Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Transcription

1

2 2

3 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption ARM features XN (execute Never) Bit This Bit allows operating systems to enforce the W xor X (Writable xor Executable) security model Follows RISC design Mostly single cycle execution Fixed instruction length Dedicated load and store instructions 3

4 Some features of ARM Conditional Execution Reducing branch overhead by allowing instructions only to be executed under certain conditions Two Instruction Sets ARM (32 Bit) The traditional instruction set THUMB (16 Bit) Suitable for devices that provide limited memory space The processor can switch the instruction set on the fly Both instruction sets may occur in a single program 3 Register Instruction Set instruction destination, source, source ADD r0,r1,r2 r0 = r1 + r2 4

5 ARM s 32 Bit processor features 16 registers All registers r0 to r15 are directly accessible Hence, in contrast to Intel x86, it is possible to directly change the program counter r15 Caller Save registers are registers that the callee (e.g., a subroutine) can freely change, i.e., the caller has to back up these registers himself Callee save registers are registers that the callee needs to reset to their original content before returning to the caller Function arguments and results from function (caller save) Register variables (callee save) r0 r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 Intra Procedure Call Register Holds Top Address of Stack Pointer the Stack Link Register Program Counter Holds Return Address Status Register: e.g., Carry Flag Sometimes used for long jumps, i.e., branches that require the full ARM 32 Bit address space Control Program Status Register r12/ip r13/sp r14/lr r15/pc Next address of instruction to be executed cpsr 5

6 Specified in AAPCS ARM Architecture Procedure Call Standard No dedicated call and return instructions Instead any jump instruction can be used as call and return Example for Function Call Instructions BL addr Branch with Link Branches to addr, and stores the return address in the link register r14 The return address is simply the address that follows the BL instruction BLX addr/reg Branch with Link and Exchange (allows indirect calls) Branches to addr or to an address that is specified in a processor register reg As BL, the BLX instruction stores the return address in r14 This instruction allows the exchange between ARM and THUMB A change from ARM to THUMB is performed when the last bit of the target address is set (address is odd) A change from THUMB to ARM is performed when the last bit of the target address is not set (address is even) 6

7 Example for Function Return Instructions BX lr Branch to Link Register r14 Branches to the return address stored in the link register POP {pc} Pops top of the the stack into the program counter r15 In case the return address has been saved on the stack, this instruction would allow the return address to be loaded in the program counter 7

8 To understand how a runtime attack works, we take a deeper look at the stack frame and its elements High Addresses Stack grows downwards Stack Frame Low Addresses Stack Function Arguments Return Address Saved Frame Pointer Callee Save Registers* Local Variables Frame Pointer (r7 or r11) Stack Pointer (sp) *Note that a subroutine does not always store all callee save registers (r4 r11); instead it stores those registers that it really uses/changes 8

9 Stack is a last in, first out (LIFO) memory area where the stack pointer (sp) points to the top word on the stack Usually, the stack grows downwards (from high to low memory addresses) The stack can be accessed by two basic operations 1. Push elements onto the stack (SP is decremented) 2. Pop elements off the stack (SP is incremented) Stack is divided into individual stack frames Each function call sets up a new stack frame on top of the stack 1. Function arguments 2. Callee save Registers Registers that a subroutine (callee) needs to reset before returning to the caller of the subroutine 3. Saved Frame Pointer (on x86, referred to as Saved Base Pointer) Frame pointer of the calling function Variables/arguments are accessed via an offset to the frame pointer Provided in register r11 (ARM code) or r7 (THUMB code) 4. Return address Upon function return, control transfers to the code pointed to by the return address (i.e., control transfers back to the caller of the function) Provided in link register lr 5. Local variables 9

10 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Stack sp <main>: Code BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} 10

11 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee save register r4, the frame pointer r7, and the return address lr on the stack <main>: Stack Return Address lr SFP (r7) r4 Code BL Function_A sp <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} 11

12 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack <main>: Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code BL Function_A sp <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} 12

13 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, <main>: Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp 13

14 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables <main>: Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp 14

15 Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables Function Epilogue 2: POP {r4,r7,pc} The POP instruction pops the callee save register r4, the saved frame pointer r7, and the return address off the stack which is loaded it into the program counter pc Hence, the execution will continue in the main function <main>: Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp 15

16 16

17 Runtime attacks are major threats to today's applications Control flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks Software is written in unsafe languages such as C/C++ Thus, it suffers from various memory related vulnerabilities Most prominent example: Buffer overflow Are known for 2 decades Various techniques exist (e.g., Stack Smashing, Heap Overflow, Integer Overflow, Format String) 17

18 18 18

19 Basic Block BBL 1 entry ins, ins, ins, exit BBL 3 entry ins, ins, ins, exit BBL 2 entry ins, ins, ins, exit BBL 4 entry ins, ins, ins, exit BBL 5 entry ins, ins, ins, exit Entry: Any instruction that is target of a branch (e.g., first instruction of a function) Exit: Any branch (e.g., indirect or direct jump/call, return) 19

20 Basic Block BBL 1 entry ins, ins, ins, exit BBL 3 entry ins, ins, ins, exit BBL 2 entry ins, ins, ins, exit 1 Code Injection Attacks Malicious Code Shellcode 2 Code Reuse Attacks Library Code BBL 4 BBL 5 Instruction Sequences Library Functions entry ins, ins, ins, exit entry ins, ins, ins, exit Entry: Any instruction that is target of a branch (e.g., first instruction of a function) Exit: Any branch (e.g., indirect or direct jump/call, return) 20

21 21 21

22 Target of Buffer Overflow Attacks Subvert the usual execution flow of a program by redirecting it to a injected (malicious) code The attack consists of 1. injecting new (malicious) code into some writable memory area, 2. and changing a code pointer (usually the return address) in such a way that it points to the injected malicious code Code Injection Code can be injected by overflowing a local buffer allocated on the stack The target of the injected code is usually to launch a shell to the adversary Therefore the injected code is often referred to as shellcode 22

23 Simple Echo program suffering from a stack overflow vulnerability The gets() function does not provide bounds checking 23

24 24 24

25 Stack Adversary <main>: Code BL echo() BL printf(), <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 25

26 Stack Adversary <main>: Code BL echo() BL printf(), <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 26

27 Adversary Stack Return Address SFP & Other Regs. Local Buffer Buffer[80] sp <main>: Code BL echo() BL printf(), <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 27

28 Stack Adversary Corrupt Control Structures <main>: Return Address SFP & Other Regs. Local Buffer Buffer[80] Code BL echo() BL printf(), sp <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 28

29 Stack Adversary Corrupt Control Structures NEW RETURN ADDR PATTERN <main>: SHELLCODE Code BL echo() BL printf(), sp <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 29

30 Stack Adversary Corrupt Control Structures echo() now returns! NEW RETURN ADDR PATTERN <main>: Code BL echo() BL printf(), <echo>: SHELLCODE Function Prologue BL gets(buffer), Function Epilogue sp Program Memory 30

31 Adversary Stack NEW RETURN ADDR PATTERN SHELLCODE sp Corrupt Control Structures echo() now returns! <main>: Code BL echo() BL printf(), <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 31

32 Adversary Stack NEW RETURN ADDR PATTERN SHELLCODE sp Shellcode executes <main>: Code BL echo() BL printf(), <echo>: Function Prologue BL gets(buffer), Function Epilogue Program Memory 32

33 Why the attack is possible? The gets() function provides no bounds checking C/C++ includes various functions providing no boundschecking, e.g., strcpy(): Copies a string into a buffer strcat(): Concatenates two strings scanf(): Read data from stdin (Standard Input) General defense against code injection attacks is W ^ X (Writable Xor Executable) With W ^ X memory pages can be either marked writable or executable Stack is marked writable Hence, the adversary can only inject his malicious code, but cannot execute it 33

34 34 34

35 35 35

36 Basic idea Instead of injecting code, use existing code Subvert the usual execution flow by redirecting it to functions in linked system libraries The process's image consists of 1. writable memory areas like stack and heap, 2. and executable memory areas such as the code segment and the linked system libraries The target for useful code can be found in the C library libc The C library libc Libc is linked to nearly every Unix program This library defines system calls and other basic facilities such as open(), malloc(), printf(), system(), execve(), etc. E.g., system ( /bin/sh ) 36

37 Libc provides the following useful functions to the adversary The system() function Executes a new program within a running program Example: system ("/bin/sh") This function executes the /bin/sh file (i.e., a new shell is launched) The execve() function Execute a new program and replace the (old) running program Example: execve (argv[0], argv, NULL); argv is a string array, where argv[0] = "/bin/sh" This function launches a new shell and replaces the running program 37

38 38 38

39 Stack Adversary Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Inject environment variable Environment Variables $SHELL = "/bin/sh" Program Memory 39

40 Stack Adversary Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 40

41 Stack Adversary Return Address SFP & Other Regs. Local Buffer Buffer[80] sp Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 41

42 Stack Adversary Return Address SFP & Other Regs. Local Buffer Buffer[80] sp Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 42

43 Adversary Corrupt Control Structures Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Program Code Library Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 43

44 Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp echo() now returns! Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 44

45 Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Load argument in R0, i.e., address to /bin/sh string is loaded into R0 Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 45

46 Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Execution is now redirected to system Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 46

47 Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ Saved PATTERN Base Pointer 2 Local Buffer PATTERN 1 Buffer[80] sp system ( /bin/sh ) executed The stackisalso changedby system, but thisisnot shown here Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ>: POP {R0} POP {PC} Environment Variables $SHELL = "/bin/sh" Program Memory 47

48 Return into libc attacks bypass security mechanisms such as the W ^ X model, but suffer from the following restrictions The adversary relies on functions available in libc. Hence, the designers of libc could eliminate critical functions such as system(). The adversary can only invoke one function after the other. Hence, no branching is possible 48

49 Inject malicious code Call any library functions Modify the original code 49 49

50 Re t u r n o r ien ted Pro g ra mm ing 50 50

51 Return oriented Programming Are there any attacks using this techique? 51 51

52 2007 Intel x SPARC Atmel AVR 2009 Z80 PowerPc ARM 2010 Internet Explorer Apple Jailbreak Adobe Reader Quicktime Player 52 52

53 Video:

54 Request /iphone3,1_4.0.pdf 1) Exploit PDF Viewer Vulnerability by means of Return Oriented Programming 2) Start Jailbreak 3) Download required system files 4) Jailbreak Done 54 54

55 User visits adversary web page Malicious webpage with embedded ROP payload SMS Database leaked to adversary 55 55

56 Attack Technique How does Return oriented Programming work? 56 56

57 Perform arbitrary computation with return into libc techniques Approach Use small instruction sequences (e.g., of libc) instead of using whole functions Instruction sequences range from 2 to 5 instructions All sequences end with a return instruction Instruction sequences are chained together to a gadget A gadget performs a particular task (e.g., load, store, xor, or branch) Afterwards, the adversary enforces his desired actions by combining the gadgets 57

58 Adversary 1 Corrupt Control Structures Data Stack Return Address 3 Return Address Return Address 1 Libraries Instruction sequence Return Instruction sequence Return Instruction sequence Return sp Code Program Memory 58 58

59 Instruction sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable Length Instructions B Start interpretation of Byte Stream two Bytes later E9 C3 E9 C3 F8 FF FF Intended Code mov $0x13,%eax jmp 3aae9 Unintended Code add %al,(%eax) add %ch,%cl ret 59 59

60 Gadget Example Loading a word to memory 60 60

61 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1 Note that return stands for POP {PC} in this example 61

62 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1 Note that return stands for POP {PC} in this example 62

63 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1 Note that return stands for POP {PC} in this example 63

64 Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the register r1 pop {r1} Note that return stands for POP {PC} in this example 64