Protecting Against Unexpected System Calls

Similar documents
Protecting Against Unexpected System Calls

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

The Geometry of Innocent Flesh on the Bone

Università Ca Foscari Venezia

CPEG421/621 Tutorial

Return-orientated Programming

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CS5460/6460: Operating Systems. Lecture 21: Shared libraries. Anton Burtsev March, 2014

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Protection and System Calls. Otto J. Anshus

Fixing/Making Holes in Binaries

ECE 598 Advanced Operating Systems Lecture 10

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Post exploitation techniques on OSX and Iphone. Vincenzo Iozzo

Syscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

CSC369 Lecture 2. Larry Zhang

Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin

Mechanisms for entering the system

Machine Code and Assemblers November 6

ROP It Like It s Hot!

Linking and Loading. ICS312 - Spring 2010 Machine-Level and Systems Programming. Henri Casanova

3. Process Management in xv6

Outline. Outline. Common Linux tools to explore object/executable files. Revealing Internals of Loader. Zhiqiang Lin

Inline Reference Monitoring Techniques

CSC369 Lecture 2. Larry Zhang, September 21, 2015

ECE 471 Embedded Systems Lecture 4

Program Exploitation Intro

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Virtual Memory Paging

Outline. Unresolved references

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Overview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading

Securing Untrusted Code

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Incremental Linking with Gold

µ-kernel Construction (12)

Control Flow Integrity for COTS Binaries Report

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK

The x86 Architecture

Buffer Overflow Vulnerability

Biography. Background

CSC 405 Computer Security Shellcode

Confinement (Running Untrusted Programs)

Register Allocation, iii. Bringing in functions & using spilling & coalescing

Process Address Spaces and Binary Formats

Comparison Of File Infection On The Windows And Linux lclee_vx / F-13 Labs, lychan25/f-13 Labs

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Implementing Subroutines. Outline [1]

Rootkits n Stuff

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

TABLE OF CONTENT 1. Abstract: Terminology Introduction Basic Shellcoding Solving The Addressing Problem Hash API

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Assembly Language: Function Calls" Goals of this Lecture"

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

T Jarkko Turkulainen, F-Secure Corporation

How to Sandbox IIS Automatically without 0 False Positive and Negative

CSE 509: Computer Security

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

CMSC 313 Lecture 14 Reminder: Midterm Exam next Tues (10/26) Project 4 Questions Virtual Memory on Linux/Pentium platform

Runtime Process Insemination

From Over ow to Shell

Assembly Language: Function Calls" Goals of this Lecture"

Linux Forensics. Newbug Tseng Oct

U23 - Binary Exploitation

Process Environment. Pradipta De

Shellcode Analysis. Chapter 19

THEORY OF COMPILATION

COS 318: Operating Systems. Overview. Prof. Margaret Martonosi Computer Science Department Princeton University

System Calls. A contract between processes and the operating system. Michael E. Locasto. Department of Computer Science UofC CPSC 457

Outline. Memory Exploit

Lecture 4 CIS 341: COMPILERS

x86 Assembly Crash Course Don Porter

OpenBSD Remote Exploit

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions

CSE 153 Design of Operating Systems Fall 18

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Machine and Assembly Language Principles

Systems Architecture I

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Digital Forensics Lecture 3 - Reverse Engineering

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

What You Need to Know for Project Three. Dave Eckhardt Steve Muckle

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization

Homework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1

Vulnerability Analysis I:

Assembly Language: Function Calls

ISA564 SECURITY LAB. Shellcode. George Mason University

Shellcode. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona. Tel Fax

CSE 153 Design of Operating Systems

Runtime Defenses against Memory Corruption

Transcription:

Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman Department of Computer Science University of Arizona Presented By: Mohamed Hassan

Code Injection What is a system call? What is code Injection? How it works? Exploit a vulnerability in a program (usually a server) Introduces the attacker code into the program Trick the program to run the attacker code To do real damage (get root shell, change permissions,..) the attacker code will execute one or more system calls

How to defeat it? Use a mix of defense mechanism to prevent code injection Defense mechanisms Novice: Interrupt address table (IAT) Disguising system call instruction Code Pocketing Existing ones Dead and useless code insertion Randomization and Binary obfuscation

Some Basics System call mechanism Load arguments in registers EBX, ECX, EDX, ESI and EDI (if more push it on the stack) Load syscall number into EAX Execute int 0x80 HW Pushs PC on the stack (next instruction) Pass control to the kernel ELF (Executable and Linkable format) Extensible Binary file format It contains a Header that describes the subsequent sections that contain code, data, bss and GOT Dynamic Vs Static linking?

More basics Static linking Reference to library function are included during compile-time/link-time. Dynamic Linking Linked during runtime by the dynamic loader Each routine has unique entries in the GOT (global offset table) and PLT (procedure linkage table) In lazy binding, these entries points to the dynamic linker which will locate the referenced routines (first call only) and update the GOT and PLT tables In eager binding, the linker will resolve all entries during the setup phase of he program

Attack Model The attacker ultimate goal is to execute a system call How? Attacker code invoke the system call directly (direct) Attacker will scan the code for a function that makes system call (mimicry attacks)

Prevention I (Direct System call attack) Interrupts Address Table (IAT) Add semantic information about the system calls invoked in the program Each system call entry in the IAT of the next instruction and the system call number The IAT is stored in an internal data structure in the kernel (Why?) In dynamic linking, the linker will load the library IAT If an attacker calls a system call and the call is not in the table or the next instruction (on the stack) doesn t match any then it is an intrusion

Prevention II (code scanning attack) Disguising System Calls Replace system calls with faulting instructions (div by zero) Kernel lookup the IAT and if it is a disguise the kernel executes the correct Instruction Hiding the location of functions that make a system call Delete all symbol information that refers to linked functions What about dynamic linking? (it needs the these information) Unmap the shared object s symbol table Add fake entries in the PLT and GOT

Prevention II Cont d If the attackers cannot fine system call or functions they will scan for byte sequence (fingerprints) To prevent this: Add dead and useless code such as nop; add $0, r; push r; pop r; Layout randomization and binary obfuscation Pocketing

Experiment and Results Target m88ksim (it has a lot of system calls) Devised an attack for each case: Known address attack Scanning attack Identify system calls directly Identify functions that will lead to system calls All the these synthetic attacks were unsuccessful

Cost (Overhead) IAT checking overhead on average (SpecInt-2000) Runtime/system call: 0.25 usec File size: 0.11% Memory Size: 0.45% Total exec time: 1.7% Transformation costs (to avoid scanning attacks) Randomization and nops :Much smaller than other optimization techniques Pocketing: 85% overhead

Take Away If you can integrate related ideas together in a reasonable manner, you can end up with a good idea Criticism Many, much, few (Do the math) Review the paper before submittingx

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback