Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Similar documents
Practical and Efficient Exploit Mitigation for Embedded Devices

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Inject malicious code Call any library functions Modify the original code

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Selected background on ARM registers, stack layout, and calling convention

Control Flow Integrity for COTS Binaries Report

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

COE608: Computer Organization and Architecture

Remix: On-demand Live Randomization

The Geometry of Innocent Flesh on the Bone

The Activation Record (AR)

How to Sandbox IIS Automatically without 0 False Positive and Negative

Advanced Computer Architecture

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

CS 161 Computer Security

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

MIPS Functions and Instruction Formats

Spectre and Meltdown. Clifford Wolf q/talk

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Lecture 7: Examples, MARS, Arithmetic

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Traps, Exceptions, System Calls, & Privileged Mode

Return-orientated Programming

a) Do exercise (5th Edition Patterson & Hennessy). Note: Branches are calculated in the execution stage.

comp 180 Lecture 10 Outline of Lecture Procedure calls Saving and restoring registers Summary of MIPS instructions

Runtime Defenses against Memory Corruption

Architectural Supports to Protect OS Kernels from Code-Injection Attacks

Computer Architecture. Chapter 2-2. Instructions: Language of the Computer

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Calling Conventions. Hakim Weatherspoon CS 3410, Spring 2012 Computer Science Cornell University. See P&H 2.8 and 2.12

Do-While Example. In C++ In assembly language. do { z--; while (a == b); z = b; loop: addi $s2, $s2, -1 beq $s0, $s1, loop or $s2, $s1, $zero

Compiling Code, Procedures and Stacks

Computer Systems Laboratory Sungkyunkwan University

Assembler. Lecture 8 CS301

Virtual Machines and Dynamic Translation: Implementing ISAs in Software

Is Exploitation Over? Bypassing Memory Protections in Windows 7

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Protecting Against Unexpected System Calls

Operating System Security

16 Sharing Main Memory Segmentation and Paging

Software Security: Buffer Overflow Defenses

CS 61C: Great Ideas in Computer Architecture CALL continued ( Linking and Loading)

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Instruction Set Principles and Examples. Appendix B

Porting Linux to x86-64

Software Security II: Memory Errors - Attacks & Defenses

Confinement (Running Untrusted Programs)

ECE 331 Hardware Organization and Design. Professor Jay Taneja UMass ECE - Discussion 3 2/8/2018

CS 161 Computer Security

Inline Reference Monitoring Techniques

Efficient Software Based Fault Isolation. Software Extensibility

Implementing Procedure Calls

Subroutines. int main() { int i, j; i = 5; j = celtokel(i); i = j; return 0;}

Thomas Polzer Institut für Technische Informatik

Malware

Lec 10: Assembler. Announcements

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Program semantics-aware Intrusion Detection. Prof. Tzi-cker Chiueh Computer Science Department Stony Brook University

15 Sharing Main Memory Segmentation and Paging

ELEC / Computer Architecture and Design Fall 2013 Instruction Set Architecture (Chapter 2)

From Code to Program: CALL Con'nued (Linking, and Loading)

CS4617 Computer Architecture

Popcorn Linux: System Software for Emerging Heterogeneous Platforms

CS 61c: Great Ideas in Computer Architecture

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

200 points total. Start early! Update March 27: Problem 2 updated, Problem 8 is now a study problem.

MIPS Functions and the Runtime Stack

Instruction Set Architectures (4)

Branch Addressing. Jump Addressing. Target Addressing Example. The University of Adelaide, School of Computer Science 28 September 2015

Instructions: Language of the Computer

CS222: MIPS Instruction Set

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Compilers and computer architecture: A realistic compiler to MIPS

Syscalls, exceptions, and interrupts, oh my!

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Chapter 5 (Part II) Large and Fast: Exploiting Memory Hierarchy. Baback Izadi Division of Engineering Programs

Separating Access Control Policy, Enforcement, and Functionality in Extensible Systems. Robert Grimm University of Washington

0x1A Great Papers in Computer Security

MIPS Procedure Calls. Lecture 6 CS301

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2015 Lecture 23

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Chapter 2A Instructions: Language of the Computer

CS 61c: Great Ideas in Computer Architecture

Code Genera*on for Control Flow Constructs

CSC258: Computer Organization. Functions and the Compiler Tool Chain

Recap from Last Time. CSE 2021: Computer Organization. Levels of Programming. The RISC Philosophy 5/19/2011

ECE 498 Linux Assembly Language Lecture 1

Version:1.1. Overview of speculation-based cache timing side-channels

Computer Science and Engineering 331. Midterm Examination #1. Fall Name: Solutions S.S.#:

Prof. Kavita Bala and Prof. Hakim Weatherspoon CS 3410, Spring 2014 Computer Science Cornell University. See P&H 2.8 and 2.12, and A.

Architecture II. Computer Systems Laboratory Sungkyunkwan University

Procedure Calling. Procedure Calling. Register Usage. 25 September CSE2021 Computer Organization

Securing Untrusted Code

CSE 220: System Fundamentals I Unit 14: MIPS Assembly: Multi-dimensional Arrays. Kevin McDonnell Stony Brook University CSE 220

ECE260: Fundamentals of Computer Engineering. Supporting Procedures in Computer Hardware

Computer Organization MIPS ISA

Recap: Memory Management

5/17/2012. Recap from Last Time. CSE 2021: Computer Organization. The RISC Philosophy. Levels of Programming. Stored Program Computers

Shuffler: Fast and Deployable Continuous Code Re-Randomization

Transcription:

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org 9 th International Conference on Trust & Trustworthy Computing Vienna, August 2016 1

Embedded Devices? 2

Internet of Things! 3

Embedded Devices Produced in large quantities not a computer, but actually a computer Mostly low cost/power/end RISC-based CPUs exceptions, e.g. CPUs for smartphones Devices run open/free software such as Linux light software stacks, for example uclibc 4

Embedded Device Security Valuable targets always on contain interesting personal data control important things Contain software vulnerabilities e.g. memory corruption exploited like desktops and servers 5

Embedded Device Security Valuable targets always on contain interesting personal data control important things Contain software vulnerabilities e.g. memory corruption exploited like desktops and servers Mitigations not state of the art! 6

Exploit Mitigation - State of the Art Exploit stages: Inject payload Hijack control flow Run payload 7

Exploit Mitigation - State of the Art Inject payload Data Execution Prevention Address Space Layout Randomization Hijack control flow Control Flow Integrity Run payload Policies for system call usage System call based IDS 8

Exploit Mitigation - State of the Art Inject payload Data Execution Prevention MMU hardware support required (SW emulation slow) Address Space Layout Randomization limited address space on embedded devices Hijack control flow Control Flow Integrity source code beneficial high overhead hardware support only for next-gen Intel processors Run payload Policies for system call usage requires writing policies for every application System call based IDS mimicry attacks, overhead 9

Goal: SotA Mitigations for embedded RISC devices Leightweight exploit mitigation also suitable for budget SoCs Use RISC hardware features Tailor for binary only / COTS source code is not always available 10

RISC Architecture Features Register only operations load / store architecture Many registers and specialized registers e.g. control flow Fixed instruction length easier disassembly Instruction / address alignment no jumping into the middle of an instruction 11

Exploits revisited Exploits use OS functionality read/write data, launch process, Exploit OS usage differs from original program different syscall, different parameters,... 12

Exploits revisited Exploits use OS functionality read/write data, launch process, Exploit OS usage differs from original program different syscall, different parameters,... Ensure that runtime OS usage is coherent with OS usage in binary executable BINtegrity 13

Threat Model Trusted kernel we protect user space code Trusted binaries on disk executable and libraries not modified by attacker Memory is untrusted we try to fight off memory corruption attacks! 14

BINtegrity Overview launch program binary executable runtime process corrupted? inspect system call BINtegrity intercept / kernel OS service 15

Process Runtime State function call system call program library (system call wrapper) kernel (system call handler) link address return address System call return address ret sc System call information System call number System call arguments Link address ret lr specific to RISC register containing return address of last function invocation Indirect jump target (on MIPS) 16

Code Invariant Extraction function prologue argument assignment function call link address offset addiu $sp, -0x28 sw $ra, 0x28-4... jal sub02 disassemble lui $a1, 0x46 backwards li $a2, 7 lui $t9, mmap@plt jalr $t9 nop execute forwards Leightweight execution state (only registers) Invariants = concrete values at end of execution Static analysis on the binary executable on disk 17

Enforcing Integrity 1. Code Provenance where do function invocations originate from? only allow legit locations 2. Code Integrity is the call chain reflected by the binary? do the system call arguments match the invariants? 3. Symbol Integrity are called system call wrappers actually imported? 18

Enforcing Code Provenance Trusted Application Code Base (TACB) valid code regions of the process runtime image mapped text segments of a running process includes text segments of libraries fixated after linking stage Call chain has to originate from the TACB return addresses: both ret sc and ret lr everything outside TACB is invalid 19

Enforcing Code Integrity program code... lui $a3, 0x46 li $a0, 7 lui $t9, mmap@plt jalr $t9 nop syscall wrapper... lw $t0, 0xcafe or $a3, t0 li $v0, 0x101D syscall 0 nop Is the predecessor of ret sc really a syscall? has the right syscall been invoked? Is the predecessor of ret lr really a control flow transfer? does the target of the branch match the callee? Do the actual syscall arguments match the invariants? does the syscall wrapper modify arguments? 20

Enforcing Symbol Integrity program mmap() library link address return address Dynamic linking uses function symbols Symbol mmap has to be exported by the library imported by the program Match symbol of function identified by return address imports of binary identified by link address 21

Exploit Mitigation Attack class Technique Defense Code injection Code reuse inject code in data segment inject (and overwrite existing) code in text segment use indirect jump gadget use gadget that calls library function code provenance code integrity (instruction mismatch) code integrity (target of branch does not match) symbol integrity (function not imported) argument integrity (argument mismatch) 22

Exploit Mitigation: Code Reuse lui $t9, mmap_address Indirect jump gadget... lui $t9, write@plt li $a0, 2 jalr $t9 nop mmap Violates call chain integrity register $t9 does not match invariant 23

Exploit Mitigation: Code Reuse lui $a0, 12 Fixed jump gadget... lui $a0, 1 jal write nop Violates argument integrity runtime state value for $a0 contradicts invariant write can only access stdout 24

Exploit Mitigation: Code Reuse lui $a2, 7 Fixed jump gadget... lui $a2, 5 jal mmap nop Violates argument integrity runtime state value for $a2 contradicts invariant: RWX (7) vs. RX (5) mmap can only map read/write 25

Exploit Mitigation: Code Reuse lui $t9, system_address Indirect jump gadget... beq $a0, locb li $a0, 2 jalr $t9 nop system Violates symbol integrity system is not imported by the program 26

The BINtegrity System Process Runtime Information Binary Library 1 N stripped binaries Emulation Engine ELF Parser Disassembler Emulator ARM (+thumb) MIPS TACB Invariant Cache State Integrity Enforcer BINtegrity Kernel Module 27

Performance Evaluation Buffalo Router WZR-HP-G450H (MIPS) Apache benchmark & nginx runtime overhead: 2.03% Galaxy Nexus Phone (ARM) AnTuTu benchmark measures Android runtime & I/O subsystem runtime overhead: 1.2% 28

Internal Performance Evaluation Costly operations reading and parsing files instruction emulation Memory footprint Kernel module code Cache cache invariants for < 257 code points 16 bytes per code point requires total of 12KB per process 29

Performance: Caching 30

Performance: Invariant Extractions 31

Conclusions Cover-all-bases mitigation approach from payload injection, over hijacking control flow, to running the payload Practical no rewriting, no instrumentation, no configuration transparent to applications Efficient only 2% overhead in application-level benchmarks Open source download at http://www.bintegrity.org/ 32

End 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback