Inject malicious code Call any library functions Modify the original code

Similar documents
Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Selected background on ARM registers, stack layout, and calling convention

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Software Security II: Memory Errors - Attacks & Defenses

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

SoK: Eternal War in Memory

CS 161 Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks

Software Security: Buffer Overflow Defenses

CS 161 Computer Security

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Outline. Format string attack layout. Null pointer dereference

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

CSE 127 Computer Security

Return-orientated Programming

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Software Security: Buffer Overflow Attacks

Runtime Attacks: Buffer Overflow and Return-Oriented Programming

Outline. Heap meta-data. Non-control data overwrite

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Just-in-Time Code Reuse

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Remix: On-demand Live Randomization

Lecture 08 Control-flow Hijacking Defenses

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Advanced Buffer Overflow

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Advanced Systems Security: Program Diversity

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Buffer Overflow Attacks

Outline. Memory Exploit

Buffer overflow background

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Buffer overflow prevention, and other attacks

Practical Malware Analysis

0x1A Great Papers in Computer Security

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Secure Systems Engineering

On Compilers, Memory Errors and Control-Flow Integrity

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Software Security: Buffer Overflow Attacks (continued)

Memory Safety (cont d) Software Security

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

The Geometry of Innocent Flesh on the Bone

From Over ow to Shell

Lecture 10 Code Reuse

Advanced Systems Security: Ordinary Operating Systems

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CMPSC 497 Buffer Overflow Vulnerabilities

Advanced Buffer Overflow

Cyber Moving Targets. Yashar Dehkan Asl

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Defense against Code-injection, and Code-reuse Attack

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Biography. Background

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Information Leaks. Kyriakos Kyriakou

Exercise 6: Buffer Overflow and return-into-libc Attacks

Spectre and Meltdown. Clifford Wolf q/talk

Q: Exploit Hardening Made Easy

Memory corruption countermeasures

Exploit Mitigation - PIE

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. Accepted at USENIX Security 2014

Exploits and gdb. Tutorial 5

Malware

1358 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 7, JULY 2018

Midterm 1 Review. Memory Safety & Web Attacks

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security of Embedded Systems

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSE 127 Computer Security

Smashing the Buffer. Miroslav Štampar

CSE 509: Computer Security

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

CSE 565 Computer Security Fall 2018

Vulnerability Analysis I:

Software Security: Buffer Overflow Defenses and Miscellaneous

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Exploiting and Protecting Dynamic Code Generation

Abstraction Recovery for Scalable Static Binary Analysis

Influential OS Research Security. Michael Raitza

Transcription:

Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2

3 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 3

Re t u r n o r ien ted Pro g ra mm ing 4 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 4

5 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 5

2007 Intel x86 2008 SPARC Atmel AVR 2009 Z80 PowerPc ARM 2010 Internet Explorer Apple Jailbreak Adobe Reader Quicktime Player 6 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 6

Video: http://www.youtube.com/watch?v=lsfg3kprd1i 7 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 7

Request http://www.jailbreakme.com/_ /iphone3,1_4.0.pdf 1) Exploit PDF Viewer Vulnerability by means of Return-Oriented Programming 2) Start Jailbreak 3) Download required system files 4) Jailbreak Done 8 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 8

User visits adversary web page Malicious webpage with embedded ROP payload SMS Database leaked to adversary 9 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 9

10 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 10

Perform arbitrary computation with return-into-libc techniques Approach Use small instruction sequences (e.g., of libc) instead of using whole functions Instruction sequences range from 2 to 5 instructions All sequences end with a return instruction Instruction sequences are chained together to a gadget A gadget performs a particular task (e.g., load, store, xor, or branch) Afterwards, the adversary enforces his desired actions by combining the gadgets 11 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Adversary 1 Corrupt Control Structures Data Stack Return Address 3 Return Address 2 2 4 6 Return Address 1 Libraries Instruction sequence Return Instruction sequence Return Instruction sequence Return SP 3 5 7 Code Program Memory 12 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 12

Instruction sequences never intended by the programmer Get new code out of existing code Possible due to Unaligned Memory Access Variable-Length Instructions B8 13 00 00 00 Start interpretation of Byte Stream two Bytes later 00 00 00 E9 C3 E9 C3 F8 FF FF Intended Code mov $0x13,%eax jmp 3aae9 Unintended Code add %al,(%eax) add %ch,%cl ret 13 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 13

14 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 14

15 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 16 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 17 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 18 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register 19 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

20 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 20

Compiler Extensions Programming Languages Countermeasures Randomization and Diversity Binary Instrumentation 21 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Extend standard compilers by integrating additional security techniques Effectiveness The effectiveness depends on the integrated security mechanisms On the next slide we will present a well-known security mechanism (namely stack canaries) that is implemented in today s compilers Various other techniques exist: bounds checking for critical functions, return address stack, variable reordering, etc. Problems Typically, access to the source code is required Recompilation of the program Performance overhead is higher compared to randomization approaches 22 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 23 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Return Address Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 24 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 25 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Pop the canary value and check its value Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP 26 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Insert random canary values next to sensitive control-flow information, and check if the canary is still valid, when the control-flow information is used Obviously, any attempt of the adversary to overwrite control-flow information will lead to a canary overwrite Effectiveness As long as the canary remains secret, the adversary will not be able to overwrite control-flow information Problems Brute-force or disclosure attacks possible In practice it is hard to protect all controlflow information with random canaries Pop the canary value and check its value Stack Arbitrary Stack Value Return Address CANARY Code <main>: Instruction, CALL Function_A Instruction, <Function_A>: PUSH Canary Function Prologue Instruction, Canary Check RET SP SP SP 27 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Use programming languages that provide type-safety and thereby eliminate buffer overflow vulnerabilities by design Example The Java Programming language provides type-safety by applying a dedicated Bytecode verifier Problems Legacy compliance problem: All programs have to be ported to the new language Today s operating systems are mainly written in native languages due to performance reasons Type-safe languages usually built on native code parts, e.g., the Java virtual machine 28 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea ASLR randomizes the base address of code segments (stack, heap, dynamic libraries) for each execution Implementation ASLR is enabled in modern OSes: Windows 7, Linux Distributions, Mac OS X, Android, ios Effectiveness Prevents return-into-libc and ROP because the adversary does not know the runtime memory addresses of instruction sequences and functions ASLR makes code injection attacks more difficult, because stack/heap are randomized. Hence, the start address of the injected code is difficult to predict. Problems Entropy of the randomization is often too low (brute-force attacks possible) Disclosure attacks possible In practice, not all code segments are randomized. Hence, an adversary can leverage the non-randomized code parts to (1) perform the attack or (2) calculate the base addresses of randomized shared libraries 29 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea Derive n application instances (executables) from one source code, while all instances share the same semantics Effectiveness An exploit sample will only affect one application instance Hence, an adversary has to write n exploits if he aims to compromise the application on n platforms Problems Diversity has to be applied to all shared libraries as well, otherwise the adversary can leverage codereuse attacks like ROP Until today, there is no secure and practical diversification scheme that could be really deployed as a countermeasure against control-flow attacks Source Code of Application A Diversification Engine Compiler Executable A 1 Executable A 2 Executable A n 30 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Idea In general, binary instrumentation is a technique that binds additional code (instrumentation code) to a program for security or profiling purposes Probe-based instrumentation: Add instrumentation code by rewriting the binary at program start. Just-In-Time (JIT) based instrumentation: Instrumentation code is dynamically added. More specifically, the program to be instrumented is executed in a virtual machine (VM) like environment. The VM continuously intercepts program code and rewrites it on-the-fly. Effectiveness As for compiler-based approaches, the effectiveness depends on the integrated security mechanisms On the next slide we will present how jit-based instrumentation could be used to perform enhanced return address checks Further, we present control-flow integrity (CFI) Problems Although binary instrumentation-based solutions require no access to source code, they typically induce higher performance penalties 31 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Intercept Instruction 1 2 Is Call? Is Return? 3 Wait for next Instruction 1a Push TOS onto Shadow Stack Compare TOS of both Stacks 1b Return 4 Return 3 Return 2 Return 1 2a 2b Program Stack Copy of Return 4 Copy of Return 3 Copy of Return 2 Copy of Return 1 Shadow Stack 32 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 32

33 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

34 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

BBL 2 BBL 1 label_1 entry ins, ins, ins, exit BBL 3 label_3 entry ins, ins, ins, exit Malicious Code Shellcode label_2 entry ins, ins, ins, exit 1 2 Library Code Instruction Sequences Library Functions BBL 4 label_4 entry ins, ins, ins, exit CFI Check: *BBL3[exit] == label_5 BBL 5 label_5 entry ins, ins, ins, exit 1. Rewrite all exit instructions with a control-flow check 2. Generate the Control-Flow Graph before the program starts executing 35 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback