Just-in-Time Code Reuse

Size: px

Start display at page:

Download "Just-in-Time Code Reuse"

Chrystal Payne
5 years ago
Views:

1 Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University of North Carolina at Chapel Hill 2 CASED/Technische Universität Darmstadt, Germany 1

2 The Big Picture 2 2

3 The Big Picture 2 2

4 The Big Picture Scrip&ng facilitates a0acks 2 2

5 The Big Picture Scrip&ng facilitates a0acks Large a0ack surface 2 2

6 The Big Picture Scrip&ng facilitates a0acks Exploit packs automate increasingly complex a0acks Adversary must apply a code- reuse strategy Large a0ack surface 2 2

7 The Big Picture 3 3

8 The Big Picture 3 3

9 The Big Picture Re t u r n o r ien ted Pro g ra mm ing 3 3

10 Basic ROP Attack Technique 4

11 Basic ROP Attack Technique Adversary 4

12 Basic ROP Attack Technique Adversary Stack Heap Code 4

13 Basic ROP Attack Technique Adversary Stack Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

14 Basic ROP Attack Technique Adversary Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

15 Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

16 Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Inject ROP Payload Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

17 Basic ROP Attack Technique Adversary Inject ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

18 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

19 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

20 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

21 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

22 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

23 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

24 Code Reuse Attacks History selected not exhaustive

25 Code Reuse Attacks History selected not exhaustive 1997 ret2libc Solar Designer

26 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal

27 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer

28 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS)

29 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA)

30 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA)

31 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA) 2010 Roppery Iozzo et al (BlackHat USA) Payload already inside Long Le (BlackHat USA) ROP without Returns Checkoway et al (CCS) Pwn2Own iphone Weinmann & Iozzo Pwn2Own IE Nils Practical ROP Zovi (RSA Conference) 5

32 ASLR Address Space Layout Randomiza6on 6

33 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7

34 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7

35 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 3. Adjust instruction sequence pointers Disclosure Attack e.g., [Sotirov et al., Blackhat 2008] 2. Leak function pointer 1. Exploit disclosure vulnerability 7 7

36 Example Memory Disclosure Stack Executable Heap Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

37 Example Memory Disclosure Stack Executable Vulnerable Object array vuln[10] JavaScript String size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

38 Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

39 Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data Object funcpointer funcpointer Library (e.g., user32.dll) Memory Readable as String Data Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

40 Tackling the Problems of ASLR via Fine- Grained ASLR 9

41 Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence

42 Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence 3 Application Run 2 Library (e.g., user32.dll) Instruction Sequence 3 Instruction Sequence 1 Instruction Sequence 2 Different fine- grained ASLR approaches have been proposed recently ORP [Pappas et al., IEEE Security & Privacy 2012] ILR [Hiser et al., IEEE Security & Privacy 2012] STIR [Wartell et al., ACM CCS 2012] XIFER [Davi et al., ASIACCS 2013] All mi&gate single memory disclosure a0acks 10 10

43 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized 11

44 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr 11

45 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original Randomized MOV EBX, $0 11

46 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX 11

47 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized 11

48 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized MOV EBX, &ptr CALL *EBX 11

49 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original 12

50 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 BBL_2 BBL_3 12

51 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

52 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

53 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

54 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF 0x1000: Randomized BBL_2 BBL_2 MOV (ESP), EAX 0x10A0: BBL_3 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 12

55 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12

56 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12

57 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x

58 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: MOV (ESP), EAX BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x

59 Instruction Location Randomization Original MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX [Hiser et al., IEEE S&P 2012] 0x10FF: ADD EAX, ECX 13

60 Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x3000: ADD EAX, ECX 13

61 Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x2500 -> 0x2000 0x2000 -> 0x1000 0x1000 -> 0x12A0 0x3000 -> 0x1F00 Execution is driven by a fall-through map and a binary translation framework (Strata) 0x3000: ADD EAX, ECX 13

62 Does Fine- Grained ASLR Provide a Viable Defense in the Long Run? 14

63 Contributions 15 15

64 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 15 15

65 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 15 15

66 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 3 A prototype exploit framework that demonstrates one instantiation of our idea, called JIT-ROP 15 15

67 Assumptions Adversary Defender 16 16

68 Assumptions Adversary Defender Non-Executable Stack and Heap 16 16

69 Assumptions Adversary Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16

70 Assumptions Adversary Memory Disclosure Vulnerability Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16

71 Assumptions Adversary Control-Flow Vulnerability Memory Disclosure Vulnerability Fine-Grained ASLR Defender Non-Executable Stack and Heap 16 16

72 Workflow of Just-In-Time Code Reuse Adversary 17 17

73 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer 17 17

74 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) 17 17

75 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application 17 17

76 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Map Memory Description (High-Level Language) Vulnerable Application 17 17

77 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Map Memory Find ROP Sequences (Gadgets) Vulnerable Application 17 17

78 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Find ROP Sequences (Gadgets) Find API Functions 17 17

79 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17

80 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17

81 Challenges 18 18

82 Challenges Map memory without crashing 18 18

83 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime 18 18

84 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated 18 18

85 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated Demonstrate efficient, practical exploit 18 18

86 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present 19 19

87 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present f295afcad42b43 638b2bbf6381ff 72efc88bda4cc0 0732bba1575ccb eb7c025e6b8ad3 0c283baa9f03e4 7464fc814176cd 546bcee28e4232 initial code page 19 19

88 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19

89 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19

90 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx 19 19

91 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 20 20

92 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20

93 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20

94 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program Vulnerable Application Code Page Previously Found Sleep() FindWindow() GetActiveWindow() 20 20

95 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead Vulnerable Application Code Page Previously Found LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20

96 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead With Vulnerable Dynamic Application Loading LoadLibrary( urlmon.dll ); Code Page Previously Found URLDownloadToFile bot.exe ); LoadLibrary( kernel32.dll ); WinExec bot.exe ); LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20

97 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 21 21

98 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx gadgets found 21 21

99 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret gadgets found 21 21

100 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

101 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

102 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

103 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21

104 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call

105 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG LoadRegG gadgets found MovRegG 21 21

106 Compiling the ROP program 22 22

107 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& 22 22

108 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 generate possible gadget arrangements 22 22

109 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

110 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@,

111 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Serialize Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

112 Take it to the Next Level JIT-ROP is only our initial prototype of just-in-time code reuse. Potential Improvements: Map Memory Find API Calls Find Gadgets Compile Run Time Improve ability to discern code from embedded data. Explore direct use of system calls. Lower conservativeness at expense of complexity. Define more composite gadgets implementing an operation. Optimize code throughout. Bigger changes: apply JIT code reuse to jump-oriented programming, return-less ROP, or ret-to-libc styles of code reuse

113 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? 24 24

114 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) 24 24

115 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Are code pages interconnected enough? 24 24

116 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Tested on 7 Applications: Are code pages interconnected enough? 24 24

117 Experiment Design For each application: Open Application with Blank Document Save Save Snapshot Save Snapshot Save of Snapshot Save of Snapshot Program Save Program Memory of Snapshot Save Program Memory of Program Memory of Snapshots Program Memory of Program Memory of Program Memory Memory Use only one initial code pointer to kick-off memory mapping, repeat for all possible initializations Build Native x86 Version of JIT-ROP Map Memory Find API Calls Find Gadgets Compile 25 25

118 Experimental Results Map Memory On average, 300 pages of code harvested. Find API Calls 500 Pages harvested from a single initial code pointer upper quartile 300 Find Gadgets median Run Time 100 lower quartile 26 26

119 Experimental Results Map Memory Find API Calls Using the LoadLibrary() and GetProcAddress() APIs, the generated ROP payload can lookup any other APIs needed. Find 9 to 12 on average, but only one needed. Find Gadgets upper quartile median 5 Run Time GetProcAddress() ASCII UNICODE LoadLibrary() similar results for all applications 27 27

120 Experimental Results Map Memory We only consider xchg eax,esp for a stack pivot, this could be improved. upper quartile median Find API Calls Find Gadgets Run Time 50 jump pivot mvreg arith load store arithld arithsto lower quartile Usually find one or more of each gadget type. Also tested against gadget elimination, e.g. ORP [Pappas et al., IEEE S&P 2012], which had little benefit. Some gadgets vanished, while new gadgets appeared. again, similar results for all applications 28 28

121 Seconds to Exploit Experimental Results Map Memory 22.5 End-to-end live exploitation experiments with different environments and vulnerabilities. Find API Calls CVE string size overwrite string size overwrite format string disclosure Find Gadgets V Run Time Varies, but viable for real-world exploitation

122 Live Demo CVE on 8 10 Credits Vulnerability Discovery: Metasploit Module for Win7/IE8: Nicolas Joly Juan Vazquez 30

123 Conclusion 31 31

124 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure 31 31

125 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical 31 31

126 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations control-flow integrity [Abadi et al., CCS 2005] 31 31

127 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations Need for Practical Solutions control-flow integrity [Abadi et al., CCS 2005] work towards efficient fine-grained CFI/DFI 31 31

Selected background on ARM registers, stack layout, and calling convention

Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),