What Cannot be Read, Cannot be Leveraged?

Size: px

Start display at page:

Download "What Cannot be Read, Cannot be Leveraged?"

Maude O’Connor’
5 years ago
Views:

1 What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany

2 Overview Code Reuse Attacks/Defenses JavaScript JavaScript JIT Compilation Existing JIT Attacks/Defenses New JIT Gadget Creation New JIT Defense Native Code 2

3 Revisiting Code Reuse 3

4 Code Reuse Find useful code fragments Chain gadgets and functions together Trigger execution of the gadget chain saved RBP array[].text 4881C C7C0 595AC EC5DC3 pop rcx pop rdx ret libraries int execv(..) 4

5 Code Reuse Defenses Fine-grained ASLR Find useful code fragments Chain gadgets and functions together Trigger execution of the gadget chain Defenses: Randomize memory segments saved RBP array[] ASLR libraries int?????????????? execv(..).text 4881C791121?????????? C7C0????????????? 595AC3 c60001?????? EC5DC3?????? pop rcx pop movb rdx [rax],1 ret Fine-grained code randomization 5

6 JIT-ROP [S&P 13] Leak and collect code pointers JS Memory Map G1 GN Stack Read code pages to find gadgets and function pointers GN: execv(..) Libraries Chain gadgets and functions together & Heap Trigger execution of the gadget chain G1: pop rdi; ret Executable 6

7 Execute-no-Read (XnR) Schemes Memory Map Mark code pages non-readable [CCS 14, S&P 15, CCS 15, CODASPY 15, NDSS 16] JS G1 GN Stack Randomize code GN: execv(..) Libraries Hide code pointers & Heap G1: pop rdi; ret Executable 7

8 JIT code reuse without reading code?! 8

9 JIT Spraying [WOOT 10] Create JS functions containing operations on immediate values Trigger JIT-compilation of created functions JavaScript function f(){ x=0x3c909090& 0x3C909090& 0x3C909090; } JIT Compile unaligned x86 mov eax,0x3c and eax,0x3c and eax,0x3c and eax,0x3c Divert the CF in the middle of one of the constants nop, nop, nop cmp al, 0x25 nop, nop, nop cmp al, 0x25 Unaligned Jump 9

10 Defenses in Browsers Constant Blinding (IE + Chrome) Store constant XORed with a random key to a register XOR the register again with the key mov eax,0x3c mov eax,0x f xor eax,0x1981f6af 0x3C NOP Insertion (IE) Randomly add random number of NOP instructions mov eax,0x3c and eax,0x3c mov eax,0x3c lea esp,[esp] and eax,0x3c Only large constants (>2B) are blinded 10

11 2B Gadgets The Devil is in the Constants [NDSS 15] JavaScript x86 Encode OPs in 2B unblinded constants function r8(a){ return a+0x5841; } JIT Compile add eax, 0x5841 <epilogue> ret Use intended return instruction from JIT-compiled code x86 Find and use emitted gadgets Limitations: pop r8 <epilogue> ret Requires readable code to find gadgets Aligned return instruction 11

12 Gadgets via Control Flow Instructions 12

13 Emitting Gadgets via Control Flow Instructions Displacement: Encodes the offset from a base address, e.g., from rax or rip Used in: Instructions accessing the memory: mov rax, [rbx+0x ] ; read memory at rbx+0x Control flow instructions (implicit base address is rip) : jz 0x ; jump at address rip+0x if zero flag is set call 0x ; call the function at address rip+0x DITC, JIT-Spraying Prefixes Opcode ModR/M SIB Displacement Immediate 1B 1-3B 1B 1B 1,2,4,8 B 1,2,4,8 B Constant Blinding We will use JavaScript statements that are compiled to conditional jumps and direct calls to emit gadgets 13

14 Conditional Jumps in JS JavaScript if statement: Emits conditional jumps after compilation Displacement field denotes the size of the compiled if body Change the size of if body changes the value in the displacement field JavaScript function f(c){ if(c) { //Statements //Compiled //Size=Gadget } return; } JIT Compile x86 test eax, eax jz 0x ; Compiled ; If Body ; Size=gadget <epilogue> ret Size=Gadget Alternatives to if statement: while/for/switch/break The size of the compiled if statement's body determines emitted Gadget 14

15 Direct Calls in JS Direct calls in JS: Displacement: the distance between the caller and the callee Create a large JS function: Use i=i+j (16B) 0x100`000 times Emitted values [0x000005, 0xFFFFF5] Prepend the function with i=1 (8B) to change 5 into 13 (0xD) JS function f(){ var i, j; i=i+j; i=1; // 8B i=i+j; /* i=i+j 0x100`000 /* i=i+j Times 0x100`000 */ Times */ i=i+j; return; i=i+j; } return; } JIT Compile x86 call ;8B 0x from i=1 call 0x D call 0x54C3fff5 call 0x54C3FFFD call 0x54C380C5 call 0x54C380CD call 0x54C30005 call 0x54C3000D call 0x call 0x D 0x1`000`000 Find callee/caller address: Compiler s heap Return address from stack JS objects (e.g., from Math.random) Goal: Created Calls: call 0x54C380CD call 0x54XXXXX5 0x54XXXXXD 15

16 Applying Concepts to Modern Browsers 16

17 Gadgets in Chrome 51 (64-bit) Direct calls (syscall, pop rcx, pop rdx): Align LSHB of displacements to 0xd Emit direct calls (j++ 0x80`000 times) pop r8; ret pop r9; ret pop rcx; ret pop rdx; ret int 0x80; ret Conditional jumps (pop r8, pop r9): Stack two if statements (for pop r8 and pop r9) Fill the inner (pop r8) with 0xc35841 bytes Add additional 0xed bytes to the outer if body +0x13 bytes from if statement=0x100 Goal: Gadget generation time 1.3 seconds 4158c3 4159c3 59c3 5ac3 cd80c3 JS function syscall(){ var j=0; // align displacements // LSHB to 0xd j++;j++;j++;j++; // j++ 0x80`000 times } function popr8r9(r8,r9){ var i=0, j=0; if(r9){ // j=0x times // => 0xbd j++;j=i;j=i; // => 0xed if(r8){ // => 0x100 // j=0x times // => 0x1641 // j++ 399`888 times // => 0xC35841 } // => 0xC35941 } } 17

18 Limitations in Internet Explorer Challenges in IE: 1. Limited JIT-compiled function size Maximum function size 1MB No 3B displacements in conditional jumps No huge functions with direct calls 2. NOP insertion Non-predictable offsets inside the function Steps to make direct calls work: 1. Get code page at the correct distance from the callee 2. Fill the page with gadget emitting functions 3. Emit the direct call at the correct address, or recompile 18

19 Allocating Code Page at a Correct Distance IE code-page size is 0x20`000 bytes Memory Map Fn3 Fn4 Compile 200 JavaScript functions of size 0x10`000 bytes each to allocate 100 code pages 0x9BC3BC00 Fn199 Fn200 0x1234BC00 Choose the code page at the correct distance 0x5678BC00 Math.random Fn7 Fn8 0x0ABCBC00 Fn1 Fn2 19

20 Gadgets in IE Emitting Gadgets (1) Deallocate the function (2) Fill the code page up to the correct distance from the callee 0x9BC3BC00 Fn3 Fn4 Math.random (1) Math.random (2) f1 f2 f3 Math.random 0x9BC38C00 (3) Compile gadget-emitting JS function (4) Check if the direct call was emitted at the correct place (5) If yes, then gadget is found, else deallocate the function and goto (3) f1 f2 f3 Math.random (5:N) Check Math.random address Found (5:Y) (4) (3) f1 f2 f3 call 0x9BC380CX Math.random 0x9BC380CX 20

21 Gadgets in IE 11 (32-bit) popa; ret Goal: int 0x80; ret Direct calls (syscall, popa): Use i=math.random() 250 times ( 0x1`000 bytes ) Check the address of emitted direct call 61c3 cd80c3 JS function syscall(){ var j=0; i=math.random(); //i=math.random(); 240x check(math.random()); //i=math.random(); 10x } Emitting gadgets: (1) Find and fill up the correct code page ( 4 seconds) (2) Compile syscall and popa at correct places ( 4 seconds) (3) Recompile syscall until the gadget is emitted ( 2 seconds) function popa(){ var j=0; i=math.random(); //i=math.random(); 232x check(math.random()); //i=math.random(); 18x } Average gadget generation time 32 seconds 21

22 Gadgets in Browsers Conditional jumps + Work in Chrome and Firefox - Only upto 2B gadgets possible in IE Conditional Jumps Direct Calls Direct calls + Work in Chrome and IE - Do not work in Firefox 22

23 Removing the Gadgets 23

24 Defense Direct Calls For each direct call: 0x00: call ADDRESS (1) 0x00: mov r10,absolute_address 0x0a: call r10 (1) If the address of the callee is known, replace the call with the indirect call (2) If the address is not known: (a) (b) convert the direct call into the indirect one blind the emitted relative address (2.a) 0x00: lea r10,[rip+address] 0x07: call r10 (2.b) 0x00: lea r10,[rip+(address& KEY)] 0x07: lea r10,[r10+(address&~key)] 0x0e: call r10 24

25 Defense Conditional Jumps For each conditional jump: (1) Convert a direct (relative) jump into an indirect one 0x00: jz ADDRESS 0x06: <if_body> XXXX: <else> (1) 0x00: NOP ; 2-byte NOP 0x02: lea r10,[rip+(address& KEY)] 0x09: lea r10,[r10+(address&~key)] 0x10: jmp r10 0x13: <if_body> YYYY: <else> (2) Add the inverted conditional jump to jump into <if_body> (2) 0x00: jnz 0x11 0x02: lea r10,[rip+(address& KEY)] 0x09: lea r10,[r10+(address&~key)] 0x10: jmp r10 0x13: <if_body> YYYY: <else> 25

26 Defense Overhead Cost of the defense in V8: V8 s JS Benchmark Suite: 2% performance overhead on average Microbenchmarks: 14% and 10% overhead on average V8 s JS Benchmark Suite (Code-size): 26% overhead (1,123 kb 1,411 kb) Original Modified Overhead Richards 36,263 35, % DeltaBlue 63,641 62, % Crypto 33,366 32, % RayTrace 77,198 75, % EarleyBoyer 44,900 43, % RegExp 6,525 6, % Splay 21,095 20, % NavierStokes 31,924 31, % Total 32,255 31, % 26

27 Summary Displacement fields of x86 instructions can be used to inject arbitrary 3 byte values in JIT-compiled code Predictable code output from JIT compilers allows adversaries to generate and reuse gadgets without reading the code Gadgets in displacements fields can be removed by converting direct jumps/calls into indirect ones Thank you! 27

Dachshund. Digging for and Securing Against (Non-)Blinded Constants in JIT Code

Dachshund. Digging for and Securing Against (Non-)Blinded Constants in JIT Code Dachshund Digging for and Securing Against (Non-)Blinded Constants in JIT Code Giorgi Maisuradze, Michael Backes, Chris;an Rossow CISPA, Saarland University, Germany NDSS Symposium 2017 Overview Code reuse