Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Similar documents
Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Control-Flow Integrity

CMPSC 497 Execution Integrity

Return-orientated Programming

Advanced Systems Security: Program Diversity

Software Security: Buffer Overflow Defenses

Inject malicious code Call any library functions Modify the original code

CS 161 Computer Security

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Inline Reference Monitoring Techniques

The Geometry of Innocent Flesh on the Bone

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Software Security: Buffer Overflow Attacks (continued)

CS 161 Computer Security

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Software Security: Buffer Overflow Attacks

Remix: On-demand Live Randomization

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CMPSC 497 Buffer Overflow Vulnerabilities

Vulnerability Analysis I:

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Software Security II: Memory Errors - Attacks & Defenses

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

String Oriented Programming Exploring Format String Attacks. Mathias Payer

On Compilers, Memory Errors and Control-Flow Integrity

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

Outline. Memory Exploit

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Advanced Systems Security: Ordinary Operating Systems

0x1A Great Papers in Computer Security

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

CSE 127 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Lecture 08 Control-flow Hijacking Defenses

Q: Exploit Hardening Made Easy

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Biography. Background

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Selected background on ARM registers, stack layout, and calling convention

Software Security: Buffer Overflow Defenses and Miscellaneous

Abstraction Recovery for Scalable Static Binary Analysis

18-600: Recitation #4 Exploits

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127 Computer Security

From Over ow to Shell

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Exploit Mitigation - PIE

CMPSC 497: Midterm Review

20: Exploits and Containment

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Lecture 10 Code Reuse

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Securing Untrusted Code

HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities

Defeating Return-Oriented Rootkits with Return-less Kernels

Control Flow Integrity

Advanced Buffer Overflow

CSE 509: Computer Security

Just-in-Time Code Reuse

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Midterm 1 Review. Memory Safety & Web Attacks

On the Effectiveness of Type-based Control Flow Integrity

This exam contains 8 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE Spring Assignment 3: Return-oriented Programming

in memory: an evolution of attacks Mathias Payer Purdue University

Return-Oriented Rootkits

Control Flow Integrity for COTS Binaries Report

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Advanced Buffer Overflow

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Exploits and gdb. Tutorial 5

CSE 127 Computer Security

A survey of Hardware-based Control Flow Integrity (CFI)

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

18-600: Recitation #4 Exploits (Attack Lab)

Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

Outline. Heap meta-data. Non-control data overwrite

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

CS 161 Computer Security

CSE 127 Computer Security

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Architecture-level Security Vulnerabilities

Secure Systems Engineering

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

1358 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 7, JULY 2018

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region How is code injection done? 2 2

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both What can adversary do to circumvent these defenses and still execute useful code (for them)? 3 3

Return-Oriented Programming Arbitrary exploitation without code injection 4 4

Return-Oriented Programming 5 5

ROP Thesis 6 6

Return-to-libc 7 7

ROP vs return-to-libc 8 8

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers Memory %eax = 0x8048000 = %ebx = 9

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers %eax = %ebx = 5 Memory 0x8048000 = 10

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers %eax = %ebx = 5 Memory 0x8048000 = 11

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers %eax = %ebx = 5 0x8048000 Memory 0x8048000 = 12

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers %eax = %ebx = 5 0x8048000 Memory 0x8048000 = 13

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers %eax = %ebx = 5 0x8048000 Memory 0x8048000 = 14

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack G1: G2: G3: pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 G2 0x8048000 jump G3 G3 Return Address buf... Registers Memory %eax = 5 0x8048000 = 5 %ebx = 0x8048000 15

Machine Instructions 16 16

ROP Execution 17 17

Building ROP Functionality 18 18

Building ROP Functionality 19 19

Building ROP Functionality 20 20

Creating Programs 21 21

Finding Gadgets 22 22

ROP Conclusions 23 23

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes legal control flows E.g., control-flow graph Enforce the model on program execution Instrument indirect control transfers Jumps, calls, returns,... Challenges Building accurate model Efficient enforcement 24 24

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 25 25

Our Mechanism F A F B call fp return 26 26-1

Our Mechanism F A F B call fp return CFG excerpt A call B 1 A call+1 B ret 26 26-2

Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp return CFG excerpt A call B 1 A call+1 B ret 26 26-3

Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 26 B 1 B ret 26-4

More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } call fp F C 27 27-1

More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 27 27-2

Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B F B succ(b ret ) = {A call+1, D call+1 } F D return call F B 28 28-1

Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B nop IMM 2 F B succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 28 28-2

Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 B D ret call+1 succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 28 28-3

Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 B D ret call+1 succ(b ret ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 28 28-4

No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 29 29-1

No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 29 29-2

No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 E call C 1 29 29-3

No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 29 29-4

CFG Imprecision Best reduced by a technique developed in the HyperSafe system HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity IEEE Symposium on Security and Privacy, 2010 On indirect call (forward edge) Check the proposed target against the set of legal targets from the CFG On return (backward edge) Check the proposed return location against the set of legal return locations from the CFG Tricky to make that efficient (see the paper) 30 30

Shadow Stack What should be the target of a return instruction? Return to caller But, need a way to protect return value Shadow stack Stack that can only be accessed by trusted code (e.g., software fault isolation) Off limits to overflows 31 31

CFG Computation What should be the target of a call instruction? Direct call - hard coded, so no problem Indirect call (function pointer) - would be any legal value for the function pointer That is, anywhere it can point The points-to problem in general, which is undecidable So, there are various techniques to overapproximate the target set for each indirect call 32 32

More Challenges Predicting return targets can be hard Exceptions, signals, and setjmp/longjmp Runtime generation of indirect jumps E.g., dynamically linked libraries Indirect jumps using arithmetic operators E.g., assembly Is enforcing fine-grained CFI sufficient to prevent exploits? 33 33

Recent Result Suppose a program is protected by fine-grained CFG on calls and a shadow stack on returns Further suppose that the program contains an arbitrary write primitive (e.g., based on a memory error) For these programs, exploits can be generated over 80% of the time, even against CFI defenses Block Oriented Programming: Automating Data-Only Attacks, ACM CCS 2018 Exploits follow CFG, but manipulate memory to complete exploit Called data-oriented programming 34 34

Alternatives to CFI? What are the fundamental enablers of ROP attacks? (1) CFI: violate control flow (2) Adversary can choose gadgets Can we prevent adversaries from choosing useful gadgets? In general, adversaries can create/ obtain the same binary as is run by the victim But, that need not be the case 35 35

Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget) is sufficiently low and the program still runs correctly and efficiently Called address space randomization 36 36

ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,... Stack Heap Data Text 37 37-1

ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 37-2 37

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] 38 38

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use buffer over-read to read unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities So, what can we do? How do we avoid leaking the key? 39 39

Conclusion Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system may need to use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 40 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback