Memory corruption vulnerability exposure can be mitigated through memory hardening practices

Similar documents
CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Lecture 08 Control-flow Hijacking Defenses

Bypassing Browser Memory Protections

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Return-orientated Programming

CS 161 Computer Security

20: Exploits and Containment

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Bypassing Windows heap protections

Software Security: Buffer Overflow Defenses

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

The Geometry of Innocent Flesh on the Bone

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Smashing the Buffer. Miroslav Štampar

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

How to Impress Girls with Browser Memory Protection Bypasses

CSC 405 Computer Security Stack Canaries & ASLR

CSE 509: Computer Security

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Software Security II: Memory Errors - Attacks & Defenses

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Memory corruption countermeasures

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Autodesk AutoCAD DWG-AC1021 Heap Corruption

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Practical Malware Analysis

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Secure Software Programming and Vulnerability Analysis

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Architecture-level Security Vulnerabilities

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

SA31675 / CVE

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Software Security: Buffer Overflow Attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Università Ca Foscari Venezia

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Return Oriented Programming

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Intrusion Detection and Malware Analysis

Software Security: Buffer Overflow Attacks (continued)

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Architecture-level Security Vulnerabilities. Julian Stecklina

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Runtime Defenses against Memory Corruption

Advanced Heap Manipulation in Windows 8 10/26/12

Outline. Memory Exploit

CSE509 System Security

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Writing your first windows exploit in less than one hour

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

FFRI,Inc. Monthly Research Understanding bypassing ASLR by a pointer at a fixed address. Ver

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

CS 161 Computer Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

OpenBSD Remote Exploit

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

FLARE-On 4: Challenge 3 Solution greek_to_me.exe

Q: Exploit Hardening Made Easy

From Over ow to Shell

Buffer-Overflow Attacks on the Stack

Biography. Background

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Ghost in the allocator Abusing the windows 7/8 Low Fragmentation Heap

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Inject malicious code Call any library functions Modify the original code

Buffer Overflows Defending against arbitrary code insertion and execution

SA33901 / CVE

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Buffer-Overflow Attacks on the Stack

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Apology of 0days. Nicolás Waisman

Buffer overflow prevention, and other attacks

Practical Techniques for Regeneration and Immunization of COTS Applications

Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998

Pharos Static Analysis Framework

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Memory Corruption 101 From Primitives to Exploit

Function Call Convention

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Outline. Heap meta-data. Non-control data overwrite

BUFFER OVERFLOW. Jo, Heeseung

Is stack overflow still a problem?

Buffer Overflow. Jo, Heeseung

Buffer Overflow and Format String Overflow Vulnerabilities

Vulnerabilities in C/C++ programs Part I

Lec07: Return-oriented programming. Taesoo Kim

Transcription:

Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory manager Microsoft is raising the technology bar to combat external threats

Microsoft is raising the technology bar to combat external threats New features you ve probably heard about Privilege Separation IE Protected Mode Kernel Patch Protection Code Integrity New features we are covering today Address Space Layout Randomization Windows Vista Dynamic Memory Allocator

Red Hat Enterprise Linux Images Section reordering DLL randomization EXE randomization* Stack Protected control flow data* Local variable protection* Segment randomization Non-executable Heap Segment randomization Non-executable

OpenBSD Images Apple OS X Images DLL randomization No protection Stack Section reordering Stack No protection Protected control flow data* Heap Local variable protection No protection Segment randomization Non-executable Heap Non-executable Segment randomization

Windows Vista Images EXE randomization DLL randomization Stack Protected exception handlers Protected control flow data Local variable protection Segment randomization Non-executable Heap Protected heap management data Segment randomization Non-executable

A quick look at what you ve already been exposed to: Stack Cookies (/GS) Heap Mitigations (XP SP2) Structured Exception Handling (SafeSEH) Unhandled Exception Filter (MS06-051) Hardware DEP/NX

New in Windows Vista Address Space Layout Randomization The History of ASLR Architectural Considerations Vista ASLR Technical Details Testing Methodology Dynamic Memory Allocator A Short Lesson in Heap Exploitation Improvements in Vista Heap Management Vista Dynamic Memory Allocator Internals Testing Methodology

Windows Vista ASLR is a technology that makes exploitation of a vulnerability a statistical problem Address Space Layout Randomization allows for the relocation of memory mappings, making the a process address space layout unpredictable

ASLR Theory Exploitation relies on prior knowledge of the memory layout of the targeted process Published Research PaX Documentation PaX Team (http://pax.grsecurity.net/docs/aslr.txt) On the Effectiveness of Address Space Layout Randomization Shacham, et al Stanford University

Windows Vista Process Model Most applications are threaded Windows Vista Memory Management File mappings must align at 64k boundaries Shared mappings must be used to keep memory overhead low and preserve physical pages Fragmentation of the address space must be avoided to allow for large allocations Supports hardware NX

Image Mapping Randomization Random base address chosen for each image loaded once per boot 8 bits of entropy Fix-ups applied on page-in Images are mapped at the same location across processes 99.6% Effective

Heap Randomization Random offset chosen for segment allocation using 64k alignment (5-bit entropy) Stack Randomization Random offset chosen for segment allocation using 64k or 256k alignment. Random offset within first half of the first page

Three pieces to the strategy Address Space Randomization Non-Executable Pages Service Restart Policy

Assumptions ASLR will only protect against remote exploitation ASLR requires NX to remain effective ASLR requires a limit on the number of exploitation attempts to remain effective

Prior to Windows Vista, NX could be disabled in a process if PERMANENT flag was not set Loading a DLL that is not NX compatible No relocation information Loaded off removable media Open handle to a data mapping of the file Call NtSetInformationProcess with the MEM_EXECUTE_OPTION_ENABLE flag

In Windows Vista, NX cannot be disabled once turned on for a process Most processes enable NX by default

Reducing the brute force space Code symmetry Each location shifts stack pointer 20 bytes kernel32+0xa1234: retn 16 kernel32+0xb1234: pop ebx pop ebp retn 8 user32+0x01234: jz 0x12345678 sub esp, 16 xor eax, eax ret advapi32+0x51234: lea esp, [esp+20] pop eax call eax Advanced return address location Emulation - EEREAP

Partial overwrites Given known addresses at known offsets, partial overwrites yield predictable results without full knowledge of the address space layout With randomization in play, only bounded overflows can be used reliably for a single partial overwrite

Partial overwrites A single partial overwrite can be used to execute a payload or gain additional partial overwrites D:\>partial banner1: 0040100a banner2: 0040100f hello world! D:\>partial own banner1: 0040100a banner2: 0040100f owned!

Partial overwrites A single partial overwrite can be used to execute a payload or gain additional partial overwrites int main(int argc, char **argv) { struct Object obj1; char buf[32]; struct Object obj2; printf("banner1: %08x banner2: %08x\n", banner1, banner2); if(argv[1]!= 0) strncpy(buf, overflow, sizeof(overflow)); obj1.func(); return 0; } partial!main+0x5a: 004011ea 6a30 004011ec 68b8114200 004011f1 8d4dc4 004011f4 51 004011f5 e816060000 004011fa 83c40c push push lea push call add 30h offset partial!overflow ecx,[ebp-3ch] ecx partial!strncpy (00401810) esp,0ch

Partial overwrites A single partial overwrite can be used to execute a payload or gain additional partial overwrites 0:000> bp 004011f5 0:000> g banner1: 0040100a banner2: 0040100f Breakpoint 0 hit partial!main+0x65: 004011f5 e816060000 call partial!strncpy (00401810) 0:000> dt obj1 Local var @ 0x12ff38 Type Object +0x000 next : (null) +0x004 val : 17895697 +0x008 func : 0x0040100a partial!ilt+5(_banner1)+0 0:000> p partial!main+0x6a: 004011fa 83c40c add esp,0ch 0:000> dt obj1 Local var @ 0x12ff38 Type Object +0x000 next : 0x41414141 Object +0x004 val : 1094795585 +0x008 func : 0x0040100f partial!ilt+10(_banner2)+0 0:000> g owned!

Information Leaking Uninitialized memory Use multiple attempts to gain address layout information that will get you code execution Additional image map locations can usually be inferred from one DLL address Heap spraying reduces the need for accuracy Non-randomized data as arguments to functions SharedUserData / ReadOnlySharedMemoryBase Non-relocatable resource dlls 3rd party binaries

Software Development Process Create NX and ASLR compatible binaries Keep service restart policies in mind Ensure information leak bugs are addressed Technology Use hardware that supports NX

The majority of currently exploited vulnerabilities in Microsoft products are overflows into heap memory Heap exploitation relies on corrupting heap management data or attacking application data within the heap

VTable Overwrites Class objects contain a list of function pointers for each virtual function in the class called a vtable class MyClass { public: MyClass(); virtual ~MyClass(); virtual MemberFunction(); int MemberVariable; }; Overwriting virtual function pointers is the simplest method of heap exploitation

HEAP_ENTRY Overflow Scenario: Heap-based buffer overflow allows for writing into adjacent free heap block Attack: Overwrite FLINK and BLINK values and wait for HeapAlloc() mov dword ptr [ecx],eax mov dword ptr [eax+4],ecx EAX = Flink, EBX = Blink Allows one or two 4-byte writes to controlled locations FREE HEAP BLOCK _HEAP_ENTRY +0x000 Size +0x002 PreviousSize +0x004 SmallTagIndex +0x005 Flags +0x006 UnusedBytes +0x007 SegmentIndex _LIST_ENTRY +0x000 Flink +0x004 Blink

HEAP_ENTRY Overflow Mitigations in XP SP2 LIST_ENTRY->Flink->Blink == LIST_ENTRY->Blink->Flink == LIST_ENTRY List integrity checked during heap allocation 8-bit Cookie Verified on allocation after removal from free list

HEAP_ENTRY Overflow Mitigations in XP SP2 Defeated by attacking the lookaside list First heap overwrite takes control of Flink value in a free chunk with a lookaside list entry Allocation of the corrupted chunk puts the corrupt Flink value into the lookaside list Next HeapAlloc() of the same sized chunk will return the corrupted pointer

Heap segment randomization HEAP_ENTRY integrity checks Block entry randomization Linked-list validation and substitution Function pointer hardening Terminate on Error

HEAP_ENTRY Checksum for Size and Flags Size, Flags, Checksum, and PreviousSize are XOR d against random value Adds extra resilience against overflows into Flink and Blink values

Linked-lists Forward and backward pointer validation on unlink from any list Lookaside lists Replaced by Low-Fragmentation Heap

Function pointer hardening CommitRoutine and InterceptRoutine function pointers encoded CRT atexit() destructors encoded Terminate on Error Opt-in API that cannot be disabled Ensures program cleanup does not utilize tainted heap structures

The Low-Fragmentation Heap is enabled by default in Windows Vista The LFH replaces lookaside lists and is similar in nature 128 buckets of static sized buffers Utilized for reoccuring allocations of the same size

HEAP_ENTRY Doubly-linked list pointers are only validated when unlinking a node Attack If list head pointers can be corrupted prior to an insert, the destination of a 4-byte write can be controlled The address of the free chunk being inserted into the list will be written to the corrupted linked list pointer Assessment Writing the address of the chunk may be only be helpful in limited circumstances It is difficult to find a list head to overwrite InsertHeadList(ListHead, Entry) Flink = ListHead->Flink; Entry->Flink = Flink; Entry->Blink = ListHead; Flink->Blink = Entry; ListHead->Flink = Entry; InsertTailList(ListHead, Entry) Blink = ListHead->Blink; Entry->Flink = ListHead; Entry->Blink = Blink; Blink->Flink = Entry; ListHead->Blink = Entry;

HEAP_UCR_DESCRIPTOR Attack Repeated large allocations will result in the allocation of a new segment HEAP_UCR_DESCRIPTOR is at a static offset from first allocation in a segment If fake descriptor points at allocated memory, the next heap allocation will write a HEAP_UCR_DESCRIPTOR to a controlled address Assessment Limited control of the data written should effectively reduce this to a partial DWORD overwrite Increased complexity with multi-stage attack requires a high degree of control such as active scripting Unused UCR Descriptor Allocated Heap

HEAP_UCR_DESCRIPTOR Attack Repeated large allocations will result in the allocation of a new segment HEAP_UCR_DESCRIPTOR is at a static offset from first allocation in a segment If fake descriptor points at allocated memory, the next heap allocation will write a HEAP_UCR_DESCRIPTOR to a controlled address Assessment Limited control of the data written should effectively reduce this to a partial DWORD overwrite Increased complexity with multi-stage attack requires a high degree of control such as active scripting Unused Unused UCR Descriptor UCR Descriptor Overflow Allocated Heap Function Ptr 0x000a1234 Allocated Heap

HEAP_UCR_DESCRIPTOR Attack Repeated large allocations will result in the allocation of a new segment HEAP_UCR_DESCRIPTOR is at a static offset from first allocation in a segment If fake descriptor points at allocated memory, the next heap allocation will write a HEAP_UCR_DESCRIPTOR to a controlled address Assessment Limited control of the data written should effectively reduce this to a partial DWORD overwrite Increased complexity with multi-stage attack requires a high degree of control such as active scripting _HEAP_UCR_DESCRIPTOR +0x000 ListEntry +0x008 SegmentEntry +0x010 Address +0x014 Size Address points to the next reserved region and defines where a HEAP_UCR_DESCRIPTOR will be written on the next segment allocation Unused UCR Descriptor Overflow Function Ptr Ptr 0x000a1234 XXXX Allocated Heap

_LFH_BLOCK_ZONE Attack New SubSegments are created at the location specified by the FreePointer in the LFH_BLOCK_ZONE structure Control of the FreePointer allows writing a HEAP_SUBSEGMENT to an arbitrary location Allocation size and number of allocations affect fields in the HEAP_SUBSEGMENT structure Assessment Limited control of the data written should effectively reduce this to a partial DWORD overwrite Increased complexity attack requires a high degree of control such as active scripting _LFH_BLOCK_ZONE +0x000 ListEntry +0x008 FreePointer +0x00c Limit _HEAP_SUBSEGMENT +0x000 LocalInfo +0x004 UserBlocks +0x008 AggregateExchg +0x010 BlockSize +0x012 Flags +0x014 BlockCount +0x016 SizeIndex +0x017 AffinityIndex +0x010 Alignment +0x018 SFreeListEntry +0x01c Lock

Default exploit mitigations on popular client operating systems

OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory manager Microsoft is committed to closing the gap as much as possible and Windows Vista will have the strongest pro-active vulnerability defense of any Windows release These protections will continue to evolve to prevent wide-spread exploitation of software vulnerabilities Exploitation mitigations do not solve the problem of software vulnerabilities, but do provide a stopgap during times of exposure

Thank you for attending Please contact us at switech@microsoft.com for feedback on Microsoft s mitigation technologies

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback