Inject malicious code Call any library functions Modify the original code

Size: px

Start display at page:

Download "Inject malicious code Call any library functions Modify the original code"

Kelley McBride
6 years ago
Views:

2 Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2

3 3 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 3

4 Re t u r n o r ien ted Pro g ra mm ing 4 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 4

5 5 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 5

6 2007 Intel x SPARC Atmel AVR 2009 Z80 PowerPc ARM 2010 Internet Explorer Apple Jailbreak Adobe Reader Quicktime Player 6 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 6

7 Video: 7 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 7

8 Request /iphone3,1_4.0.pdf 1) Exploit PDF Viewer Vulnerability by means of Return-Oriented Programming 2) Start Jailbreak 3) Download required system files 4) Jailbreak Done 8 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 8

9 User visits adversary web page Malicious webpage with embedded ROP payload SMS Database leaked to adversary 9 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 9

10 10 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 10

11 Perform arbitrary computation with return-into-libc techniques Approach Use small instruction sequences (e.g., of libc) instead of using whole functions Instruction sequences range from 2 to 5 instructions All sequences end with a return instruction Instruction sequences are chained together to a gadget A gadget performs a particular task (e.g., load, store, xor, or branch) Afterwards, the adversary enforces his desired actions by combining the gadgets 11 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

12 Adversary 1 Corrupt Control Structures Data Stack Return Address 3 Return Address Return Address 1 Libraries Instruction sequence Return Instruction sequence Return Instruction sequence Return SP Code Program Memory 12 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 12

Instruction sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable-Length Instructions B8 13 00 00 00 Start interpretation of

13 Instruction sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable-Length Instructions B Start interpretation of Byte Stream two Bytes later E9 C3 E9 C3 F8 FF FF Intended Code mov $0x13,%eax jmp 3aae9 Unintended Code add %al,(%eax) add %ch,%cl ret 13 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 13

14 14 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 14

15 15 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

16 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 16 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

17 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 17 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

18 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 18 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

19 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 19 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

20 20 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 20

21 Compiler Extensions Programming Languages Countermeasures Randomization and Diversity Binary Instrumentation 21 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

22 Idea Extend standard compilers by integrating additional security techniques Effectiveness The effectiveness depends on the integrated security mechanisms On the next slide we will present a well-known security mechanism (namely stack canaries) that is implemented in today s compilers Various other techniques exist: bounds checking for critical functions, return address stack, variable reordering, etc. Problems Typically, access to the source code is required Recompilation of the program Performance overhead is higher compared to randomization approaches 22 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

23 Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 23 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

24 Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Return Address Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 24 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

25 Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 25 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

26 Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Pop the canary value and check its value Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 26 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

27 Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Effectiveness As long as the canary remains secret, the adversary will not be able to overwrite control-flow information Problems Brute-force or disclosure attacks possible In practice it is hard to protect all controlflow information with random canaries Pop the canary value and check its value Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP SP SP 27 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

28 Idea Use programming languages that provide type-safety and thereby eliminate buffer overflow vulnerabilities by design Example The Java Programming language provides type-safety by applying a dedicated Bytecode verifier Problems Legacy compliance problem: All programs have to be ported to the new language Today s operating systems are mainly written in native languages due to performance reasons Type-safe languages usually built on native code parts, e.g., the Java virtual machine 28 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea ASLR randomizes the base address of code segments (stack, heap, dynamic libraries) for each execution Implementation ASLR is enabled in modern OSes: Windows 7, Linux Distributions, Mac OS X,

more difficult, because stack/heap are randomized. Hence, the start address of the injected code is difficult to predict.

29 Idea ASLR randomizes the base address of code segments (stack, heap, dynamic libraries) for each execution Implementation ASLR is enabled in modern OSes: Windows 7, Linux Distributions, Mac OS X, Android, ios Effectiveness Prevents return-into-libc and ROP because the adversary does not know the runtime memory addresses of instruction sequences and functions ASLR makes code injection attacks more difficult, because stack/heap are randomized. Hence, the start address of the injected code is difficult to predict. Problems Entropy of the randomization is often too low (brute-force attacks possible) Disclosure attacks possible In practice, not all code segments are randomized. Hence, an adversary can leverage the non-randomized code parts to (1) perform the attack or (2) calculate the base addresses of randomized shared libraries 29 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Derive n application instances (executables) from one source code, while all instances share the same semantics Effectiveness An exploit sample will only affect one application instance Hence,

30 Idea Derive n application instances (executables) from one source code, while all instances share the same semantics Effectiveness An exploit sample will only affect one application instance Hence, an adversary has to write n exploits if he aims to compromise the application on n platforms Problems Diversity has to be applied to all shared libraries as well, otherwise the adversary can leverage codereuse attacks like ROP Until today, there is no secure and practical diversification scheme that could be really deployed as a countermeasure against control-flow attacks Source Code of Application A Diversification Engine Compiler Executable A 1 Executable A 2 Executable A n 30 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

31 Idea In general, binary instrumentation is a technique that binds additional code (instrumentation code) to a program for security or profiling purposes Probe-based instrumentation: Add instrumentation code by rewriting the binary at program start. Just-In-Time (JIT) based instrumentation: Instrumentation code is dynamically added. More specifically, the program to be instrumented is executed in a virtual machine (VM) like environment. The VM continuously intercepts program code and rewrites it on-the-fly. Effectiveness As for compiler-based approaches, the effectiveness depends on the integrated security mechanisms On the next slide we will present how jit-based instrumentation could be used to perform enhanced return address checks Further, we present control-flow integrity (CFI) Problems Although binary instrumentation-based solutions require no access to source code, they typically induce higher performance penalties 31 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

4 Return 3 Return 2 Return 1 2a 2b Program Stack Copy of Return 4 Copy of Return 3 Copy of

32 Intercept Instruction 1 2 Is Call? Is Return? 3 Wait for next Instruction 1a Push TOS onto Shadow Stack Compare TOS of both Stacks 1b Return 4 Return 3 Return 2 Return 1 2a 2b Program Stack Copy of Return 4 Copy of Return 3 Copy of Return 2 Copy of Return 1 Shadow Stack 32 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 32

33 33 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

34 34 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

BBL 2 BBL 1 label_1 entry ins, ins, ins, exit

Malicious Code Shellcode label_2 entry ins,

Sequences Library Functions BBL 4 label_4

*BBL3[exit] == label_5 BBL 5 label_5 entry

Generate the Control-Flow Graph before the

35 BBL 2 BBL 1 label_1 entry ins, ins, ins, exit BBL 3 label_3 entry ins, ins, ins, exit Malicious Code Shellcode label_2 entry ins, ins, ins, exit 1 2 Library Code Instruction Sequences Library Functions BBL 4 label_4 entry ins, ins, ins, exit CFI Check: *BBL3[exit] == label_5 BBL 5 label_5 entry ins, ins, ins, exit 1. Rewrite all exit instructions with a control-flow check 2. Generate the Control-Flow Graph before the program starts executing 35 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption