Lecture 08 Control-flow Hijacking Defenses

Similar documents
Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

CSC 405 Computer Security Stack Canaries & ASLR

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

20: Exploits and Containment

CMPSC 497 Buffer Overflow Vulnerabilities

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Software Security: Buffer Overflow Defenses

Advanced Buffer Overflow

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Basic Buffer Overflows

Software Security II: Memory Errors - Attacks & Defenses

Writing Exploits. Nethemba s.r.o.

Architecture-level Security Vulnerabilities

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Return-orientated Programming

Software Security (cont.): Defenses, Adv. Attacks, & More

Software Security: Buffer Overflow Attacks (continued)

CSE 127 Computer Security

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Università Ca Foscari Venezia

Outline. Format string attack layout. Null pointer dereference

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Advanced Buffer Overflow

Architecture-level Security Vulnerabilities. Julian Stecklina

CSE 127 Computer Security

Memory corruption countermeasures

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Outline. Heap meta-data. Non-control data overwrite

CSE 127 Computer Security

CS 161 Computer Security

Buffer Overflow and Protection Technology. Department of Computer Science,

Buffer overflows. Specific topics:

Smashing the Buffer. Miroslav Štampar

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Buffer Overflows Defending against arbitrary code insertion and execution

Software Security: Buffer Overflow Attacks

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Sungkyunkwan University

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Machine-Level Programming V: Buffer overflow

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

CS 241 Honors Security

Runtime Defenses against Memory Corruption

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Q: Exploit Hardening Made Easy

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Lab 2: Buffer Overflows

CS 161 Computer Security

INTRODUCTION TO EXPLOIT DEVELOPMENT

Sandwiches for everyone

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

From Over ow to Shell

18-600: Recitation #4 Exploits

Software Security: Buffer Overflow Defenses and Miscellaneous

Buffer Overflow Attacks

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

The Geometry of Innocent Flesh on the Bone

Lecture 1: Buffer Overflows

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

Biography. Background

Buffer Overflow Attack

ROP It Like It s Hot!

Buffer Overflow Vulnerability

Secure Systems Engineering

1/31/2007 C. Edward Chow. CS591 Page 1

Buffer Overflow Attack

Buffer Overflow Attack (AskCypert CLaaS)

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

(Early) Memory Corruption Attacks

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CSE 565 Computer Security Fall 2018

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Control Hijacking Attacks

18-600: Recitation #4 Exploits (Attack Lab)

Stack overflow exploitation

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

buffer overflow exploitation

Machine- Level Programming V: Advanced Topics

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

CSE 509: Computer Security

Lecture 10 Code Reuse

Buffer Overflow Attacks

Buffer Overflow. An Introduction

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Transcription:

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley

Control Flow Hijack: Always control + computation shellcode (aka payload) padding &buf computation + control code injection return-to-libc Heap metadata overwrite return-oriented programming... Same principle, different mechanism 2

Control Flow Hijacks happen when an attacker gains control of the instruction pointer. Two common hijack methods: buffer overflows format string attacks 3

Control Flow Hijack Defenses Bugs are the root cause of hijacks! Find bugs with analysis tools Prove program correctness Mitigation Techniques: Canaries Data Execution Prevention/No execute Address Space Layout Randomization 4

CANARY / STACK COOKIES http://en.wikipedia.org/wiki/file:domestic_canary_-_serinus_canaria.jpg 5

A x68. \xef\xbe\xad\xde #include<string.h> int main(int argc, char **argv) { } char buf[64]; strcpy(buf, argv[1]); Dump of assembler code for function main: 0x080483e4 <+0>: push %ebp 0x080483e5 <+1>: mov %esp,%ebp 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov 0x080483f4 <+16>: lea 0x080483f7 <+19>: mov 0x080483fa <+22>: call 0x080483ff <+27>: leave 0x08048400 <+28>: ret %eax,4(%esp) -64(%ebp),%eax %eax,(%esp) 0x8048300 <strcpy@plt> argv argc return addr caller s ebp buf (64 bytes) argv[1] buf %ebp %esp 6 6

A x68. \xef\xbe\xad\xde #include<string.h> int main(int argc, char **argv) { } char buf[64]; strcpy(buf, argv[1]); Dump of assembler code for function main: 0x080483e4 <+0>: push %ebp 0x080483e5 <+1>: mov %esp,%ebp 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov 0x080483f4 <+16>: lea 0x080483f7 <+19>: mov 0x080483fa <+22>: call 0x080483ff <+27>: leave 0x08048400 <+28>: ret %eax,4(%esp) -64(%ebp),%eax %eax,(%esp) corrupted overwritten overwritten 0x8048300 <strcpy@plt> argv argc 0xDEADBEEF return addr caller s AAAAebp buf (64 bytes) AAAA (64 in total) argv[1] buf %ebp %esp 7 7

StackGuard [Cowen etal. 1998] Idea: prologue introduces a canary word between return addr and locals epilogue checks canary before function returns arg 2 arg 1 return addr caller s ebp callee-save CANARY locals %ebp Wrong Canary => Overflow %esp 8

gcc Stack-Smashing Protector (ProPolice) Dump of assembler code for function main: 0x08048440 <+0>: push %ebp 0x08048441 <+1>: mov %esp,%ebp 0x08048443 <+3>: sub $76,%esp 0x08048446 <+6>: mov %gs:20,%eax 0x0804844c <+12>: mov 0x0804844f <+15>: xor 0x08048451 <+17>: mov 0x08048454 <+20>: mov 0x08048457 <+23>: mov 0x0804845b <+27>: lea 0x0804845e <+30>: mov 0x08048461 <+33>: call 0x08048466 <+38>: mov 0x08048469 <+41>: xor 0x08048470 <+48>: je 0x08048472 <+50>: call 0x08048477 <+55>: leave 0x08048478 <+56>: ret %eax,-4(%ebp) %eax,%eax 12(%ebp),%eax 4(%eax),%eax %eax,4(%esp) -68(%ebp),%eax %eax,(%esp) 0x8048350 <strcpy@plt> -4(%ebp),%edx %gs:20,%edx 0x8048477 <main+55> 0x8048340 < stack_chk_fail@plt> Compiled with v4.6.1: gcc -fstack-protector -O1 return addr caller s ebp CANARY buf (64 bytes) 9

Canary should be HARD to Forge Terminator Canary 4 bytes: 0,CR,LF,-1 (low->high) terminate strcpy(), gets(), Random Canary 4 random bytes chosen at load time stored in a guarded page need good randomness 10

Ideas for defeating stack canaries? Use targeted write, e.g., format string Overwrite data pointer first Overwrite function pointer loaded and used from higher up the stack memcpy buffer overflow with fixed canary Canary leak return addr caller s ebp CANARY buf (64 bytes)

Bypass: Data Pointer Subterfuge Overwrite a data pointer first int *ptr; char buf[64]; memcpy(buf, user1); *ptr = user2; return addr caller s ebp CANARY ptr buf (64 bytes) 12

Overwrite function pointer higher up void contrived(const char *user, void (*fun)(char *)) { char buf[64]; strcpy(buf, user); fun fun(buf); user } Overflow buffer to overwrite fun on the stack Tricky! Compiler can load fun into a register before strcpy (this can happen with optimization) Works better with structs with function pointers (e.g., OpenSSL) or C++ classes return addr caller s ebp CANARY buf (64 bytes)

memcpy/memmove with fixed canary Fixed canary values like 00 0d 0a ff (0, CR, NL, -1) are designed to terminate string operations like strcpy and gets However, they are trivial to bypass with memcpy vulnerabilities

Canary leak I: two vulnerabilities Exploit one vulnerability to read the value of the canary Exploit a second to perform a buffer overflow on the stack, overwriting the canary with the correct value

Canary leak II: pre-fork servers Some servers fork worker processes to handle connections In the main server process Establish listening socket Fork all the workers; if any die, fork a new one In the worker process (in a loop) Accept a connection on the listening socket Process request

Canary leak II: pre-fork servers This design interacts poorly with stack canaries Since each worker is forked from the main process, it initially has exactly the same memory layout and contents, including stack canary values! Attacker can often learn the canary a byte at a time by overflowing just a single byte of the canary, trying values 00 through ff until it doesn t crash; then move on to the next byte

What is Canary? Wikipedia: the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system. 18

DATA EXECUTION PREVENTION (DEP) / NO EXECUTE (NX)/ EXECUTE DISABLED (XD)/ EXECUTE NEVER (XN) 19

How to defeat exploits? shellcode padding &buf computation + control DEP Canary 20

Memory permissions Set (or clear) a bit in a page table entry to prevent code from being executed Enforced by hardware: Trying to fetch an instruction from a page marked as non-executable causes a processor fault

Data Execution Prevention shellcode padding &buf CRASH Mark stack as non-executable using NX bit (still a Denial-of-Service attack!) 23

W ^ X shellcode padding &buf CRASH Each memory page is exclusively either writable or executable. (still a Denial-of-Service attack!) 24

Actually a pretty old idea MIPS R2000 (from 1986) has per-page readable, writable, executable bits Intel 80386 (from 1985) does not. Mapped pages are always readable and executable Intel 80286 (from 1982) introduced 16-bit protected mode where code, data, and stack segments can be separated The 386 has a 32-bit protected mode but most OSes set code, data, and stack segments to be the entire virtual address space

Physical Address Extension Intel added an extension to increase the size of allowable physical memory beyond 4 GB PAE changed the page table format, added a third level of translation, and added the execute disable bit (but the OS has to enable both PAE and NX support) x86-64 uses the PAE format and thus supports NX

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) 27

buf[63] addr of buf (0xffffd5d8) caller s ebp buf 0xffffd618 Address Space Layout Randomization addr of buf (0xffffd5d8) caller s ebp buf 0xffffe428 buf[0] Shellcode 0xffffd5d8 Shellcode 0xffffe3f8 Oops 0xffffd5d8 28

ASLR Traditional exploits need precise addresses stack-based overflows: location of shell code return-to-libc: library addresses (we ll talk about this next time) Problem: program s memory layout is fixed stack, heap, libraries etc. Solution: randomize addresses of each region! 29

Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

Running cat Twice Run 1 Run 2 31

Bits of randomness (32-bit x86) Depends on the OS, but roughly Program code and data: 0 bits (fixed addresses) Heap: 13 bits (2^13 possible start locations) Stack: 19 bits (2^19 possible start locations) Libraries: 8 bits (2^8 possible start locations) With position-independent executables (PIE) Program code and data: 8 bits Others the same 64-bit has much more randomness

Support for ASLR added over time Initially by the PaX team for Linux All major OSes support it for applications Kernel ASLR now supported by major OSes

Is DEP + ASLR a panacea? Not really Next time: DEP bypass via code reuse attacks How can we bypass ASLR?

Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

Bypassing ASLR Older Linux would let local attackers read the stack start address from /proc/<pid>/stat Non-PIE binaries have fixed code and data addresses Each region has a random offset, but fixed layout => learning a single address in a region gives every address in the region Servers that re-spawn (even with new randomization) can be brute forced when number of bits of randomness is low

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback