String Oriented Programming Exploring Format String Attacks. Mathias Payer

Similar documents
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation. Mathias Payer

in memory: an evolution of attacks Mathias Payer Purdue University

Return-orientated Programming

Architecture-level Security Vulnerabilities

Writing Exploits. Nethemba s.r.o.

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CS 161 Computer Security

Architecture-level Security Vulnerabilities. Julian Stecklina

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CSE 509: Computer Security

Smashing the Buffer. Miroslav Štampar

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

The Geometry of Innocent Flesh on the Bone

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

On Compilers, Memory Errors and Control-Flow Integrity

CS 161 Computer Security

Buffer Overflows Defending against arbitrary code insertion and execution

Exploit Mitigation - PIE

Exploits and gdb. Tutorial 5

Software Security: Buffer Overflow Defenses

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Outline. Memory Exploit

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Exercise 6: Buffer Overflow and return-into-libc Attacks

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Systems Engineering

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Outline. Heap meta-data. Non-control data overwrite

Biography. Background

SoK: Eternal War in Memory

18-600: Recitation #4 Exploits

Software Security: Buffer Overflow Attacks (continued)

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Advanced Buffer Overflow

20: Exploits and Containment

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Selected background on ARM registers, stack layout, and calling convention

CSE 127 Computer Security

Lecture 08 Control-flow Hijacking Defenses

CSE 127 Computer Security

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CSE 127 Computer Security

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Outline. Format string attack layout. Null pointer dereference

Advanced Buffer Overflow

CPEG421/621 Tutorial

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CS527 Software Security

Università Ca Foscari Venezia

Jump-Oriented Programming: A New Class of Code-Reuse Attack

Buffer Overflow Attacks

Lecture 10 Code Reuse

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

From Over ow to Shell

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Is stack overflow still a problem?

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Q: Exploit Hardening Made Easy

18-600: Recitation #4 Exploits (Attack Lab)

Function Call Convention

Advanced Systems Security: Control-Flow Integrity

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

Remix: On-demand Live Randomization

Software Security II: Memory Errors - Attacks & Defenses

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

INTRODUCTION TO EXPLOIT DEVELOPMENT

CSE509 System Security

Return-Oriented Rootkits

Midterm 1 Review. Memory Safety & Web Attacks

Inject malicious code Call any library functions Modify the original code

Advanced Computer Networks Smashing the Stack for Fun and Profit

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Software Security: Buffer Overflow Attacks

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Buffer Overflow and Protection Technology. Department of Computer Science,

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Payload Already Inside: Data re-use for ROP Exploits

Memory Safety (cont d) Software Security

Lecture 4 CIS 341: COMPILERS

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Transcription:

String Oriented Programming Exploring Format String Attacks Mathias Payer

Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to construct (new protection mechanisms) Define a way to deterministically exploit format string bugs

Attack model Attacker with restricted privileges forces escalation Attacker knows source code and binary Successful attacks Redirect control flow to alternate location Injected code is executed or alternate data is used for existing code

Outline Motivation Attack model Attack vectors and protection mechanisms String Oriented Programming Conclusion

Code injection* Injects additional code into the runtime image Buffer overflow used to inject code as data 0xffe0 0xfff0 tmp saved base pointer return address 1 st argument: usr* void foo(char *usr) { char tmp[len]; strcpy(tmp, usr); } length of user input 0xffe0 nop slide & tmp exploit code 0xfff0 saved don't base care pointer return address 1 st argument: usr* 0xffff next stack frame 0xffff next stack frame * Aleph1, Phrack #49

Code injection* Injects additional code into the runtime image Buffer overflow used to inject code as data void foo(char *usr) { char tmp[len]; strcpy(tmp, usr); } Modern hardware and operating systems separate data and code Code injection is no longer feasible due to W X If the attacked program uses a JIT then WX pages might be available * Aleph1, Phrack #49

Protection mechanisms Data Execution Prevention (DEP / ExecShield) Enforces the executable bit (W X) on page granularity Changes: HW, kernel, loader Address Space Layout Randomization (ASLR) All memory addresses (heap / stack / libraries) are dynamic Application itself is static Changes: loader ProPolice (in gcc) Uses canaries on the stack to protect from stack-based overflows Changes: compiler

Return Oriented Programming (ROP)* ROP prepares several stack invocation frames Executes arbitrary code Stack-based buffer overflow as initial attack vector 0xffe0 Gadget catalog (at static addrs) 0xfff0 0xffff insns tmp ret insns ret insns ret saved base pointer return insns address ret 1 st argument: usr* next stack frame length of user input 0xffe0 0xfff0 0xffff (don't care) (don't care) return address (data) return address (data) return address (data) * Shacham, CCS'07

Return Oriented Programming (ROP)* ROP prepares several stack invocation frames Executes arbitrary code Stack-based buffer overflow as initial attack vector Executes alternate data with existing code Circumvents W X Hard to get around ASLR, ProPolice * Shacham, CCS'07

Jump Oriented Programming (JOP)* Uses dispatchers and indirect control flow transfers JOP extends and generalizes ROP Any data region can be used as scratch space Scratch space (at static addrs) gadget address (data) gadget address (data) gadget address (data) Gadget catalog (at static addrs) insns jmp * insns jmp * insns jmp * insns jmp * Dispatcher, e.g., add %edx, 4; jmp *(%edx) * Bletsch et al., ASIACCS'11

Jump Oriented Programming (JOP)* Uses dispatchers and indirect control flow transfers JOP extends and generalizes ROP Any data region can be used as scratch space Executes alternate data with existing code Circumvents W X Hard to get around ASLR, ProPolice (if stack data used) * Bletsch et al., ASIACCS'11

Format string attack* Attacker controlled format results in random writes Format strings consume parameters on the stack %n token inverses order of input, results in indirect memory write Often string is on stack and can be used to store pointers printf( "AAAACAAA" /* encode 2 halfword pointers */ "%1$49387c" Write 0xc0f3babe /* to 0x41414141: write 0xc0f3 8 bytes */ "%6$hn" printf("aaaacaaa%1$49387c%6$hn%1$63947c /* store at second HW */ "%1$61204c%5$hn" %5$hn"); /* repeat with 0xb007 */ ); Random writes are used to: Redirect control flow Prepare/inject malicious data * many, e.g., Haas, Defcon 18

Outline Motivation Attack model Attack vectors and protection mechanisms String Oriented Programming Conclusion

String Oriented Programming (SOP) SOP executes arbitrary code (through data) Needed: format string bug, attacker-controlled buffer on stack Not needed: buffer overflow, executable memory regions Executing code SOP builds on ROP/JOP Overwrites static instruction pointers (to initial ROP/JOP gadgets)

String Oriented Programming SOP patches and resolves addresses Application is static (this includes.plt and.got) Static program locations used to resolve relative addresses Resolving hidden functions ASLR randomizes ~10bit for libraries Modify parts of static.got pointers Hidden functions can be called without loader support

Running example void foo(char *arg) { char text[1024]; if (strlen(arg) >= 1024) return; strcpy(text, arg); printf(text); } // buffer on stack // length check // vulnerable printf foo(user_str); // unchecked user data

SOP: No Protection All addresses are known, no execution protection, no stack protection Redirects control flow to code in the format string saved ebp (0xFFE4) RIP to foo ptr to 0xFBD4 copy of &arg 0xFBD4 0xFFD4 0xFFF0 printf data printf frame 1024b buffer... foo frame... 12b unused... saved ebp eip to caller &arg main frame?... saved ebp (0xFFE4) RIP RIP to to 0xFBD4 foo ptr to 0xFBD4 copy of &arg 0xFBD4 0xFFD4 0xFFF0 printf data random write & exploit code... 12b unused... saved ebp eip to caller &arg?...

SOP: Only DEP DEP prevents code injection, rely on ROP/JOP instead GNU C compiler adds frame_lift gadget saved ebp (0xFFE4) RIP to foo ptr to 0xFBD4 copy of &arg 0xFBD4 0xFFD4 0xFFF0 printf data printf frame 1024b buffer... foo frame... 12b unused... saved ebp eip to caller &arg main frame?... saved ebp (0xFFE4) RIP to RIP frame_lift to foo ptr to 0xFBD4 copy of &arg 0xFBD4 random write & stack invocation frames 0xFFD4 0xFFF0 printf data... 12b unused... saved ebp eip to caller &arg?... add $0x1c,%esp pop %ebx pop %esi pop %edi pop %ebp ret

SOP: DEP & ProPolice ProPolice uses/enforces stack canaries Reuse attack mechanism, keep canaries intact printf data printf frame saved ebp (0xFFE4) RIP to foo ptr to 0xFBD8 copy of canary &arg 16b unused copy of canary &arg 12b unused 0xFBD8 1024b foo frame buffer... 0xFFD8 stack canary 0xFBD8 12b unused random write & stack invocation frames 0xFFD8 printf data saved ebp (0xFFE4) RIP to RIP frame_lift to foo ptr to 0xFBD8 copy of canary &arg 16b unused copy of canary &arg stack canary add $0x1c,%esp pop %ebx pop %esi pop %edi pop %ebp ret 0xFFF0 8b unused saved ebp eip to caller &arg main frame?... 0xFFF0 8b unused saved ebp eip to caller &arg?...

SOP: ASLR, DEP, ProPolice Combined defenses force SOP to reuse existing code Static code sequences in the application object Imported functions in the application (.plt and.got) Use random byte-writes to adjust.got entries void foo(char *prn){ char Enable text[1000]; other functions /// gadgets protected that on are stack not strcpy(text, prn); printf(text); imported // vulnerable printf puts("logged in\n"); // 'some' function } Combine stack invocation frames and indirect jump/call gadgets

SOP: ASLR, DEP, ProPolice Application (static) Libraries, heap, stack(s) (dynamic).init.plt system@plt puts@plt.text lift_esp_gadget.fini RX RW.got:.got.plt: printf "/bin/sh\0" stack_chk_fail puts Place data in RW section libc (text, data, got) heap Redirect imported function (JOP) printf data saved ebp (0xFFE4) RIP to foo ptr to 0xFBD8 copy of canary &arg 16b unused copy of canary &arg 12b unused 3 random writes & string array stack invocation frames stack canary 8b unused saved ebp eip to caller &arg 0xFBD8 0xFFD8?... 0xFFF0 Use ROP for fun & profit

Outline Motivation Attack model Attack vectors and protection mechanisms String Oriented Programming Conclusion

Conclusion String Oriented Programming (SOP) Relies on format string exploit Extends data oriented programming (ROP / JOP) Naturally circumvents DEP and ProPolice Reconstructs pointers and circumvents ASLR Format string bugs result in complete compromise of the application and full control for the attacker Protection against SOP needs more work (virtualization?) Look at the complete toolchain

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback