University of Cyprus EPL 682: Advanced Security Topics 73

74 Conclusion University of Cyprus EPL 682: Advanced Security Topics 74

75 In this paper, they introduce a novel framework that undermines fine-grained randomization techniques by using a just-in-time code reuse strategy. They repeatedly abuse a memory disclosure to map an application s memory layout on-the-fly. It dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets all within a script environment at the time an exploit is launched. University of Cyprus EPL 682: Advanced Security Topics 75

76 Moving on University of Cyprus EPL 682: Advanced Security Topics 76

77 Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh University of Cyprus EPL 682: Advanced Security Topics 77

78 Abstract University of Cyprus EPL 682: Advanced Security Topics 78

79 Return Oriented Programming (ROP) The attacker knows the location of useful gadgets, because binary and distribution are available University of Cyprus EPL 682: Advanced Security Topics 79

80 What if the binary remains unknown to the attacker? University of Cyprus EPL 682: Advanced Security Topics 80

81 It is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. University of Cyprus EPL 682: Advanced Security Topics 81

82 Solution Blind ROP (BROP) attack remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. University of Cyprus EPL 682: Advanced Security Topics 82

83 The source code is available for everyone Open Source is most within reach Attackers can audit the code to find vulnerabilities Usually proprietary software that none has access to see the source code Hacking this software is also possible, but harder Attackers can use fuzz testing and reverse engineering University of Cyprus EPL 682: Advanced Security Topics 83

84 Simplest possible vulnerability: Stack buffer Overflows bugs such as these go unnoticed in proprietary software, where the source (and binary) has not been under the heavy scrutiny of the public and security specialists University of Cyprus EPL 682: Advanced Security Topics 84

85 Challenge University of Cyprus EPL 682: Advanced Security Topics 85

86 Lies in developing a methodology for exploiting these vulnerabilities when information about the target binary is limited University of Cyprus EPL 682: Advanced Security Topics 86

87 One advantage attackers often have Many servers restart their worker processes after a crash for robustness University of Cyprus EPL 682: Advanced Security Topics 87

88 They present a new attack, Blind Return Oriented Programming (BROP), that takes advantage of these situations to build exploits for proprietary services for which both the binary and source are unknown. University of Cyprus EPL 682: Advanced Security Topics 88

89 BROP attack assumptions A server application with stack vulnerability One that is restarted after a crash Runs 64-bit Linux with ASLR, non-executable (NX) memory, and stack canaries enabled University of Cyprus EPL 682: Advanced Security Topics 89

90 Position Independent Executables (PIE) are an output of the hardened package build process. A PIE binary and all of its dependencies are loaded into random locations within virtual memory each time the application is executed. University of Cyprus EPL 682: Advanced Security Topics 90

91 The attack is enabled by two new techniques 1. Generalized stack reading: this generalizes a known technique, used to leak canaries, to also leak saved return addresses in order to defeat ASLR on 64-bit even when Position Independent Executables (PIE) are used 2. Blind ROP: this technique remotely locates ROP gadgets Both techniques share the idea of using a single stack vulnerability to leak information based on whether a server process crashes or not. The stack reading technique overwrites the stack byte-by-byte with possible guess values, until the correct one is found and the server does not crash. University of Cyprus EPL 682: Advanced Security Topics 91

92 The Blind ROP attack remotely finds enough gadgets to perform the write system call, after which the server s binary can be transferred from memory to the attacker s socket. At this point, canaries, ASLR and NX have been defeated and the exploit can proceed using known techniques. University of Cyprus EPL 682: Advanced Security Topics 92

93 The BROP attack enables robust, general-purpose exploits for three new scenarios: 1. Hacking proprietary closed-binary services One may notice a crash when using a remote service or discover one through remote fuzz testing. 2. Hacking a vulnerability in an open-source library thought to be used in a proprietary closed-binary service A popular SSL library for example may have a stack vulnerability and one may speculate that it is being used by a proprietary service. 3. Hacking an open-source server for which the binary is unknown This applies to manually compiled installations or source-based distributions such as Gentoo University of Cyprus EPL 682: Advanced Security Topics 93

94 Braille makes BROP attacks highly automated University of Cyprus EPL 682: Advanced Security Topics 94

95 Their overall contribution 1. A technique to defeat ASLR on servers (generalized stack reading). 2. A technique to remotely find ROP gadgets (BROP) so that software can be attacked when the binary is unknown. 3. Braille: a tool that automatically constructs an exploit given input on how to trigger a stack overflow on a server 4. The first public exploit for nginx s recent vulnerability, that is generic, 64-bit, and defeats (full/pie) ASLR, canaries and NX. University of Cyprus EPL 682: Advanced Security Topics 95

96 Their overall contribution 5. Suggestions for defending against BROP attacks. In summary, ASLR must be applied to all executable segments (PIE) and re-randomization must occur after each crash (at odds with fork-only servers). Holding the binary from the attacker or purposefully altering it may not be an effective security countermeasure. University of Cyprus EPL 682: Advanced Security Topics 96

97 Historical Overview University of Cyprus EPL 682: Advanced Security Topics 97

98 Exploitation defenses practices through time Shellcode, return address, stack Structured exception handlers (SEH) Redirect execution to existing shared-library functions, chaining together short instruction sequences ending with ret (gadgets, ROP) Memory disclosure problem Canary NX bit ASLR? University of Cyprus EPL 682: Advanced Security Topics 98

99 ROP Tutorial University of Cyprus EPL 682: Advanced Security Topics 99

100 University of Cyprus EPL 682: Advanced Security Topics 100

101 University of Cyprus EPL 682: Advanced Security Topics 101

102 Buffer Overflows Today University of Cyprus EPL 682: Advanced Security Topics 102

103 An attacker must fulfill at least two requirements in order to gain full control of a remote program s execution: 1. To defeat NX, the attacker must know where gadgets reside inside the program executable 2. To defeat ASLR, the attacker must de-randomize the location at which the executable s text segment is actually loaded in memory University of Cyprus EPL 682: Advanced Security Topics 103

104 The proposed stack reading technique makes it possible to attack PIE servers that do not rerandomize after crash. University of Cyprus EPL 682: Advanced Security Topics 104

105 University of Cyprus EPL 682: Advanced Security Topics 105

106 BROP Environment University of Cyprus EPL 682: Advanced Security Topics 106

107 BROP attack makes the following assumptions and requires the following environment: A stack vulnerability and knowledge of how to trigger it A server application that restarts after a crash What s the thread model? University of Cyprus EPL 682: Advanced Security Topics 107

108 The thread model is an attacker that.. knows an input string that crashes a server due to a stack overflow bug is able to overwrite a variable length of bytes including a return instruction pointer knows the source or binary of the server is able to crash the server as many times as he wishes while conducting the attack, and the server must restart is able to distinguish when a server crashes prematurely, e.g., by noticing that the socket closes without receiving a response If the server is compiled with the PIE flag, the server must be a forking daemon and must restart without using execve. The same is true for overflows where the canary must be modified by the exploit. University of Cyprus EPL 682: Advanced Security Topics 108

109 Attack Outline University of Cyprus EPL 682: Advanced Security Topics 109

110 The BROP attack has the following phases: 1. Stack reading: read the stack to leak canaries and a return address to defeat ASLR 2. Blind ROP: find enough gadgets to invoke write and control its arguments 3. Build the exploit: dump enough of the binary to find enough gadgets to build a shellcode, and launch the final exploit University of Cyprus EPL 682: Advanced Security Topics 110

111 Stack Reading: ASLR de-randomization University of Cyprus EPL 682: Advanced Security Topics 111

112 Exploits must have a method of defeating ASLR for configurations where PIE is used. They present a new stack reading technique that generalizes a known technique used for leaking canaries. University of Cyprus EPL 682: Advanced Security Topics 112

113 The basic idea 1. Overflow a single byte of the canary with value x 2. If x is correct, the server does not crash 3. The algorithm is repeated for all possible 256 byte values until it is found (128 tries on average) 4. The attack continues for the next byte until all 8 canary bytes (on 64-bit) are leaked University of Cyprus EPL 682: Advanced Security Topics 113

114 University of Cyprus EPL 682: Advanced Security Topics 114

115 University of Cyprus EPL 682: Advanced Security Topics 115

116 BROP Attack University of Cyprus EPL 682: Advanced Security Topics 116

117 BROP Attack Allows writing exploits without possessing the target binary. It introduces techniques to find ROP gadgets remotely and optimizations to make the attack practical. University of Cyprus EPL 682: Advanced Security Topics 117

118 BROP Attack Outline A. The pieces of a puzzle B. Finding gadgets and the stop gadget C. Identifying gadgets D. Finding the Procedure Linking Table (PLT) E. Controlling rdx via strcmp F. Finding write G. Concluding the attack H. Attack Summary I. First principles attack J. Other low-level details University of Cyprus EPL 682: Advanced Security Topics 118

119 A. The pieces of a puzzle University of Cyprus EPL 682: Advanced Security Topics 119

120 The goal is to find enough gadgets to invoke write University of Cyprus EPL 682: Advanced Security Topics 120

121 The write system call takes three arguments: a socket, a buffer and a length Arguments are passed in rdi, rsi and rdx registers, and the system call number is stored in the rax register. University of Cyprus EPL 682: Advanced Security Topics 121

122 The following gadgets are therefore needed: 1. pop rdi; ret (socket) 2. pop rsi; ret (buffer) 3. pop rdx; ret (length) 4. pop rax; ret (write syscall number) 5. syscall University of Cyprus EPL 682: Advanced Security Topics 122

123 University of Cyprus EPL 682: Advanced Security Topics 123

124 University of Cyprus EPL 682: Advanced Security Topics 124

125 The optimized attack therefore requires: 1. Finding the BROP gadget 2. Finding the PLT. Finding the entry for write. Finding the entry for strcmp. University of Cyprus EPL 682: Advanced Security Topics 125

126 B. Finding Gadgets University of Cyprus EPL 682: Advanced Security Topics 126

127 The basic idea in finding gadgets remotely is to scan the application s text segment by overwriting the saved return address with an address pointing to text and inspecting program behavior. A stop gadget is anything that would cause the program to block, like an infinite loop or a blocking system call (like sleep). University of Cyprus EPL 682: Advanced Security Topics 127

128 University of Cyprus EPL 682: Advanced Security Topics 128

129 C. Identifying Gadgets University of Cyprus EPL 682: Advanced Security Topics 129

130 How to classify gadgets? By controlling the stack layout and inspecting program behavior University of Cyprus EPL 682: Advanced Security Topics 130

131 We define three values that the attacker can place on the stack: Probe Stop Trap The address of the gadget being scanned. The address of a stop gadget that will not crash The address of non-executable memory that will cause a crash (e.g., 0x0). University of Cyprus EPL 682: Advanced Security Topics 131

132 The idea is that by varying the position of the stop and trap on the stack, one can deduce the instructions being executed by the gadget, either because the trap or stop will execute, causing a crash or no crash respectively. University of Cyprus EPL 682: Advanced Security Topics 132

133 Here are some examples and possible stack layouts: probe, stop, traps (trap, trap,... ) Will find gadgets that do not pop the stack like ret or xor rax, rax; ret probe, trap, stop, traps Will find gadgets that pop exactly one stack word like pop rax; ret or pop rdi; ret probe, stop, stop, stop, stop, stop, stop, stop, traps Will find gadgets that pop up to six words (e.g., the BROP gadget) University of Cyprus EPL 682: Advanced Security Topics 133

134 University of Cyprus EPL 682: Advanced Security Topics 134

135 D. Finding the Procedure Linking Table (PTL) University of Cyprus EPL 682: Advanced Security Topics 135

136 To control the third argument (rdx) one needs to find a call to strcmp, which sets rdx to the length of the string compared. The PLT is a jump table at the beginning of the executable used for all external calls (e.g., libc). University of Cyprus EPL 682: Advanced Security Topics 136

137 University of Cyprus EPL 682: Advanced Security Topics 137

138 Most of the PLT entries will not cause a crash regardless of arguments because they are system calls that return EFAULT on invalid parameters. The stack layout to find a PLT entry will be: probe, stop, trap. University of Cyprus EPL 682: Advanced Security Topics 138

139 E. Controlling rdx via strcmp University of Cyprus EPL 682: Advanced Security Topics 139

140 The attacker can identify PLT entries by exercising each entry with different arguments and seeing how the function performs. The first two arguments can be controlled thanks to the BROP gadget. University of Cyprus EPL 682: Advanced Security Topics 140

141 strcmp for example has the following behavior and signature, where bad is an invalid memory location (e.g., 0x0) and readable is a readable pointer (e.g., an address in.text): strcmp(bad, bad): crash strcmp(bad, readable): crash strcmp(readable, bad): crash strcmp(readable, readable): no crash The attacker finds strcmp by finding an entry that responds to the previously mentioned signature. University of Cyprus EPL 682: Advanced Security Topics 141

142 F. Finding write University of Cyprus EPL 682: Advanced Security Topics 142

143 The attacker so far can control the first three arguments to any call: the first two via the BROP gadget, and the third one indirectly via strcmp. write can now trivially be found by scanning each PLT entry and forcing a write to the socket and checking whether the write occurred. University of Cyprus EPL 682: Advanced Security Topics 143

144 The only complication is figuring out the file descriptor number for the socket. There are two approaches: 1. chaining multiple writes each with different file descriptor numbers in a single ROP chain, or 2. opening multiple connections and using a relatively high file descriptor number in hope that it will match one of the connections. They use both techniques in combination. University of Cyprus EPL 682: Advanced Security Topics 144

145 G. Concluding the attack University of Cyprus EPL 682: Advanced Security Topics 145

146 At this point the attacker can write the entire.text segment from memory to the attacker s socket, disassemble it, and find more gadgets. The attacker can also dump the symbol table and find useful functions in the PLT like dup2 and execve. University of Cyprus EPL 682: Advanced Security Topics 146

147 Generally speaking the attacker will need to: 1. Redirect the socket to standard input / output The attacker can use dup2 or close, followed by either dup or fcntl(f_dupfd). These are often in the PLT. 2. Find /bin/sh in memory An effective technique is to find a writable memory region like the environment, environ, from the symbol table, and read /bin/sh from the attacker s socket to that address. 3. execve the shell If execve is not in the PLT, the attacker will need to transfer more of the binary to find a pop rax; ret and syscall gadget. University of Cyprus EPL 682: Advanced Security Topics 147

148 H. Attack summary University of Cyprus EPL 682: Advanced Security Topics 148

149 The optimized BROP attack is as follows: 1. Find where the executable is loaded. Either 0x for non-pie executables (default) or stack read a saved return address. 2. Find a stop gadget. This is typically a blocking system call (like sleep or read) in the PLT. The attacker finds the PLT in this step too. 3. Find the BROP gadget. The attacker can now control the first two arguments to calls. 4. Find strcmp in the PLT. The attacker can now control the first three arguments to calls. 5. Find write in the PLT. The attacker can now dump the entire binary to find more gadgets. 6. Build a shellcode and exploit the server. University of Cyprus EPL 682: Advanced Security Topics 149

150 I. First principles attack University of Cyprus EPL 682: Advanced Security Topics 150

151 The attack outline: 1. Find all pop x; ret gadgets. 2. Find a syscall gadget. 3. Identify the pop gadgets previously found University of Cyprus EPL 682: Advanced Security Topics 151

152 The attack outline: The attacker starts by finding a stop gadget and all pop x; ret instructions. The difficulty is now in identifying the pop instructions and finding a syscall gadget. The idea is to identify the pop instructions based on system call behavior after tweaking system call arguments, in a similar way as to how strcmp was found in the optimized attack. University of Cyprus EPL 682: Advanced Security Topics 152

153 There is a bootstrap problem because to find syscall one must control the system call number (rax), so one must have a priori identified pop rax; ret University of Cyprus EPL 682: Advanced Security Topics 153

154 The solution Chain all pop instructions found by the attacker, popping the desired system call number, and one of them will likely be rax The system call to use is pause() which takes no arguments and so ignores all other registers. It also stops program execution until a signal is raised and so it acts as a stop gadget, making it identifiable The attacker can now append the probe address for syscall to the pop chain to find a system call gadget Once an address that makes the program pause is found, the attacker can eliminate the pops one by one to find which one controls rax University of Cyprus EPL 682: Advanced Security Topics 154

155 At this point the attacker has the address of a syscall gadget and a pop rax; ret gadget. University of Cyprus EPL 682: Advanced Security Topics 155

156 The attacker also holds a list of unidentified pops. These are identified by using the following system calls University of Cyprus EPL 682: Advanced Security Topics 156

157 One can now call write and continue the attack by dumping the.text segment and finding more gadgets University of Cyprus EPL 682: Advanced Security Topics 157

158 J. Other low level details University of Cyprus EPL 682: Advanced Security Topics 158

159 In this section they list a number of not so obvious low-level attack details, many of which added to the attack s stability: a) Stack reading with zeros b) Further strcmp verification c) Dealing with small buffers d) Dealing with few event-based workers University of Cyprus EPL 682: Advanced Security Topics 159

160 Implementation University of Cyprus EPL 682: Advanced Security Topics 160

161 The BROP attack was implemented in a tool called Braille that automatically goes from a crash to a remote shell. It is written in 2,000 lines of Ruby code. Braille is essentially a meta-exploit that takes a driver function that can crash a server, and figures out all the information needed to build an exploit. University of Cyprus EPL 682: Advanced Security Topics 161

162 Evaluation University of Cyprus EPL 682: Advanced Security Topics 162

163 The BROP attack was tested in three scenarios: 1. An open-source SSL library with a known stack vulnerability (yassl). This mimics the scenario where one is attacking a proprietary service that is believed to use a vulnerable open-source component. As a sample target we used an older version of MySQL that used yassl. 2. An open-source software with a known stack vulnerability (nginx), manually compiled from source. In this scenario the attacker knows the source of the entire server but does not hold the binary. 3. A toy closed-binary proprietary service with a stack vulnerability. This was written by a colleague and both the binary and source were kept secret. Ideally we would have tested this against a real-world proprietary service but it would have been difficult to do so legally University of Cyprus EPL 682: Advanced Security Topics 163

164 They ran Braille against all three attack scenarios, without any application-specific optimizations, and the attack succeeded in all cases. University of Cyprus EPL 682: Advanced Security Topics 164

165 Evaluation aspects 1. Performance: number of requests and time. 2. Stability: how robust the attack is. 3. Attack paired with source-code knowledge: whether having access to the source code (but not the binary) can make the attack better University of Cyprus EPL 682: Advanced Security Topics 165

166 University of Cyprus EPL 682: Advanced Security Topics 166

167 University of Cyprus EPL 682: Advanced Security Topics 167

168 Limitations University of Cyprus EPL 682: Advanced Security Topics 168

169 The BROP Attack has its limitations Applied only to simple stack overflows. Stack reading assumes that the attacker can overflow at a byte granularity and controls the last byte being overflown. Assumes that the same machine and process can be hit after each attempt. Relies on a number of workers being available and not ending up in a situation where all workers become stuck in an infinite loop. University of Cyprus EPL 682: Advanced Security Topics 169

170 BROP Prevention University of Cyprus EPL 682: Advanced Security Topics 170

171 Defenses mechanisms that will prevent the BROP Attack A. Rerandomization The most basic protection against the BROP attack is to rerandomize canaries and ASLR as often as possible. It is important that any child processes forked are randomized independently so that any information learned from one child cannot be used against another one. They suggest servers write a new canary before entering a per-request function. University of Cyprus EPL 682: Advanced Security Topics 171

172 Defenses mechanisms that will prevent the BROP Attack B. Sleep on crash In some situations, servers should not respawn, but in practice users and developers find this an unacceptable solution. Modern Linux desktops use systemd to monitor services and automatically restart services on failures. Developers should be cautious about which remote services they really need or want to restart automatically to reduce the attack surface. University of Cyprus EPL 682: Advanced Security Topics 172

173 Defenses mechanisms that will prevent the BROP Attack C. ROP protections Control Flow Integrity (CFI), prevents return oriented programming in general by enforcing the control flow graph. There are many other similar techniques that can be applied. University of Cyprus EPL 682: Advanced Security Topics 173

174 Defenses mechanisms that will prevent the BROP Attack D. Compiler Techniques Many modern compilers support inserting runtime bounds checks on buffers. University of Cyprus EPL 682: Advanced Security Topics 174

175 The main problem with all these solutions is that they may suffer as much as a 2x performance slowdown, and as such they are used mostly for testing University of Cyprus EPL 682: Advanced Security Topics 175

176 Conclusion University of Cyprus EPL 682: Advanced Security Topics 176

177 They show that, under the right conditions, it is possible to write exploits without any knowledge of the target binary or source code University of Cyprus EPL 682: Advanced Security Topics 177

178 To sum up 1. Their attack is able to defeat ASLR, NX and stack canaries on modern 64-bit Linux servers 2. They present two new techniques: a) generalized stack reading: which defeats full ASLR on 64-bit systems b) BROP attack: which is able to remotely find ROP gadgets. 3. Braille, can take under 4,000 requests to spawn a shell, under 20 minutes, tested against real versions of yassl+mysql and nginx with known vulnerabilities, and a toy proprietary service running an unknown binary University of Cyprus EPL 682: Advanced Security Topics 178

179 To sum up 4. ASLR is only effective when it is applied to all code segments in the binary (including PIE) 5. Security through obscurity, where the binary is unknown or randomized, can only slow but not prevent buffer overflow attacks 6. To defend against their attack, they suggest that systems should rerandomize ASLR and canaries after any crash, and that no library or executable should be exempt from ASLR University of Cyprus EPL 682: Advanced Security Topics 179

180 Thank you for your time Feel free to ask any questions University of Cyprus EPL 682: Advanced Security Topics 180