Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Similar documents
C- based applica-on exploits and countermeasures

C and C++: vulnerabilities, exploits and countermeasures

Runtime Defenses against Memory Corruption

Software Security: Buffer Overflow Defenses

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Software Security II: Memory Errors - Attacks & Defenses

Return-orientated Programming

Lecture 08 Control-flow Hijacking Defenses

Dnmaloc: a more secure memory allocator

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Attacks (continued)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS 161 Computer Security

Buffer Overflow Attacks

The Geometry of Innocent Flesh on the Bone

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 1: Buffer Overflows

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Smashing the Buffer. Miroslav Štampar

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Università Ca Foscari Venezia

CS 161 Computer Security

Architecture-level Security Vulnerabilities

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Advanced Buffer Overflow

Outline. Memory Exploit

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Outline. Format string attack layout. Null pointer dereference

CSE 127 Computer Security

CSE 127 Computer Security

Outline. Heap meta-data. Non-control data overwrite

CSE 127 Computer Security

Software Security: Buffer Overflow Attacks

CSE 565 Computer Security Fall 2018

Architecture-level Security Vulnerabilities. Julian Stecklina

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Secure Systems Engineering

Advanced Buffer Overflow

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Inject malicious code Call any library functions Modify the original code

Bypassing Browser Memory Protections

SoK: Eternal War in Memory

Buffer Overflows Defending against arbitrary code insertion and execution

Software Security: Buffer Overflow Defenses and Miscellaneous

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

20: Exploits and Containment

CSE 509: Computer Security

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

CS161 Midterm 1 Review

CSC 405 Computer Security Stack Canaries & ASLR

Practical Malware Analysis

On Compilers, Memory Errors and Control-Flow Integrity

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Code Injection Attacks Buffer Overflows

Biography. Background

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Memory Error Exploits and Defenses

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Memory Allocator Security

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CMPSC 497 Buffer Overflow Vulnerabilities

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

From Over ow to Shell

6.858 Lecture 3. char *p = malloc(256); char *q = p + 256; char ch = *q; //Does this raise an exception? //Hint: How big is the baggy bound for p?

Intro to x86 Binaries. From ASM to exploit

Return-Oriented Rootkits

CSE509 System Security

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Writing Exploits. Nethemba s.r.o.

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

So$ware Security (II): Buffer- overflow Defenses

Lecture 4 September Required reading materials for this class

Buffer Overflow and Format String Overflow Vulnerabilities

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Basic Buffer Overflows

Control Hijacking Attacks

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Transcription:

Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT)

Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation harder or sometimes impossible Attackers have developed techniques to evade Talk will Illustrate how these countermeasures work Discuss how attackers bypass them Investigate advances in protection 2

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 3

EMET Enhanced Mitigation Experience Toolkit Standalone tool (free) from Microsoft Adds a number of extra mitigations to Windows Focused on making using particular exploitation techniques harder Different from regular mitigations that make exploiting of vulnerabilities harder Tool fits into multiple categories, EMET techniques will be discussed in those categories separately Also configures a number of OS mitigations 4

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 5

Probabilistic countermeasures Based on randomness Canary-based approach Place random number in memory Check random number before performing action If random number changed an overflow has occurred Obfuscation of memory addresses Address Space Layout Randomization Instruction Set Randomization 6

Canary-based countermeasures StackGuard (SG): Cowan et al. Places random number before the return address when entering function Verifies that the random number is unchanged when returning from the function If changed, an overflow has occurred, terminate program 7

StackGuard (SG) f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Canary IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Local variables f0 Arguments f1 Return address f1 Saved frame pointer f1 Canary Pointer data SP Buffer 8

StackGuard (SG) f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Arguments f1 Return address f1 Saved frame pointer f1 Canary Pointer data SP Injected code 9

StackGuard (SG) f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Arguments f1 Return address f1 Saved frame pointer f1 Canary Pointer data SP Injected code 10

Canary-based countermeasures Propolice (PP): Etoh & Yoda Same principle as StackGuard Protects against indirect pointer overwriting by reorganizing the stack frame: All arrays are stored before all other data on the stack (i.e. right next to the random value) Overflows will cause arrays to overwrite other arrays or the random value Part of GCC >= 4.1 Stack Cookies in Visual Studio 11

Propolice (PP) f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Canary IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Local variables f0 Arguments f1 Return address f1 Saved frame pointer f1 Canary Buffer data SP Pointer 12

Propolice (PP) f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Canary IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Local variables f0 Arguments f1 Return address f1 Saved frame pointer f1 Canary Buffer data SP Pointer 13

Stack cookies in Visual Studio Invalid cookies would throw an exception Attackers could overwrite the exception handler pointers on a thread s stack SafeSEH Creates a table of exception handling pointers at link time If a pointer is not in this table, exception is invalid Must relink executable for it to work SEHOP Verifies integrity of the structured exception handler call chain 14

SEHOP Exception handling chain is a structure with next pointers and a pointer to a handler SEHOP adds a symbolic registration record at the end of the chain at runtime Verifies chain before calling the exception, due to ASLR, an attacker can t set a valid pointer to the symbolic record Next Handler Function Next Handler Shellcode Next Handler Function Invalid Next Handler Function 15

Heap protector (HP) Chunk1 Chunk2 Size of prev. chunk Size of chunk1 Checksum User data Size of chunk1 Size of chunk2 Checksum Forward pointer Backward pointer Old user data Heap protector: Robertson et al. Adds checksum to the chunk information Checksum is XORed with a global random value On allocation checksum is added On free (or other operations) checksum is calculated, XORed, and compared Vista has something similar 16

Contrapolice (CP) Chunk1 Chunk2 Canary1 Size of prev. chunk Size of chunk1 User data Canary1 Canary2 Size of chunk1 Size of chunk2 Forward pointer Backward pointer Old user data Canary2 Contrapolice: Krennmair Stores a random value before and after the chunk Before exiting from a string copy operation, the random value before is compared to the random value after If they are not the same, an overflow has occurred 17

Problems with canaries Random value can leak (information leak) For SG: Indirect Pointer Overwriting For PP: overflow from one array to the other (e.g. array of char overwrites array of pointer) For HP, SG, PP: 1 global random value CP: different random number per chunk CP: no protection against overflow in loops 18

Probabilistic countermeasures Obfuscation of memory addresses Also based on random numbers Numbers used to encrypt memory locations Usually XOR a XOR b = c c XOR b = a Function pointer encoding in Visual Studio 19

Obfuscation of memory addresses PointGuard: Cowan et al. Protects all pointers by encrypting them (XOR) with a random value Decryption key is stored in a register Pointer is decrypted when loaded into a register Pointer is encrypted when loaded into memory Forces the compiler to do all memory access via registers Can be bypassed if the key or a pointer leaks Randomness can be lowered by using a partial overwrite 20

Partial overwrite XOR: 0x41424344 XOR 0x20304050 = 0x61720314 However, XOR encrypts bitwise 0x44 XOR 0x50 = 0x14 If injected code relatively close: 1 byte: 256 possibilities 2 bytes: 65536 possibilities 21

Partial overwrite f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Data IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Other Local variables f0 Arguments f1 Return address f1 Saved frame pointer f1 Encrypted pointer SP Buffer 22

Partial overwrite f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Data Other Local variables f0 IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Arguments f1 Return address f1 Saved frame pointer f1 Encrypted pointer SP Injected code 23

Partial overwrite f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 Data Other Local variables f0 IP f1: ptr buffer[] = &data; overflow() buffer[] overflow(); *ptr = value; FP Arguments f1 Modified return address Saved frame pointer f1 Encrypted pointer SP Injected code 24

Probabilistic countermeasures Address space layout randomization: PaX team Compiler must generate Position Independent Code (PIC) Randomizes the base addresses of the stack, heap, code and shared memory segments Makes it harder for an attacker to know where in memory his code is located Can be bypassed if attackers can print out memory addresses: possible to derive base address Implemented in Windows Vista / Linux >= 2.6.12 Windows 8 allows Force ASLR, randomize DLLs that aren t compiled with ASLR support (preferred base not available) 25

Heap-spraying Technique to bypass ASLR If an attacker can control memory allocation in the program (e.g. in the browser via javascript) Allocate a significant amount of memory For example: 1GB or 2GB Fill memory with a bunch of nops, place shell code at the end Reduces amount of randomization offered by ASLR Jumping anywhere in the nops will cause the shellcode to be executed eventually 26

Probabilistic countermeasures Randomized instruction sets: Barrantes et al./kc et al. Encrypts instructions while they are in memory Decrypts them when needed for execution If attackers don t know the key their code will be decrypted wrongly, causing invalid code execution If attackers can guess the key, the protection can be bypassed High performance overhead in prototypes: should be implemented in hardware 27

Virtual Table Guard Use after free vulns will often rely on creating a fake C++ object with a controlled vtable VTGuard adds a random value to the vtable Checks if random value is unchanged before using the vtable Enabled by adding an annotation to a C++ class IE10 does this for a number of key classes Attacker doesn t know random value without info disclosure Regular object Virtual function Virtual function Virtual function VTGuard Fake object Pointer to shellcode Pointer to shellcode Pointer to shellcode 28

Probabilistic countermeasures Rely on keeping memory secret Programs that have buffer overflows could also have information leakage Example: char buffer[100]; strncpy(buffer, input, 100); Printf( %s, buffer); Strncpy does not NULL terminate (unlike strcpy), printf keeps reading until a NULL is found 29

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 30

Paging-based countermeasure Non-executable memory (called NX or XN) Pages of memory can be marked executable, writeable and readable Older Intel processors would not support the executable bit which meant that readable meant executable Eventually the bit was implemented, allowing the OS to mark data pages (such as the stack and heap writable but not executable) OpenBSD takes it further by implementing W^X (writable XOR executable) Programs doing JIT have memory that is both executable and writable 31

Stack-based buffer overflowed on NX Stack f0: call f1 Other stack frames Return address f0 Saved frame pointer f0 Local variables f0 IP f1: buffer[] overflow() FP Arguments f1 Overwritten return address SP Injected code 32

Stack-based buffer overflow on NX Stack f0: f1: call f1 buffer[] overflow() crash: memory not executable SP IP Other stack frames Return address f0 Saved frame pointer f0 Local variables f0 Injected code 33

Bypassing non-executable memory Early exploits would return to existing functions (called return-to-libc) to bypass these countermeasures Places the arguments on the stack and then places the address of the function as the return addres This simulates a function call For example calling system( /bin/bash ) would place the address of the executable code for system as return address and would place a pointer to the string /bin/bash on the stack 34

Return-to-libc f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 IP f1: buffer[] overflow() FP Local variables f0 Arguments f1 Overwritten Return address return address f1 Saved frame pointer f1 SP Injected Buffer code 35

Return-to-libc f0: call f1 Stack Other stack frames Return address f0 Saved frame pointer f0 IP f1: buffer[] overflow() string /bin/bash Pointer to /bin/bash FP Overwritten return address system: int 0x80 SP 36

Return oriented programming More generic return-to-libc Returns to existing assembly code, but doesn t require it to be the start of the function: Any code snippet that has the desired functionality followed by a ret can be used For example: Code snippet that does pop eax, followed by ret Next code snippet does mov ecx, eax followed by ret Final code snippet does jmp ecx Code gets executed at the address in ecx Shown to be Turing complete for complex libraries like libc 37

Return oriented programming f0: call f1 f3: mov ecx, eax ret Stack Other stack frames Return address f0 Saved frame pointer f0 IP f1: buffer[] overflow() f4: call ecx return after mov return after pop To be popped in eax FP Overwritten return address f2: pop eax ret SP 38

Return oriented programming x86 has variable length instructions, ranging from 1 to 17 bytes. ROP doesn t have to jump to the beginning of an instruction The middle of an instruction could be interpreted as an instruction that has the desired functionality, followed by a ret (either as part of that instruction or the following instruction) Also possible that jumping into a middle of an instruction causes subsequent instructions to be interpreted differently 39

Return oriented programming movl [ebp-44], 0x00000001 machine code: c7 45 d4 01 00 00 00 test edi, 0x00000007 machine code: f7 c7 07 00 00 00 setnzb [ebp-61] machine code: 0f 95 45 c3 00 f7 add bh, dh c7 07 00 00 00 0f mov edi, 0x0F000000 95 xchg eax, ebp 45 inc ebp c3 ret Example adapted from Return-oriented Programming: Exploitation without Code Injection by Buchanan et al. 40

JIT Spraying Heap-spraying has the drawback that it will not work with non-executable memory JIT spraying uses the Just In Time compiler in browsers that transforms scripting code (JS, Flash, AS) to native code By carefully crafting the script, the native code could be interpreted differently when interpretation starts at a different address Filling memory with this code can result in native that is marked executable that bypasses ASLR 41

Heap Spray Allocations Mitigation in EMET that aim to make heap spraying harder Places guard pages at popular heap spraying addresses: 0xa0a0a0a, 0x0b0b0b0b, 0x0c0c0c0c, etc. Configurable via registry Only effective against exploits that do not know about EMET 42

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 43

Verification countermeasures Ensure that the values in use are sane A typical example of this is safe unlinking Safe unlinking was introduced to various heap allocators to ensure that the doubly linked list is sane before being used For example before unlinking, do the following checks: P->fd->bk should be equal to P P->bk->fd should also be equal to P 44

EMET Caller checks In critical functions: Function must have been called and not returned or jumped into Disassembles backwards from return address When call is found, the call target must point to the critical function If no correct call was found: possible ROP Easily bypassed by returning to existing call instruction for critical or to a dynamic call (e.g. CALL EAX) 45

EMET Simulated Execution Simulates forward from critical function call Follow return addresses that executed after critical function Each return must be preceded by a call Simulate instructions that modify stack/frame pointer Defaults to 15 simulated instructions Bypassable by performing a number of innocuous calls after calling critical function 46

Control Flow Integrity Abadi et al. Based on 3 assumptions: Unique ID Non-writable code Non-executable data Instruments program based on CFG: Add labels at control transfer destination Before transferring control, verify label Formal proof if assumptions hold 47

Control Flow Integrity f0: call f1 f0: call f1 123 f1: buffer[] overflow() ret f1: buffer[] mov overflow() ecx, [esp] cmp [ecx], 123 jne error add [esp], 4 ret 48

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 49

Bounds checkers Ensure arrays and pointers do not access memory out of bounds through runtime checks Slow: Bounds checking in C must check all pointer operations, not just array index accesses (as opposed to Java) Usually too slow for production deployment Some approaches have compatibility issues Two major approaches: add bounds info to pointers, add bounds info to objects 50

Bounds checkers Add bounds info to pointers Pointer contains Current value Upper bound Lower bound Two techniques Change pointer representation: fat pointers Fat pointers are incompatible with existing code (casting) Store extra information somewhere else, look it up Problems with existing code: if (global) pointer is changed, info is out of sync 51

Bounds checkers Add bounds info to objects Pointers remain the same Look up bounds information based on pointer s value Check pointer arithmetic: If result of arithmetic is larger than base object + size -> overflow detected Pointer use also checked to make sure object points to valid location Other lighter-weight approaches 52

Bounds checkers Jones and Kelly Most existing bounds checkers (at the time) not compatible with existing code Maps object size onto descriptor of object (base, size) Pointer dereference/arithmetic Check descriptor If out of bounds: error Object created in checked code Add descriptor Pointers can be passed to existing code 53

Bounds checkers CRED: Ruwase and Lam Extension of Jones and Kelly Problems with pointer arithmetic 1) pointer goes out-of-bounds, 2) is not dereferenced, 3) goes inbounds again Out-of-bounds arithmetic causes error Many programs do this Create OOB object when going out-of-bounds When OOB object dereferenced: error When pointer arithmetic goes in-bounds again, set to correct value 54

Bounds checkers PariCheck: Younan et al. Bounds are stored as a unique number over a region of memory Object inhabits one or more regions, each region has the same unique number Check pointer arithmetic Look up unique number of object that pointer is pointing to, compare to unique number of the result of the arithmetic, if different -> overflow Faster than existing bounds checkers: ~50% overhead 55

Bounds checkers Visual Studio 11 adds simple range checks char buf[max]; int i; buf[i]= \0 ; If an attacker controls i, they could write outside the bounds of buf, bypassing the cookie Adds: if (i>=max) range_exception(); Due to performance reasons, it is only done when a NULL is set on a char array (not on a pointer) 56

Presentation overview Introduction EMET Countermeasures Probabilistic countermeasures Paging-based countermeasures Verification countermeasures Bounds checkers Conclusion 57

Countermeasures in modern OSes Various countermeasures have been deployed in modern operating systems ASLR StackGuard/Stack Cookies Safe unlinking Non-executable memory Limited bounds checking These have made exploitations of these attacks significantly harder However, attackers have found various ways of bypassing these countermeasures 58

Countermeasures in modern OSes Windows 8 Significantly improves on existing implementations of countermeasures Much higher entropy for ASLR (especially on 64-bit) Force ASLR Heap Allocation order randomization Prohibits mapping of the first 64k of memory to prevent exploits of kernel NULL pointer dereferences Injects guard pages at specific points in the heap to prevent overflowing from one area of heap memory into another 59

Conclusion Many attacks, countermeasures, countercountermeasures, etc. exist Search for good and fast countermeasures to protect C continues More information: Y. Younan, W. Joosen and F. Piessens. Runtime countermeasures for code injection attacks against C and C++ programs Y. Younan. Efficient countermeasures for software vulnerabilities due to memory management errors Ú. Erlingsson, Y. Younan, F. Piessens, Low-level software security by example Ken Johnson, Matt Miller: Exploit mitigation improvements in Windows 8 Elias Bachaalany: Inside EMET 4.0 60

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback