Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Size: px

Start display at page:

Download "Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include"

Silas Nickolas Burke
6 years ago
Views:

2 2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks Software is written in unsafe languages such as C/C++ Thus, it suffers from various memory-related vulnerabilities Most prominent example: Buffer overflow Are knownfor2 decades Varioustechniquesexist(e.g., StackSmashing, Heap Overflow, Integer Overflow, Format String)

3 3

4 4 Target of Buffer Overflow Attacks Subvert the usual execution flow of a program by redirecting it to a injected (malicious) code The attack consists of 1. injectingnew (malicious) code into some writable memory area, 2. and changing a code pointer (usually the return address) in such a way that it points to the injected malicious code Code Injection Code can be injected by overflowing a local buffer allocated on the stack The target of the injected code is usually to launch a shell to the adversary Therefore the injected code is often referred to as shellcode

5 5 To understand how a buffer overflow attack works, we take a deeper look at the stack frame and its elements

6 6 Stack is a last in, first out (LIFO) memory area where the Stack Pointer (SP)points to the top word on the stack Usually, the stack grows downwards The stack can be accessed by two basic operations 1. Push elements onto the stack (SP is decremented) 2. Pop elements off the stack (SP is incremented) Stack is divided into individual stack frames Each function call sets up a new stack frame on top of the stack 1. Function arguments 2. Return address Upon function return (i.e., a return instruction is issued), control transfers to the code pointed to by the return address (i.e., control transfers back to the caller of the function) 3. Saved Base Pointer Base pointer of the calling function Variables/arguments are accessed via an offset to the base pointer 4. Local variables

7 7 The purposeofthefunctionprologueistobackup selected registers, and to reserve space for local variables On Intel x86 (Notation: destination register is the first operand) Note: Whenthefunctionisenteredthestackpointerpointstothe return address of the function Store Save Base Pointer on thestack: push %ebp Initialize Base Pointer of the called function with the current value of the Stack Pointer: mov%ebp,%esp Reserve space for local variables (here 12 Bytes): sub%esp,12 On ARM (usuallya dedicatedbase Pointer isnot used) Note: The returnaddressisin thelink registerlrwhenthefunctionis entered Save calleesavedregistersandreturnaddresson thestack: push {r4-r7,lr} Reserve space for local variables (here 12 Bytes): sub sp,sp,#12

8 8 The purposeofthefunctionepilogueistosetthe Stack Pointer back to its original state, to restore selected registers, and to issue the return On Intel x86 ResettheStackPointer (byloadingitwith%ebp): mov%esp, %ebp Restore the caller s Base Pointer: pop%ebp Pop thereturnaddressfromthestackandreturnback tothe caller: ret On ARM Restore the Stack Pointer (here 12 Bytes): add sp,sp,12 Restore callee-saved registers and load the return address in the program counter pc: pop{r4-r7,pc}

9 Simple Echo program suffering from a stack overflow vulnerability The gets() function does not provide bounds checking 9

10 10 10

11 11

12 12

13 13

14 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21 Why the attack is possible? The gets() function provides no bounds-checking C/C++ includes various functions providing no boundschecking, e.g., strcpy(): Copies a string into a buffer strcat(): Concatenates two strings scanf(): Read data from stdin(standard Input) General defense against code injection attacks is W ^ X (Writable Xor Executable) With W ^ X memory pages can be either marked writable or executable Stack is marked writable Hence, the adversary can only inject his malicious code, but cannot execute it

22 22 22

23 23 Basic idea Instead of injecting code use existing code Subvert the usual execution flow by redirecting it to functions in linked system libraries The process's image consists of 1. writable memory areas like stack and heap, 2. and executablememory areas such as the code segment and the linked system libraries The target for useful code can be found in the C library libc The C library libc Libcis linked to nearly every Unix program This library defines system calls and other basic facilities such as open(), malloc(), printf(), system(), execve(), etc. E.g., system ( /bin/sh )

24 Return-into-libcattacks bypass security mechanisms such as the W ^ X model, but suffer from the following restrictions The adversary relies on functions available in libc. Hence, the designers of libccould eliminate critical functions such as system(). The adversary can only invoke one function after the other. Hence, no branching is possible 24

25 Inject malicious code Call any library functions Modify the original code 25 19/11/2010 Lucas Davi 25

26 26 26

27 Re t u r n o r ien ted Pro g ra mm ing 27 27

28 28 28

2007 Intel x86 2008 SPARC Atmel AVR 2009 Z80 PowerPc ARM 2010

29 2007 Intel x SPARC Atmel AVR 2009 Z80 PowerPc ARM 2010 Internet Explorer Apple Jailbreak Adobe Reader Quicktime Player 29 29

30 Video:

31 31 31

32 32 Perform arbitrary computation with return-into-libc techniques Approach Use small instruction sequences (e.g., of libc) instead of using whole functions Instruction sequences range from 2 to 5 instructions All sequences end with a return instruction Instruction sequences are chained together to a gadget A gadget performs a particular task (e.g., load, store, xor, or branch) Afterwards, the adversary enforces his desired actions by combining the gadgets

Libraries Instruction sequence Return Instruction

33 Adversary 1 Corrupt Control Structures Data Stack Return Address 3 Return Address 2 Return Address Libraries Instruction sequence Return Instruction sequence Return Instruction sequence Return Code Program Memory 33 33

Instruction Sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable-Length Instructions B8 13 00 00 00

34 Instruction Sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable-Length Instructions B E9 C3 F8 FF FF Start interpretation of Byte Stream two Bytes later E9 C3 Intended Code mov $0x13,%eax jmp 3aae9 Unintended Code add %al,(%eax) add %ch,%cl ret 34 34

35 35 35

36 36 Goal:Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1

37 37 Goal:Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1

38 38 Goal:Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1

39 39 Goal:Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1

40 40 40

Return 4 Return 3 Return 2 Return 1 2b Program Stack Copy of Return

41 Intercept Instruction 1 2 Is Call? Is Return? 1a 2a Push TOS onto Shadow Stack Compare TOS of both Stacks 1b Return 4 Return 3 Return 2 Return 1 2b Program Stack Copy of Return 4 Copy of Return 3 Copy of Return 2 Copy of Return 1 Shadow Stack 3 Wait for next Instruction 41 41

42 42

43 43

44 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, netbooks

44 44 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, netbooks Advantage: Low power consumption ARM featuresxn (executenever) Bit Follows RISC design Mostly single-cycle execution Fixed instruction length Dedicated load and store instructions

45 SomefeaturesofARM Conditional Execution Reducing branch overhead by allowing instructions only to be executed under certain conditions ARM provides two instruction sets ARM (32 Bit) THUMB (16 Bit) 3-Register-Instruction Set instruction destination, source, source ADD r0,r1,r2 r0 = r1 + r2 45

46 ARM s 32 Bit processor features 16 registers In contrast to Intel x86, each register is directly accessible E.g., it is possible to directly change the program counter (r15) Function arguments and results from function r0 r1 r2 r3 Register variables (callee saved) r4 r5 r6 r7 r8 Scratch Register Stack Pointer Link Register Program Counter r12 r13/sp r14/lr r15/pc r9 r10 r11 Control Program Status Register cpsr 46 46

47 AAPCS - ARM Architecture Procedure Call Standard No dedicated call and return instructions Instead any jump instruction can be used as call and return resp. Function Call BL Branch with Link BLX Branch with Link and Exchange (allows indirect calls) BL andblx loadthereturnaddressintothelink register(r14) Function Return Loading return address into program counter 47 47

48 48 Results Countermeasures that protect return addresses can be bypassed Attack technique is valid for Intel x86 and ARM Turing-complete gadget set and practical attack instantiation for both platforms without any return instruction Approach Use return-like sequences Candidates are indirect jumps On Intel: jmp*%eax On ARM: blxr3 Obstacles Target register (%eax, r3) must be initialized before Returns automatically update the stack pointer; indirect jumps not

49 Candidates for an attack on ARM All indirect jump instructions not part of a function epilogue Instructions where pc is used as destination register Indirect branch instructions, e.g., BLX We inspected libc and libwebcore on Android 2.0 Result: Many sequences end with a BLX instruction Branch to register BLX register Store returnaddressin link register Instruction set exchange 49 49

50 Trampoline sequence for ARM Unfortunately no POP-BLX sequence in our libraries Update-Load-Branch sequence Initialize a register(r j ) so thatitpointstoinjectedjump addresses Update thestateofr j after eachsequence Loada secondregister(r s ) withtheaddressofthenextsequence pointedbyr j BranchwithBLX totheaddressstoredin r s Register r s Sequence 1 Jump Address 1 Jump Addresses instruction instruction BLX Trampoline r j - points to jump addresses r s - address of next sequence r j Jump Address 1 Memory under control of adversary Trampoline ADDS r6,#4 LDR r5,[r6,#124] BLX r

51 Trampoline (ULB) 5 Setup Take control over pc Setup r a, and r j Adversary Jump Addresses r j r a Jump Address 3 Jump Address 2 Jump Address 1 Argument 1 Argument 2 Arguments Memory under control of adversary r a - Pointer to arguments (sp) r j - Pointer to jump addresses 3 6 GADGET 2 Sequence 1 instruction instruction BLX Trampoline GADGET 1 Sequence 2 instruction instruction BLX Trampoline Sequence 1 instruction instruction BLX Trampoline

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption