What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems

Size: px

Start display at page:

Download "What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems"

Scarlett Potter
5 years ago
Views:

1 What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems Aljoscha Lautenbach Magnus Almgren Tomas Olovsson Dept. of Computer Science and Engineering Chalmers University of Technology Gothenburg, Sweden CRITIS 2017 The International Conference on Critical Information Infrastructures Security Lucca, Italy 11 October, 2017 A. Lautenbach (CHALMERS) What the Stack? CRITIS 1 / 20

2 Why automotive security? Connected vehicles Communication systems: Bluetooth, Wireless LAN, IEEE p, Radio Data System (RDS), telecommunication (3G/4G/soon 5G),... Intelligent transport systems (ITS) Self-driving cars A. Lautenbach (CHALMERS) What the Stack? CRITIS 2 / 20

3 Why automotive security? Connected vehicles Communication systems: Bluetooth, Wireless LAN, IEEE p, Radio Data System (RDS), telecommunication (3G/4G/soon 5G),... Intelligent transport systems (ITS) Self-driving cars Security perspective Automotive security mostly focuses on communications A. Lautenbach (CHALMERS) What the Stack? CRITIS 2 / 20

4 The in-vehicle network Picture source: Nowdehi N., Lautenbach A., Olovsson T. In-vehicle CAN message authentication: An evaluation based on industrial criteria. Vehicular Technology Conference Fall A. Lautenbach (CHALMERS) What the Stack? CRITIS 3 / 20

5 The in-vehicle network Picture source: Nowdehi N., Lautenbach A., Olovsson T. In-vehicle CAN message authentication: An evaluation based on industrial criteria. Vehicular Technology Conference Fall A. Lautenbach (CHALMERS) What the Stack? CRITIS 3 / 20

6 Electronic control unit (ECU) security What is the problem? Exploitation of memory corruption bugs! A. Lautenbach (CHALMERS) What the Stack? CRITIS 4 / 20

7 Electronic control unit (ECU) security What is the problem? Exploitation of memory corruption bugs! Checkoway et al. (2011) We also encourage the use of simple anti-exploitation mitigations such as stack cookies and ASLR that can be easily implemented even for simple processors [...] A. Lautenbach (CHALMERS) What the Stack? CRITIS 4 / 20

8 Typical ECU hardware Typical ranges for resource constrained microcontrollers Hardware Specification Most Common RAM 4 KB KB 40 KB Flash Memory 256 KB - 6 MB 1 MB Processor Speed MHz 80 MHz A. Lautenbach (CHALMERS) What the Stack? CRITIS 5 / 20

9 ECU memory (1) Types of memory Flash memory: boot loader, OS, tasks RAM Data flash Memory mapped Input/Output A. Lautenbach (CHALMERS) What the Stack? CRITIS 6 / 20

10 ECU memory (2) Memory properties No memory management unit (MMU), i.e., no virtual memory Statically assigned memory Memory protection unit (use optional) A. Lautenbach (CHALMERS) What the Stack? CRITIS 7 / 20

11 Linear address space A. Lautenbach (CHALMERS) What the Stack? CRITIS 8 / 20

12 Static task memory mapping into RAM A. Lautenbach (CHALMERS) What the Stack? CRITIS 9 / 20

13 Memory exploitation and protection Attacks and defenses 1. Buffer overflows and stack canaries (aka stack cookies or stack-guards) 2. Buffer overflows and non-executable RAM 3. Return oriented programming (ROP) and compile-time randomization A. Lautenbach (CHALMERS) What the Stack? CRITIS 10 / 20

14 Exploiting buffer overflows A. Lautenbach (CHALMERS) What the Stack? CRITIS 11 / 20

15 Buffer overflows and stack canaries A. Lautenbach (CHALMERS) What the Stack? CRITIS 12 / 20

16 Stack canaries - pros and cons Pros Protects against simple buffer overflow attacks Simple to implement Proven technique (desktops and servers) Cons Performance degradation A. Lautenbach (CHALMERS) What the Stack? CRITIS 13 / 20

17 Buffer overflows and non-executable RAM A. Lautenbach (CHALMERS) What the Stack? CRITIS 14 / 20

18 Non-executable RAM - pros and cons Pros Protects against all standard buffer overflow attacks Already supported by MPUs Cons Sometimes RAM must be executable, e.g., during firmware upgrades. A. Lautenbach (CHALMERS) What the Stack? CRITIS 15 / 20

19 Return oriented programming (ROP) A. Lautenbach (CHALMERS) What the Stack? CRITIS 16 / 20

20 Compile-time layout randomization Standard layout Randomized layout A. Lautenbach (CHALMERS) What the Stack? CRITIS 17 / 20

21 Compile-time layout randomization - pros and cons Pros Raises the bar for successful ROP attacks Cons Low entropy Requires production changes (costly) Only of interest once non-executable RAM has been implemented A. Lautenbach (CHALMERS) What the Stack? CRITIS 18 / 20

22 Conclusions Stack canaries should be used Non-executable RAM should be used Layout randomization is hard to implement in practice further research is needed A. Lautenbach (CHALMERS) What the Stack? CRITIS 19 / 20

23 Thank you! A. Lautenbach (CHALMERS) What the Stack? CRITIS 20 / 20

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap