Return-orientated Programming

Similar documents
The Geometry of Innocent Flesh on the Bone

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Architecture-level Security Vulnerabilities

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Outline. Memory Exploit

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Architecture-level Security Vulnerabilities. Julian Stecklina

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Lecture 08 Control-flow Hijacking Defenses

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Return oriented programming

Practical Malware Analysis

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Defeating Return-Oriented Rootkits with Return-less Kernels

Program Exploitation Intro

Function Call Convention

Università Ca Foscari Venezia

Selected background on ARM registers, stack layout, and calling convention

Advanced Buffer Overflow

Secure Systems Engineering

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CS 161 Computer Security

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS642: Computer Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

20: Exploits and Containment

Advanced Buffer Overflow

CS 161 Computer Security

Assembly Language: Function Calls

CSE 127 Computer Security

CSE 127 Computer Security

Assembly Language: Function Calls" Goals of this Lecture"

CSE 127 Computer Security

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

Software Security: Buffer Overflow Defenses

Assembly Language: Function Calls" Goals of this Lecture"

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Exercise 6: Buffer Overflow and return-into-libc Attacks

Lecture 4 CIS 341: COMPILERS

Jump-Oriented Programming: A New Class of Code-Reuse Attack

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Remix: On-demand Live Randomization

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Smashing the Buffer. Miroslav Štampar

Software Security: Buffer Overflow Attacks

Writing Exploits. Nethemba s.r.o.

ISA564 SECURITY LAB. Shellcode. George Mason University

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

CS241 Computer Organization Spring 2015 IA

CS429: Computer Organization and Architecture

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Outline. Heap meta-data. Non-control data overwrite

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Return-Oriented Rootkits

Intro to x86 Binaries. From ASM to exploit

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Biography. Background

Exploits and gdb. Tutorial 5

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Outline. Format string attack layout. Null pointer dereference

OpenBSD Remote Exploit

Is stack overflow still a problem?

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Defense against Code-injection, and Code-reuse Attack

Process Layout and Function Calls

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

From Over ow to Shell

Return Oriented Programming

CSE 509: Computer Security

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Software Security II: Memory Errors - Attacks & Defenses

Second Part of the Course

18-600: Recitation #4 Exploits

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

On Compilers, Memory Errors and Control-Flow Integrity

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

x86 assembly CS449 Fall 2017

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Inject malicious code Call any library functions Modify the original code

Q: Exploit Hardening Made Easy

Transcription:

Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming 11/23 / 42

Arms Race : Buffer overflows Vulnerabilities Classic: buffer overflow (stack/heap) Integer overflows, format strings, double free,... Countermeasures Canaries on the stack Copy or encrypt jump targets (ret addr, function ptr) Strict Harvard architecture: separate code and data (Non-executable stacks, heaps W X) Hardware: bit in page table entries preventing code execution from a page (AMD: NX, Intel: XD) Return-Oriented oriented Programming programming 22/23 / 42

Arms Race II - ret2libc Indirect code injection (mis)use existing code (libc.so.6, msvcrt.dll) Return-into-libc: Overwrite stack frame (ret addr) Attacker can call any function with arbitrary arguments (even chaining is possible) But: cannot execute arbitrary code Defense Remove all unnecessary functions, e.g. system() ASLR to add noise to jump target addresses Return-Oriented oriented Programming programming 33/23 / 42

Arms Race III ROP Use short instruction sequences ending in a ret Combine them to achieve complexer tasks Turing complete No function calls, control flow via returns 'In any sufficiently large code base are enough short sequences allowing an attacker to perform arbitrary computations.' Return-Oriented oriented Programming programming 44/23 / 42

Short Sequences Gadgets Where to get these instruction sequences dense x86 instruction encoding f7 c7 07 00 00 00 0f 95 45 c3 test $0x00000007, %edi setnzb 61(%ebp) c7 07 00 00 00 0f movl $0x0f000000, (%edi) 95 xchg %ebp, %eax 45 inc %ebp c3 ret Return-Oriented oriented Programming programming 55/23 / 42

Discovery of usable Gadgets Search executable segments of libc for ret opcode (c3) Scan backwards, disassemble, gather valid entry points into a tree test $0x7,%edi setnzb 61(%ebp) f7 c7 07 00 00 00 0f 95 45 c3 f7 c7 07 00 00 00 0f 95 45 c3 f7 c7 07 00 00 00 0f 95 45 c3 f7 c7 07 00 00 00 0f 95 45 c3 f7 c7 07 00 00 00 0f 95 45 c3 Return-Oriented oriented Programming programming 66/23 / 42 95 45 c3 ret inc %ebp xchg %ebp, %eax

Recap: Ordinary Execution inst inst inst inst inst %eip Current instruction is decoded and executes eip points after the current instruction to the next one to be executed control flow changes value of eip Return-Oriented oriented Programming programming 77/23 / 42

Recap: Ordinary Execution inst inst inst inst inst %eip Current instruction is decoded and executes eip points after the current instruction to the next one to be executed control flow changes value of eip Return-Oriented oriented Programming programming 88/23 / 42

Recap: Ordinary Execution inst inst inst inst inst %eip Current instruction is decoded and executes eip points after the current instruction to the next one to be executed control flow changes value of eip Return-Oriented oriented Programming programming 99/23 / 42

Recap: Ordinary Execution inst inst inst inst inst Current instruction is decoded and executes eip points after the current instruction to the next one to be executed control flow changes value of eip %eip Return-Oriented oriented Programming programming 10/23 / 42

Recap: Ordinary Execution inst inst inst inst inst Current instruction is decoded and executes eip points after the current instruction to the next one to be executed control flow changes value of eip %eip Return-Oriented oriented Programming programming 11/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp Assume the next instruction is a ret The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 12/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp Assume the next instruction is a ret The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 13/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp Assume the next instruction is a ret The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 14/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp Assume the next instruction is a ret The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 15/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data %esp Assume the next instruction is a ret The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 16/23 / 42

Return-Oriented Programming pop %edx; ret mov %eax, (%edx); ret more code; ret data Assume the next instruction is a ret %esp The return addresses on the stack are our new instruction pointer Stack: pointers to code snippets to call + data Control transfer via return operations Return-Oriented oriented Programming programming 17/23 / 42

Gadgets Building Blocks Load/Store operations (reg/mem) ALU (arithm./logic) Conditional jumps System calls Shellcode q.e.d. Return-Oriented oriented Programming programming 18/23 / 42

Load a Constant Return-Oriented oriented Programming programming 19/23 / 42

Load from Memory Return-Oriented oriented Programming programming 20/23 / 42

Store to Memory Return-Oriented oriented Programming programming 21/23 / 42

Add Value from Memory to eax Return-Oriented oriented Programming programming 22/23 / 42

XOR Ideally: xorl (%edx), %eax (but not available) Code snippet found: xorb %al, 0x48908c0(%ebx) and $0xff, %al push %ebp or $0xc9, %al ret xorl: rotate 4 times and xor bytewise push %ebp; ret let %ebp point to a ret Return-Oriented oriented Programming programming 23/23 / 42

Control Flow Jumps Unconditional jumps pop %esp, ret Conditional jumps Test condition %eflags hold result Jumps change instruction pointer, we need to conditionally change the stack pointer Three steps Test condition Copy flags to general purpose register (add-with-carry) Mask desired bit, change esp accordingly Return-Oriented oriented Programming programming 24/23 / 42

Control Flow Jumps Test condition flags change Copy flags to general purpose register clear ecx; adc %cl, %cl 0 or 1 Modify esp depending on ecx negl ecx 0 or 0xFFFFFFFF andl with relative jump distance add to esp Return-Oriented oriented Programming programming 25/23 / 42

Conditional Jumps: Step 2 Return-Oriented oriented Programming programming 26/23 / 42

System Calls Typical syscall wrapper: Load arguments to registers Invoke kernel (sysenter/int 80) Check for error, cleanup 89 da mov %ebx, %edx 8b 5c 24 04 movl 4(%esp), %ebx b8 3c 00 00 00 mov $0x0000003c, %eax 65 ff 10 00 00 00 lcall %gs:0x10(,0) 89 d3 mov %edx, %ebx c3 ret wrapper fo sysenter or int 0x80 Return-Oriented oriented Programming programming 27/23 / 42

No-argument Syscall Return-Oriented oriented Programming programming 28/23 / 42

Shellcode Set %eax (syscall number) to 0xb Let %ebx point to the string ( /bin/sh ) Load %ecx to point to argv vector Clear %edx (pointer to environment) Trap into kernel Game over Return-Oriented oriented Programming programming 29/23 / 42

c3 / ret Statistics 5,483 out of 975,626 bytes are 0xc3 3,429 are actually ret instructions 1,692 are add imm32,%ebx (81 c3 imm32) 290 are displacements (relative calls and jumps or data offsets like movb %al, 61(%ebp) encoded as 88 45 c3) Constants, SIB byte, floating point operation,... Return-Oriented oriented Programming programming 30/23 / 42

Avoid Spurious ret? Get rid of unintended c3 bytes (compiler) No moves from %eax to %ebx, no add %reg, %ebx Avoid offsets by c3 (rearrange instructions & data But: c3 is only one type of return (near return) There are four: Far ret, near ret with stack unwinding, far ret with stack unwinding Much harder to use (far returns also pop the code segment selector, but possible) Register spring: jmp %reg if reg points to a ret Even better: jmp *%reg, indirect jump Return-Oriented oriented Programming programming 31/23 / 42

Address Space Layout Randomization Add random to placement of movable sections Stack Heap Libraries Attacker has to guess addresses of return opcodes (c3) Most probably program crashes if guess was wrong Amount of randomness influences search space Return-Oriented oriented Programming programming 32/23 / 42

Address Space Layout Randomization First run stack libc ld heap text Offsets still need to be page aligned Text segment cannot be moved Addresses must not leak in any way Second run libc ld stack heap text Return-Oriented oriented Programming programming 33/23 / 42

ASLR Efficiency On The Effectiveness of Address-Space Randomization (CSS'04) 32bit architectures number of bits to randomize is limited PaX Executable: Code, Data, BSS 16 bit random Mapped: heap, libs, thread stack, 16 bit Stack: normal user stack 24 bit random offset Return-Oriented oriented Programming programming 34/23 / 42

ASLR Efficiency Fork vs. Exec() Fork: the address space layout does not change Exec: new layout every time the program runs Example: Web server spawns (forks) new processes for every client request A return-to-libc attack needs to guess 16 bit, the offset of the libc text segment Mount a return-2-libc attack to call usleep() Guessed offset wrong child crashed, connection resets Right offset connection hangs for some seconds Run second stage attack with de-randomized addresses Return-Oriented oriented Programming programming 35/23 / 42

ASLR Efficiency Apache web server with added buffer overflow Infer delta_mmap through brute force (usleep) After 216 seconds on average sucessful start second stage attack, circumventing ALSR Conclusion: on 32bit architectures and only 16 bit random for mapped area serious problems But: 64bit is there, at least 40 bit usable for address space randomization, practically brute forcing no more thread Return-Oriented oriented Programming programming 36/23 / 42

Return-less Kernels Defeating Return-Oriented Rootkits With Return-Less Kernels (EuroSys 2010) Get rid of all return instructions in the kernel no returns, no return-oriented exploits Idea: return indirection Caller puts return address into a global table and pushes the index onto the stack Callee on return does a table lookup and jumps to the intended instruction after the call No more normal call/ret instructions Return-Oriented oriented Programming programming 37/23 / 42

Return-less Kernels Remove all remaining c3 bytes from the code Relative offsets in jumps add nops jmp ffc3 nop; jmp ffc2; Relative offsets to data adapt register mov %eax, 0xc3(%ebx) dec %ebx; mov %eax, 0xc4(%ebx) Peephole optimization to replace instructions by equivalent ones without c3 (ret) Return-Oriented oriented Programming programming 38/23 / 42

Normal Call-Return Pairing Return-Oriented oriented Programming programming 39/23 / 42

Return Indirection Return-Oriented oriented Programming programming 40/23 / 42

Summary Buffer overflows, format string attacks, double frees, many ways to penetrate a system Counter code injection with W X: never execute writable code segments Return-oriented programming: use existing code snippets (gadgets) Sufficiently large code bases to take gadgets from turing completeness ALSR with 64bit seems to solve this (for now) Return-Oriented oriented Programming programming 41/23 / 42

In A Nutshell Code fractions from sufficiently large code base yield Turing completeness Avoiding return opcodes won't help No code injection at all, thus circumventing DEP Questions: Ret2libc with ASLR: guess one address ROP with ASLR: guess many return targets ASLR with 48/64 bit problem postponed? Return-Oriented oriented Programming programming 42/23 /

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback