Advanced Systems Security: Program Diversity

Similar documents
Readactor: Practical Code Randomization Resilient to Memory Disclosure

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Control-Flow Integrity

Software Security II: Memory Errors - Attacks & Defenses

Inject malicious code Call any library functions Modify the original code

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

CSE 544 Advanced Systems Security

SoK: Eternal War in Memory

Remix: On-demand Live Randomization

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Q: Exploit Hardening Made Easy

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Ordinary Operating Systems

CS 161 Computer Security

Return-orientated Programming

Advanced Systems Security: Ordinary Operating Systems

CS 161 Computer Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Static Analysis. Systems and Internet Infrastructure Security

Software Security: Buffer Overflow Attacks

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Inline Reference Monitoring Techniques

HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Practical and Efficient Exploit Mitigation for Embedded Devices

CSE 127 Computer Security

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Defenses

Is Exploitation Over? Bypassing Memory Protections in Windows 7

CSE 565 Computer Security Fall 2018

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Bypassing Browser Memory Protections

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher

CMPSC 497: Midterm Review

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Software Security: Buffer Overflow Attacks (continued)

Outline. Memory Exploit

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CSE 127 Computer Security

Lecture 1: Buffer Overflows

Advanced Systems Security: New Threats

Execute-Only Attacks against Execute-Only Defenses 1

Intel Analysis of Speculative Execution Side Channels

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

in memory: an evolution of attacks Mathias Payer Purdue University

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Lecture 10 Code Reuse

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Selected background on ARM registers, stack layout, and calling convention

CS161 Midterm 1 Review

BlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA

Advanced Buffer Overflow

CSE 127 Computer Security

Smashing the Buffer. Miroslav Štampar

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Information Leaks. Kyriakos Kyriakou

Leakage-Resilient Layout Randomization for Mobile Devices

Address-Oblivious Code Reuse: On the Effectiveness of Leakage-Resilient Diversity

CMPSC 497 Attack Surface

Buffer overflow background

Exploiting and Protecting Dynamic Code Generation

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

CSE 544 Advanced Systems Security

Cyber Moving Targets. Yashar Dehkan Asl

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

No-Execute-After-Read: Preventing Code Disclosure in Commodity Software

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

Outline. Format string attack layout. Null pointer dereference

Outline. Heap meta-data. Non-control data overwrite

HDFI: Hardware-Assisted Data-flow Isolation

CMPSC 497 Other Memory Vulnerabilities

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Advanced Buffer Overflow

What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses

Malware

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

QPSI. Qualcomm Technologies Countermeasures Update

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR

The Geometry of Innocent Flesh on the Bone

Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan

Advanced System Security: Vulnerabilities

Transcription:

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Program Diversity Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1

Anatomy of Control Flow Attacks Two steps First, the attacker changes the control flow of the program In buffer overflow, overwrite the return address on the stack Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack Or use existing code in ROP attack CFI prevents exploitation (incomplete) Page 2

Anatomy of Control Flow Attacks Two steps First, the attacker changes the control flow of the program In buffer overflow, overwrite the return address on the stack Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack Or use existing code in ROP attack Another way to prevent both? Page 3

Apply Crypto to Code Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget or flawed code) is sufficiently low and the program still runs correctly and efficiently Called address space randomization Page 4

Goal Move the code and data so that you cannot predict where gadgets will be What is the best way to make unpredictable? What is the easiest way to make unpredictable? Stack Heap Data Text Page 5

Goal Move the code and data so that you cannot predict where gadgets will be What is the best way to make unpredictable? Randomize code and data location for each instruction and variable What is the easiest way to make unpredictable? Stack Heap Data Text Page 6

Goal Move the code and data so that you cannot predict where gadgets will be What is the best way to make unpredictable? Randomize code and data location for each instruction and variable What is the easiest way to make unpredictable? Just move the base address of the segment Called Address Space Layout Randomization Stack Heap Data Text Page 7

ASLR Impact How does it prevent exploitation of attacks? Suppose you find a buffer overflow flaw You insert shellcode onto the stack And jump to the stack address With ASLR on the stack segment Cannot predict the target stack address Can you overflow return address? Stack Heap Data Text Page 8

ASLR Impact How does it prevent finding of attacks? Suppose you find a heap overflow flaw You want to modify a function pointer Stack At known offset oops, still works At unknown offset cannot predict With ASLR on the heap segment Cannot predict absolute addresses Why not? Heap Data Text Page 9

ASLR Impact How does it prevent exploitation of attacks? Suppose you find a buffer overflow flaw You launch an ROP attack And jump to the code address of first gadget With ASLR on the code segment Cannot predict the target code address Why not? Stack Heap Data Text Page 10

Relationship to DEP ASLR is a complementary defense relative to DEP/CFI DEP restricts what may be executed as code CFI restricts control flow paths that may be executed ASLR prevents some memory attacks Absolute writes over memory (e.g., global) Relative writes are still possible Also, ASLR makes gadgets harder to find Page 11

What Makes Good ASLR? Symantec paper investigates ASLR in Windows What are choices regarding ASLR use? Page 12

What Makes Good ASLR? Symantec paper investigates ASLR in Windows What are choices regarding ASLR use? How many offsets? Limits? Impact on libraries? Page 13

What Makes Good ASLR? Symantec paper investigates ASLR in Windows What are choices regarding ASLR use? How many offsets? Limits? Impact on libraries? Distribution? Impact of an uneven distribution? Page 14

What Makes Good ASLR? Symantec paper investigates ASLR in Windows What are choices regarding ASLR use? How many offsets? Limits? Impact on libraries? Distribution? Impact of an uneven distribution? Sequence? What should the next offset be? Page 15

Risks How would you attack ASLR? Page 16

Memory Disclosure Attacks What is the risk to ASLR? Memory Disclosure Consider a buffer overread E.g., Heartbleed Instead of reading a key value What would you read to attack ASLR? Page 17

Direct Disclosure Adversary is able to directly read code pointers from code pages Direct disclosure Code page 1 JMP label CALL Func_A Code page 2 Code page 3 label: asm_ins asm_ins... Func_A: asm_ins asm_ins... Adversary Indirect Data pages Function pointer 2 Page 18

Indirect Disclosure Adversary harvests code pointers stored on the data pages of the application that are necessarily readable Adversary Indirect disclosure Data pages Function pointer 2 Return address Readable-writable Readable-executable Function pointer 1 Stack / Heap Code pages Figure 1: Direct and indirect memory disclosure. Page 19

Fine-Grained Randomization Can we make harvesting more difficult with finegrained randomization of code and data? Yes, but at a significant cost E.g., cache locality is completely lost See, P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. SoK: Automated software diversity. In 35th IEEE Symposium on Security and Privacy, S&P, 2014. Page 20

Other Alternatives Prevent read access to code pages that are not currently executing Prevents only direct disclosures Adversary can bypass this countermeasures using indirect disclosures E.g., virtual tables for C++ Doing disassembly on the fly Page 21

Readactor Solution To prevent attacks based on direct disclosure, Leverage virtualization capabilities in commodity x86 processors to map code pages with execute-only permissions at all times To prevent attacks based on indirect disclosure, Hide the targets of all function pointers and return addresses Use compiler-based solution to obtain more precise control-flow information for indirect targets Page 22

Memory Management Readacted applications use virtualization hardware to map pages differently than legacy applications Can work together, however Readacted App Legacy App Code Pages Data Pages Code Pages Data Pages Operating System Hypervisor Readacted mapping Normal mapping Processor MMU Access Violations Readable-executable Readable-writable Execute-only Page 23

Memory Management See difference between how code and data pages are mapped Why does this prevent direct disclosure? Virtual Memory CODE Page 1 DATA Page 2 read-write Guest Physical Memory Page 1 Page 2 EPT Page Table readexecute executeonly read-write Host Physical Memory Page 1 Page 2 Figure 4: Relation between virtual, guest physical, and host physical memory. Page tables and the EPT contain the access permissions that are enforced during the address translation. Page 24

Trampoline Point function pointers and return addresses (indirect control transfers) to trampoline code Data pages (readable-writeable) Function pointer 1 Return address Stack / Heap Code page (execute-only) Readactor Trampolines Trampoline A Trampoline B Code page (execute-only) Function A: asm_ins asm_ins JUMP Trampoline B Call_Site_B:... Data reference to code Works because the trampoline layout is not correlated with the layout of functions I.e., trampoline addresses do not leak information about non-trampoline code Code reference to code Figure 3: Readacted applications replace code pointers in Page 25

Trampoline for Calls Data page (read-write) Legacy Application Code page (read-execute) Readacted Application Data page (read-write) Diversified Code page (execute-only) vtable: vtable pointer Method_A: asm_ins asm_ins vtable: vtable_trampoline Function_B: asm_ins asm_ins C++ object: Function pointer Function_B: asm_ins asm_ins C++ object: funcptr_trampoline Method_A: asm_ins asm_ins Indirect disclosure possible Data reference to code Code reference to code Adversary Read access prevented by Readactor Trampolines: JUMP Method_A JUMP JUMP Function_B Figure 7: Hiding code pointers stored in the heap and in C++ vtables. Without Readactor, pointers to functions and methods may leak (left). With Readactor, only pointers to jump trampolines may leak and the layouts of functions and jump trampolines are randomized (right). Page 26

Trampoline for Returns Stack page (read-write) Legacy Application Code page (read-execute) Stack page (read-write) Readacted Application Diversified Code page (execute-only) Return_addr_1 CALL Method_A call_site_1: Ret_trampoline_1 JUMP Function_B_tramp call_site_2: Return_addr_2 CALL Function_B call_site_2: Ret_trampoline_2 JUMP Method_A_tramp call_site_1: Indirect disclosure possible Data reference to code Code reference to code Adversary Read access prevented by Readactor Trampolines: CALL Method_A JUMP call_site_1 CALL Function_B JUMP call_site_2 Figure 8: Hiding return addresses stored on the machine stack. Without Readactor, each activation frame on the stack leaks the location of a function (left). With Readactor, calls go through call trampolines so the return addresses pushed on the stack can only leak trampoline locations not return sites (right). Page 27

Readactor Limitations Are there any limitations for the Readactor approach? Page 28

Other Forms of Diversity N-version programming Run multiple versions of same program presumably with different flaws Moving target defense Change the system configuration incrementally (IP addrs) After N time units or when under attack Deception Build false versions of legitimate behaviors (honeypot) Build inconsistent versions of legitimate behaviors Page 29

Inconsistent Syscall Behavior Hypothesis: malware is more sensitive to inconsistent system call behavior than normal software Experiment Vary execution of some system calls Not all can be varied without breaking programs Strategies Silence system calls (return bogus value) Change response size or some bytes of file offset Change delays Page 30

Inconsistent Syscall Behavior Hypothesis: malware is more sensitive to inconsistent system call behavior than normal software low benign code to run. We found that the following system calls are critical to process start-up and execution, and cannot be easily varied: fstat(), getuid(), ioperm(), set thread area(), and mprotect(). In other cases, perturbing system call parameters leads to non-fatal deviations. For instance, decreasing the length of a write() will cause a keylogger to lose keystrokes, silencing a send() might cause a process to fail sending an e-mail, and extending the time of a nanosleep() will just slow down a process. We try to balance risks to benign processes with harm to malware through an experimentally-determined unpredictability threshold, which bounds the amount of unexpected variation in system call behavior. We studied these strategies for spectrum behavior: Strategy 1: Silence the system call: we immediately return a fabricated value upon system call invocation. This strategy only succeeds when subsequent system calls are not highly dependent on the silenced action. For example, this strategy worked for read() and write(), but not on open(), where a subsequent read() or write() would fail. Strategy 2: Change bu er bytes: we randomly change some bytes or shorten the length of a bu er passed to a system call, such as read(), write(), send() and recv(). This strategy corrupts execution of some scripts, and can frustrate attempts to read or exfiltrate sensitive data. Strategy 3: Add more wait time: the goal of this strategy is to slow down a questionable process, for example rate-limiting network attacks. We randomly ins crease the time a nanosleep() call yields the CPU. Experimental Results Malware behavior degraded performance Only want to apply to unknown software Figure 1: Comparison of email bytes sent from bots in predictable and unpredictable environments. Figure 2: Comparison of SYN-flood attacks in standard and unpredictable environments. Unpredictability can increase the DDoS resource requirements. ment on the ability of the bot to send spam emails, shown in Figure 1. In the normal environment, nine emails varying in length from 10 to 90 bytes were successfully sent. In the unpredictable environment only partial ranpage 31

Take Away Memory errors are the classic vulnerabilities in C programs (buffer overflow) Despite years of exploration into defenses a Turingcomplete approach to exploitation remains given an appropriate memory error (return-oriented programming) ASLR has been suggested as the way to block memory attacks, such as ROP May be victimized by disclosure attacks Readactor aims to eliminate disclosure Alternatives, such as deception, could be applied Page 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback