PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Similar documents
A Binary Rewriting Defense against Stack based Buffer Overflow Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Practical Malware Analysis

Assembly Language: Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Function Call Convention

CS 480 Fall Runtime Environments. Mike Lam, Professor. (a.k.a. procedure calls and heap management)

Inject malicious code Call any library functions Modify the original code

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture 4 September Required reading materials for this class

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Buffer-Overflow Attacks on the Stack

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

CSE 509: Computer Security

Buffer-Overflow Attacks on the Stack

Program semantics-aware Intrusion Detection. Prof. Tzi-cker Chiueh Computer Science Department Stony Brook University

Machine Language, Assemblers and Linkers"

Advanced Buffer Overflow

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Subprograms, Subroutines, and Functions

CSC 2400: Computer Systems. Using the Stack for Function Calls

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Procedure-Calling Conventions October 30

Shellcode Analysis. Chapter 19

CSC 8400: Computer Systems. Using the Stack for Function Calls

CIT Week13 Lecture

Binary Code Analysis: Concepts and Perspectives

Digital Forensics Lecture 3 - Reverse Engineering

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Protecting Against Unexpected System Calls

Autodesk AutoCAD DWG-AC1021 Heap Corruption

Return-orientated Programming

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Generation. representation to the machine

Buffer Overflow Attacks

CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

CSE P 501 Exam 8/5/04 Sample Solution. 1. (10 points) Write a regular expression or regular expressions that generate the following sets of strings.

Advanced Buffer Overflow

Overview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading

Multi-level Page Tables & Paging+ segmentation combined

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

The Geometry of Innocent Flesh on the Bone

Buffer Overflow Attack

Operating Systems and Protection CS 217

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Computer Systems Lecture 9

SA31675 / CVE

Is stack overflow still a problem?

Control Flow Integrity for COTS Binaries Report

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

How to Sandbox IIS Automatically without 0 False Positive and Negative

16.317: Microprocessor Systems Design I Fall 2014

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

Summary: Direct Code Generation

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Ramblr. Making Reassembly Great Again

Today s Menu. >Use the Internal Register(s) >Use the Program Memory Space >Use the Stack >Use global memory

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

T Jarkko Turkulainen, F-Secure Corporation

Control-flow Enforcement Technology H.J. Lu. Intel November, 2018

THEORY OF COMPILATION

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

SOEN228, Winter Revision 1.2 Date: October 25,

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

Buffer Overflows Defending against arbitrary code insertion and execution

Program Exploitation Intro

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

String Oriented Programming Exploring Format String Attacks. Mathias Payer

CSE 361S Intro to Systems Software Lab Assignment #4

Design Pattern Recovery from Malware Binaries

T Reverse Engineering Malware: Static Analysis I

CS429: Computer Organization and Architecture

CSC 8400: Computer Systems. Machine-Level Representation of Programs

The Instruction Set. Chapter 5

0x1A Great Papers in Computer Security

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Instruction Set Architecture

CS 161 Computer Security

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Instruction Set Architecture

Complex Instruction Set Computer (CISC)

Shellzer: a tool for the dynamic analysis of malicious shellcode

Transcription:

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion

Buffer Over2low Attacks Lack of array bound checking in the compiler results in: Overwriting return address on the stack. Corrupting memory pointer variables on the stack. Solutions: Build bound checking mechanisms in the compiler. Require applications to strictly follow programming guidelines. Implement a binary rewriting solution that provides same level of protection.

Challenges Where should the protection instructions be inserted? How to insert the instructions without disturbing existing code?

Binary Disassembly Identifies boundary of every procedure in the input program Linear sweep v/s Recursive algorithms Challenges: Data embedded in code region Variable instruction size Indirect branch instruction Callback functions Hand crafted assembly code

Binary Disassembly Consider the following code sequence 0x0F 0x85 0xC0 0x0F 0x85 jne offset 0x0F test eax, eax jne offset

Disassembly Engine Binary rewriting inserts protection code at the start of each procedural call. Need to identify as many code bytes as possible. Original program semantics must be maintained.

Disassembly Engine Step 1: Dispatch Tables Implementation Identify as potential address bytes in the dispatch table. Step 2: Main Entry point Perform control flow analysis. Identify code and data sections. Step 3: Callback Functions Identify interesting pieces of code associated with callback functions.

Disassembly Engine Implementation Step 4: Reset Points Parse instructions from reset point until an unconditional branch is encountered. Step 5: Unconditional branch instructions All code sequences end with an unconditional branch (jmp or ret). Bytes immediately after an unconditional branch must be: Data bytes Code byte which has been marked as function entry point.

Where to insert RAD code? Interesting Functions Function prolog: A copy of the return address is saved in the return address repository (RAR). Function Epilog Check the return address on the stack with the address saved in the RAR.

RAD Code JMP instruction transfers control to RAD prolog and then executes function prolog. For epilog the following order is observed: Function epilog until the RET instruction. RAD epilog checking code. RET instruction if there are no problems. Some instructions in the function need to be replaced by a JMP instruction (5 bytes).

Prolog Function Prolog of an interesting function compromises 3 instructions: push ebp mov ebp, esp sub esp, x // 1byte // 2 bytes // 3 6 bytes Thus, the function prolog contains at least 6 bytes.

Epilog Stack frame de-allocation uses the following instructions: mov esp, ebp pop ebp ret Or leave ret // 2 bytes // 1 byte // 1 byte // 1 byte // 1 byte Thus, the function epilog can be done in 2 4 bytes of instructions. Some more instructions prior to the stack frame de-allocation instructions must be replaced.

Epilog In some cases, it can be difficult to find instructions to be replaced. Use an interrupt to solve this problem. Replace first byte of instruction prior to RET with INT 3 instruction. Exception handler performs return address check.

Prototype Implementation We will discuss: Software Architecture RAR Initialization Limitations of the implementation

Software Architecture

A high level picture MEMORY.CODE Header Code + interleaved data

A high level picture MEMORY.CODE.RAD Header Code + interleaved data Legend: Existing stuff Newly added stuff RAD Set R during run-time Mine zones RAR Set RW RAD Set R during run-time

RAR Initialization Creating a mine section to protect Return Address Repository (RAR) Call win32 API VirtualProtect() Problem: How to call it? Case a: It is called by target program. Solution: Resides in its Import Address Table Case b: Not loaded in its address space. Solution: Idea to load it is derived from a virus code!

Limitations Limitations of disassembler Two types of problems: 1. Missed functions It can happen when either when a sequence of bytes is identified fully as code or when it is identified as data. Usually happens with callback functions 2. Falsely identified functions RAR might overflow Can happen with hand-crafted assembly

Limitations Limitations of RAD It helps exclusively in the case where return address is modified. No protection if GOT or IAT is modified e.g. printf might point to malicious code. Mutithreaded applications not handled Self modified code cannot be handled

Results Space overhead Disassembly accuracy

Results Disassembly accuracy (cont d) Runtime overhead

Final Thoughts Pros: It works on binaries, hence it can protect legacy applications Runtime overhead is quite reasonable The implementation and problems are described in good detail Cons: It protects only against stack buffer overflow attacks Some cases go unhandled due to less than 100% accuracy with disassembly

THANK YOU

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback