Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Similar documents
Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Control-Flow Integrity

CMPSC 497 Execution Integrity

Inject malicious code Call any library functions Modify the original code

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security II: Memory Errors - Attacks & Defenses

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Return-orientated Programming

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Defenses

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

On Compilers, Memory Errors and Control-Flow Integrity

Vulnerability Analysis I:

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Software Security: Buffer Overflow Attacks

Advanced Systems Security: Program Diversity

Remix: On-demand Live Randomization

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Defeating Return-Oriented Rootkits with Return-less Kernels

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

The Geometry of Innocent Flesh on the Bone

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Abstraction Recovery for Scalable Static Binary Analysis

Securing Untrusted Code

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

CS 161 Computer Security

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CSE 509: Computer Security

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Defenses and Miscellaneous

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CMPSC 497 Buffer Overflow Vulnerabilities

Lecture 10 Code Reuse

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Outline. Memory Exploit

Inline Reference Monitoring Techniques

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

in memory: an evolution of attacks Mathias Payer Purdue University

CODE reuse attacks (CRAs) emerged as a powerful attack, HCIC: Hardware-assisted Control-flow Integrity Checking

Advanced Systems Security: Ordinary Operating Systems

Lecture 08 Control-flow Hijacking Defenses

Q: Exploit Hardening Made Easy

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Exploit Mitigation - PIE

Return-Oriented Rootkits

Outline. Heap meta-data. Non-control data overwrite

On the Effectiveness of Type-based Control Flow Integrity

CSE 127 Computer Security

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Midterm 1 Review. Memory Safety & Web Attacks

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Control Flow Integrity

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Selected background on ARM registers, stack layout, and calling convention

Biography. Background

Practical and Efficient Exploit Mitigation for Embedded Devices

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

CSE Spring Assignment 3: Return-oriented Programming

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

0x1A Great Papers in Computer Security

Exploits and gdb. Tutorial 5

Università Ca Foscari Venezia

Outline. Format string attack layout. Null pointer dereference

Memory Safety (cont d) Software Security

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

From Over ow to Shell

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Defense against Code-injection, and Code-reuse Attack

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Control Flow Integrity for COTS Binaries Report

Static Analysis. Systems and Internet Infrastructure Security

20: Exploits and Containment

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Is Exploitation Over? Bypassing Memory Protections in Windows 7

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Just-in-Time Code Reuse

Advanced Buffer Overflow

Smashing the Buffer. Miroslav Štampar

CSE 127 Computer Security

Low Level Software Security: Attacks and Defenses; Control Flow Integrity. System Security Seminar Presenter: Cătălin Hrițcu

CSE 127 Computer Security

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CMPSC 497: Midterm Review

Practical Malware Analysis

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (urn address) Stack (buffer), heap, format string vulnerability Second -- attacker uses control of program flow to launch attacks Code injection Defense: NX, W (xor) X urn-to-libc Defense: remove unwanted functions (e.g., system) How to overcome these limitations??? Return-oriented programming 30

Return-Oriented Programming Arbitrary exploitation without code injection or whole-function reuse (urn-to-libc) 31

Return-Oriented Programming 32

ROP Thesis 33

Return-to-libc 34

ROP vs urn-to-libc 35

ROP Attacks 36

Machine Instructions 37

ROP Execution 38

Building ROP Functionality 39

Building ROP Functionality 40

Building ROP Functionality 41

Creating Programs 42

Finding Gadgets 43

ROP Conclusions 44

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000$= Return Address buf

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000$= Return Address buf

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000$= Return Address buf

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x8048000$=

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x8048000$=

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x8048000... Memory 0x8048000$=

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x8048000... Memory 0x8048000$=

ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x8048000 jump G3 Return Address buf... Registers Memory %eax$= 5 0x8048000$= 5 %ebx$= 0x8048000

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 47

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, urns,... Challenges Building accurate model Efficient enforcement 48

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 49

Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 50 B 1 B

More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 51

Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can urn to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B call+1 succ(b ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 52

No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 53

More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 54

ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 55

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Windows Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities 56

Conclusion Defense against control-flow and data attacks is an ongoing arms race Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers However, they have implementation limitations Active area of research 57

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback