Selected background on ARM registers, stack layout, and calling convention

Similar documents
Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Inject malicious code Call any library functions Modify the original code

Just-in-Time Code Reuse

Control-Flow Attacks and Defenses

Return-orientated Programming

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSE 509: Computer Security

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Outline. Memory Exploit

CMPSC 497 Buffer Overflow Vulnerabilities

Exercise 6: Buffer Overflow and return-into-libc Attacks

Practical Malware Analysis

String Oriented Programming Exploring Format String Attacks. Mathias Payer

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

The Geometry of Innocent Flesh on the Bone

Secure Systems Engineering

Advanced Buffer Overflow

Defeating Return-Oriented Rootkits with Return-less Kernels

CS 161 Computer Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Basic Buffer Overflows

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

20: Exploits and Containment

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Lecture 08 Control-flow Hijacking Defenses

Course Administration

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Buffer Overflow and Protection Technology. Department of Computer Science,

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Advanced Buffer Overflow

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Outline. Format string attack layout. Null pointer dereference

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

CS 161 Computer Security

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Intro to x86 Binaries. From ASM to exploit

Module 8: Atmega32 Stack & Subroutine. Stack Pointer Subroutine Call function

Defense against Code-injection, and Code-reuse Attack

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Outline. Heap meta-data. Non-control data overwrite

Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher

Part 7. Stacks. Stack. Stack. Examples of Stacks. Stack Operation: Push. Piles of Data. The Stack

Buffer Overflow Attack (AskCypert CLaaS)

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Smashing the Buffer. Miroslav Štampar

Software Security: Buffer Overflow Defenses

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Return-Oriented Rootkits

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Runtime Attacks: Buffer Overflow and Return-Oriented Programming

Run-time Environment

Software Security II: Memory Errors - Attacks & Defenses

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Lecture 10 Code Reuse

Advanced Systems Security: Control-Flow Integrity

Writing Exploits. Nethemba s.r.o.

Do-While Example. In C++ In assembly language. do { z--; while (a == b); z = b; loop: addi $s2, $s2, -1 beq $s0, $s1, loop or $s2, $s1, $zero

Chapter 9 :: Subroutines and Control Abstraction

Stack Frames. September 2, Indiana University. Geoffrey Brown, Bryce Himebaugh 2015 September 2, / 15

EE4144: ARM Cortex-M Processor

Systems I. Machine-Level Programming V: Procedures

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

18-600: Recitation #4 Exploits

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer Overflows Defending against arbitrary code insertion and execution

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

CSIS1120A. 10. Instruction Set & Addressing Mode. CSIS1120A 10. Instruction Set & Addressing Mode 1

Architecture-level Security Vulnerabilities

Lecture 4 September Required reading materials for this class

INTRODUCTION TO EXPLOIT DEVELOPMENT

x86 assembly CS449 Fall 2017

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Systems Architecture The Stack and Subroutines

Implementing Procedure Calls

CSE509 System Security

Architecture. Digital Computer Design

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

CS 480 Fall Runtime Environments. Mike Lam, Professor. (a.k.a. procedure calls and heap management)

Lecture 7: Procedures and Program Execution Preview

Biography. Background

Memory Usage 0x7fffffff. stack. dynamic data. static data 0x Code Reserved 0x x A software convention

CSE 127 Computer Security

Architecture-level Security Vulnerabilities. Julian Stecklina

Everybody be cool, this is a roppery!

Native Language Exploitation

ARM Cortex-M4 Architecture and Instruction Set 4: The Stack and subroutines

Return oriented programming

Sneha Rajguru & Prajwal Panchmahalkar

Transcription:

Selected background on ARM registers, stack layout, and calling convention

ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption Follows RISC design Mostly single-cycle execution Fixed instruction length Dedicated load and store instructions ARM features XN (execute Never) Bit

ARM Overview Some features of ARM Conditional Execution Two Instruction Sets ARM (32-Bit) The traditional instruction set THUMB (16-Bit) Suitable for devices that provide limited memory space The processor can exchange the instruction set on-the-fly Both instruction sets may occur in a single program 3-Register-Instruction Set instruction destination, source, source ADD r0,r1,r2 r0 = r1 + r2

ARM Registers ARM s 32 Bit processor features 16 registers All registers r0 to r15 are directly accessible Function arguments and results from function (caller-save) Register variables (callee-save) r0 r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 Holds Top Address of the Stack Holds Return Address Status Register: e.g., Carry Flag Sometimes used for long jumps, i.e., branches that require the full ARM 32 Bit address space Intra Procedure Call Register Stack Pointer Link Register Program Counter Control Program Status Register r12/ip r13/sp r14/lr r15/pc Next address of instruction to be executed cpsr

High Addresses Stack grows downwards ARM Stack Layout Stack Frame Function Arguments Return Address Saved Frame Pointer Callee-Save Registers* Local Variables The first four arguments are passed via r0 to r3. This area is only used if more than four 4-Byte arguments are expected, or when the callee needs to save function arguments Frame Pointer (r7 or r11) Low Addresses Stack Pointer (sp) * Note that a subroutine does not always store all callee-save registers (r4 to r11); instead it stores those registers that it really uses/changes

The Stack and Stack Frame Elements Stack is a last in, first out (LIFO) memory area where the Stack Pointer points to the last stored element on the stack The stack can be accessed by two basic operations 1. PUSH elements onto the stack (SP is decremented) 2. POP elements off the stack (SP is incremented) Stack is divided into individual stack frames Each function call sets up a new stack frame on top of the stack 1. Function arguments Arguments provided by the caller of the function 2. Callee-save Registers Registers that a subroutine (callee) needs to reset before returning to the caller of the subroutine 3. Return address Upon function return control transfers to the code pointed to by the return address (i.e., control transfers back to the caller of the function) 4. Saved Frame Pointer/Saved Base Pointer Frame pointer/base pointer of the calling function Variables and arguments are accessed via an offset to the frame pointer/base pointer Provided in register r11 (ARM code), r7 (THUMB code), or EBP (x86 code) 5. Local variables Variables that the called function uses internally

Function Calls on ARM Branch with Link BL addr Branches to addr, and stores the return address in link register lr/r14 The return address is simply the address that follows the BL instruction Branch with Link and exchange instruction set BLX addr reg Branches to addr reg, and stores the return address in lr/r14 This instruction allows the exchange between ARM and THUMB ARM->THUMB: LSB=1 THUMB->ARM: LSB=0

Function Returns on ARM Branch with exchange instruction set BX lr Branches to the return address stored in the link register lr Register-based return for leaf functions POP {pc} Pops top of the stack into the program counter pc/r15 Stack-based return for non-leaf functions

THUMB Example for Calling Convention Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee-save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables Function Epilogue 2: POP {r4,r7,pc} The POP instruction pops the callee-save register r4, the saved frame pointer r7, and the return address off the stack which is loaded it into the program counter pc Hence, the execution will continue in the main function Stack Return Address lr SFP (r7) r4 Code <main>: BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp

THUMB Example for Calling Convention Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee-save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables Function Epilogue 2: POP {r4,r7,pc} The POP instruction pops the callee-save register r4, the saved frame pointer r7, and the return address off the stack which is loaded it into the program counter pc Hence, the execution will continue in the main function Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code <main>: BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp

THUMB Example for Calling Convention Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee-save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables Function Epilogue 2: POP {r4,r7,pc} The POP instruction pops the callee-save register r4, the saved frame pointer r7, and the return address off the stack which is loaded it into the program counter pc Hence, the execution will continue in the main function Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code <main>: BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp

THUMB Example for Calling Convention Function Call: BL Function_A The BL instruction automatically loads the return address into the link register lr Function Prologue 1: PUSH {r4,r7,lr} Stores callee-save register r4, the frame pointer r7, and the return address lr on the stack Function Prologue 2: SUB sp,sp,#16 Allocates 16 Bytes for local variables on the stack Function Body: Instructions, Function Epilogue 2: ADD sp,sp,#16 Reallocates the space for local variables Function Epilogue 2: POP {r4,r7,pc} The POP instruction pops the callee-save register r4, the saved frame pointer r7, and the return address off the stack which is loaded it into the program counter pc Hence, the execution will continue in the main function Stack Return Address lr SFP (r7) r4 16 Bytes for local variables Code <main>: BL Function_A <Function_A>: PUSH {r4,r7,lr} SUB sp,sp,#16 ADD sp,sp,#16 POP {r4,r7,pc} sp

Let s go back to runtime attacks

Running Example

Launching a code injection attack against the vulnerable program

Code Injection Attack on ARM Adversary Stack Return Address SFP & Other Regs. Local Buffer Buffer[80] sp Code <main>: BLX echo() BLX printf(), <echo>: Function Prologue BLX gets(buffer), Function Epilogue Program Memory

Code Injection Attack on ARM Stack Adversary Corrupt Control Structures NEW RETURN ADDR PATTERN SHELLCODE Code <main>: BLX echo() BLX printf(), sp <echo>: Function Prologue BLX gets(buffer), Function Epilogue Program Memory

Code Injection Attack on ARM Adversary Stack NEW RETURN ADDR PATTERN SHELLCODE sp Code <main>: BLX echo() BLX printf(), <echo>: Function Prologue BLX gets(buffer), Function Epilogue Program Memory

Code-Reuse Attacks

It started with return-into-libc Basic idea of return-into-libc Redirect execution to functions in shared libraries Main target is UNIX C library libc Libc is linked to nearly every Unix program Defines system calls and other basic facilities such as open(), malloc(), printf(), system(), execve(), etc. Attack example: system ( /bin/sh ), exit()

Implementation of return-into-libc attacks on ARM

Stack Adversary Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Inject environment variable Environment Variables $SHELL = "/bin/sh" Program Memory

Stack Adversary Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Stack Adversary Return Address SFP & Other Regs. Local Buffer Buffer[80] sp Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Corrupt Control Structures Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp echo() now returns! Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Execution redirected to XYZ_function Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Load argument in R0, i.e., address to /bin/sh string is loaded into R0 Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp Execution is now redirected to system Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Adversary Stack Pointer to system Pointer to $SHELL Return Pointer Address to XYZ SFP PATTERN & Other Regs. 2 Local Buffer PATTERN 1 Buffer[80] sp system ( /bin/sh ) executes Program Code <main>: BLX echo() <echo>: Function Prologue BLX gets(buffer), Function Epilogue Library Code <system>: Function Prologue Function Epilogue <XYZ_function>: POP {R0} Environment Variables $SHELL = "/bin/sh" Program Memory

Limitations No branching, i.e., no arbitrary code execution Critical functions can be eliminated or wrapped

Generalization of return-into-libc attacks: return-oriented programming (ROP) [Shacham, ACM CCS 2007]

The Big Picture Re t u r n o r ien ted Pro g ra mm ing

ROP Adversary Model/Assumption Application Shared Libraries Code Area MEMORY Application Address Space 4 Adversary can write ROP payload in the data area (stack/heap) Data Area ROP Payload 3 1 Adversary can hijack control-flow (buffer overflow) 2 Adversary knows the memory layout (memory disclosure) Adversary can construct gadgets MOV ADD Gadget Space (e.g., Shared Libraries) ESP CALL LNOP XOR LOAD STORE

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins SP Corrupt Control Structures Program Stack Return Address 3 Value 2 Value 1 Return Address 2 Return Address 1 REG1: REG2: Sequence 2 POP REG1 POP REG2 Sequence 3 asm_ins

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins SP Program Stack Return Address 3 Value 2 Value 1 Return Address 2 Return Address 1 REG1: REG2: Sequence 2 POP REG1 POP REG2 Sequence 3 asm_ins

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins SP Program Stack Return Address 3 Value 2 Value 1 Return Address 2 Return Address 1 REG1: REG2: Sequence 2 POP REG1 POP REG2 Sequence 3 asm_ins Value 1

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins SP Program Stack Return Address 3 Value 2 Value 1 Return Address 2 Return Address 1 REG1: Sequence 2 POP REG1 POP REG2 Sequence 3 asm_ins Value 1 REG2: Value 2

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins Program Stack Sequence 2 POP REG1 POP REG2 SP Return Address 3 Value 2 Value 1 Sequence 3 asm_ins... Return Address 2 Return Address 1 REG1: Value 1 REG2: Value 2

Summary of Basic Idea Perform arbitrary computation with return-into-libc techniques Approach Use small instruction sequences (e.g., of libc) instead of using whole functions Instruction sequences range from 2 to 5 instructions All sequences end with a return (POP{PC}) instruction Instruction sequences are chained together to a gadget A gadget performs a particular task (e.g., load, store, xor, or branch) Afterwards, the adversary enforces his desired actions by combining the gadgets

Special Aspects of ROP

Code Base and Turing-Completeness Application Code Shared Libraries Static Analysis MOV reg1, 0x1 RET MOV reg2, 0x2 RET ADDGADGET reg1, reg2 SPACE RET

Code Base and Turing-Completeness Application Code Shared Libraries Static Analysis MOV CALL Uncond. JMP Logic. Cond. JMP STORE LOAD Arith. GADGET SPACE Optional Turing-complete language Mandatory

Gadget Space on Different Architectures Architectures with no memory alignment, e.g., Intel x86 Architectures with memory alignment, e.g., SPARC, ARM GADGET SPACE GADGET SPACE B8 13 00 00 00 E9 C3 F8 FF FF Intended Code mov $0x13,%eax jmp 3aae9 00 00 00 E9 C3 Unintended Code add %al,(%eax) add %ch,%cl ret

Stack Pivot [Zovi, RSA Conference 2010] Stack pointer plays an important role It operates as an instruction pointer in ROP attacks Challenge In order to launch a ROP exploit based on a heap overflow, we need to set the stack pointer to point to the heap This is achieved by a stack pivot

Stack Pivot in Detail Stack SP TOP of Stack Heap Return Address 3 Return Address 2 Return Address 1 Code label_pivot: Stack Pivot MOV SP, REG1* Function Ptr *REG1 is controlled by the adversary and holds beginning of ROP payload

Stack Pivot in Detail Stack SP TOP of Stack Heap Return Address 3 Return Address 2 Return Address 1 Code label_pivot: Stack Pivot MOV SP, REG1* label_pivot *REG1 is controlled by the adversary and holds beginning of ROP payload

Stack Pivot in Detail Stack SP TOP of Stack Heap Return Address 3 Return Address 2 Return Address 1 Code label_pivot: Stack Pivot MOV SP, REG1* label_pivot *REG1 is controlled by the adversary and holds beginning of ROP payload

ROP Variants Motivation: return address protection (shadow stack) Validate every return (intended and unintended) against valid copies of return addresses [Davi et al., AsiaCCS 2011] Exploit indirect jumps and calls ROP without returns [Checkoway et al., ACM CCS 2010]

CURRENT RESEARCH

1997 2001 2005 2007 2008 2009 2010 2011/ 2012 2013 ROP Rootkits Hund et al (USENIX) ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunk Exploitation Krahmer ROP on SPARC Buchanan et al (CCS) ROP without Returns Checkoway et al (CCS) JIT-ROP Snow et al (IEEE S&P) Blind ROP Bittau et al (IEEE S&P) ROP on x86 Shacham (CCS) ROP on PowerPC FX Lindner (BlackHat) ROP on Atmel AVR Francillon et al (CCS) Practical ROP Zovi (RSA Conference) Out-Of-Control Göktas et al (IEEE S&P) SELECTED ROP on ARM/iOS Miller et al (BlackHat) Pwn2Own (ios/ie) Iozzo et al / Nils Real-World Exploits 2014 Stitching Gadgets Davi et al (USENIX) Flushing Attacks Schuster et al (RAID) ROP is Dangerous Carlini et al (USENIX)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback