Just-in-Time Code Reuse

Similar documents
Selected background on ARM registers, stack layout, and calling convention

Inject malicious code Call any library functions Modify the original code

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Return-orientated Programming

Outline. Memory Exploit

Runtime Code Reuse Attacks: A Dynamic Framework Bypassing Fine-Grained Address Space Layout Randomization

Information Leaks. Kyriakos Kyriakou

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Smashing the Buffer. Miroslav Štampar

CVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Control-Flow Attacks and Defenses

Check my profile: Leveraging static analysis for fast and accurate detection of ROP gadgets

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 161 Computer Security

Abstraction Recovery for Scalable Static Binary Analysis

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Defeating Return-Oriented Rootkits with Return-less Kernels

Practical Malware Analysis

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

Defending against Return-Oriented Programming. Vasileios Pappas

From Over ow to Shell

On Compilers, Memory Errors and Control-Flow Integrity

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. Accepted at USENIX Security 2014

The Geometry of Innocent Flesh on the Bone

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Q: Exploit Hardening Made Easy

Return-Oriented Rootkits

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Return oriented programming

Advanced Buffer Overflow

Lecture 08 Control-flow Hijacking Defenses

Biography. Background

Exercise 6: Buffer Overflow and return-into-libc Attacks

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

CS 161 Computer Security

Three Decades of Runtime Attacks

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

What Cannot be Read, Cannot be Leveraged?

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher

Vulnerability Analysis I:

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Remix: On-demand Live Randomization

Architecture-level Security Vulnerabilities

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Software Security II: Memory Errors - Attacks & Defenses

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization

Bit Flips in Memory Rowhammer Attacks and Defenses

Università Ca Foscari Venezia

Advanced Buffer Overflow

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

Architecture-level Security Vulnerabilities. Julian Stecklina

From Assembly to JavaScript and Back

HAFIX: Hardware-Assisted Flow Integrity Extension

Lecture 10 Code Reuse

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Physical Unclonable Functions-based Linear Encryption against Code Reuse Attacks

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

16.317: Microprocessor Systems Design I Fall 2014

Software Security: Buffer Overflow Defenses

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

16.317: Microprocessor Systems Design I Fall 2015

ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks

Full control of EIP no longer yields immediate arbitrary code execution

Syscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.

ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion

Writing Exploits. Nethemba s.r.o.

Advanced Systems Security: Control-Flow Integrity

Microgadgets: Size Does Matter In Turing-complete Return-oriented Programming

Is Exploitation Over? Bypassing Memory Protections in Windows 7

CSE 509: Computer Security

Program Exploitation Intro

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Chronomorphic Programs: Using Runtime Diversity to Prevent Code Reuse Attacks

Defense against Code-injection, and Code-reuse Attack

16.317: Microprocessor Systems Design I Spring 2015

TABLE OF CONTENT 1. Abstract: Terminology Introduction Basic Shellcoding Solving The Addressing Problem Hash API

Reverse Engineering II: The Basics

Writing your first windows exploit in less than one hour

Launching Return-Oriented Programming Attacks against Randomized Relocatable Executables

Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future?

Packed, Printable, and Polymorphic Return-Oriented Programming

Transcription:

Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University of North Carolina at Chapel Hill 2 CASED/Technische Universität Darmstadt, Germany 1

The Big Picture 2 2

The Big Picture 2 2

The Big Picture Scrip&ng facilitates a0acks 2 2

The Big Picture Scrip&ng facilitates a0acks Large a0ack surface 2 2

The Big Picture Scrip&ng facilitates a0acks Exploit packs automate increasingly complex a0acks Adversary must apply a code- reuse strategy Large a0ack surface 2 2

The Big Picture 3 3

The Big Picture 3 3

The Big Picture Re t u r n o r ien ted Pro g ra mm ing 3 3

Basic ROP Attack Technique 4

Basic ROP Attack Technique Adversary 4

Basic ROP Attack Technique Adversary Stack Heap Code 4

Basic ROP Attack Technique Adversary Stack Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Inject ROP Payload Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Inject ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 2007 2008 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 ret2libc Solar Designer 2001 2005 2007 2008 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 ret2libc Solar Designer Advanced ret2libc Nergal 2005 2007 2008 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 2008 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA) 2010 5

Code Reuse Attacks History selected not exhaustive 1997 2001 2005 ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA) 2010 Roppery Iozzo et al (BlackHat USA) Payload already inside Long Le (BlackHat USA) ROP without Returns Checkoway et al (CCS) Pwn2Own iphone Weinmann & Iozzo Pwn2Own IE Nils Practical ROP Zovi (RSA Conference) 5

ASLR Address Space Layout Randomiza6on 6

Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7

Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7

Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 3. Adjust instruction sequence pointers Disclosure Attack e.g., [Sotirov et al., Blackhat 2008] 2. Leak function pointer 1. Exploit disclosure vulnerability 7 7

Example Memory Disclosure Stack Executable Heap Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

Example Memory Disclosure Stack Executable Vulnerable Object array vuln[10] JavaScript String size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data Object funcpointer funcpointer Library (e.g., user32.dll) Memory Readable as String Data Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8

Tackling the Problems of ASLR via Fine- Grained ASLR 9

Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence 3 10 10

Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence 3 Application Run 2 Library (e.g., user32.dll) Instruction Sequence 3 Instruction Sequence 1 Instruction Sequence 2 Different fine- grained ASLR approaches have been proposed recently ORP [Pappas et al., IEEE Security & Privacy 2012] ILR [Hiser et al., IEEE Security & Privacy 2012] STIR [Wartell et al., ACM CCS 2012] XIFER [Davi et al., ASIACCS 2013] All mi&gate single memory disclosure a0acks 10 10

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized 11

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr 11

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original Randomized MOV EBX, $0 11

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX 11

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized 11

Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized MOV EBX, &ptr CALL *EBX 11

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 BBL_2 BBL_3 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF 0x1000: Randomized BBL_2 BBL_2 MOV (ESP), EAX 0x10A0: BBL_3 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x1000 12

Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: MOV (ESP), EAX BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x1000 12

Instruction Location Randomization Original MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX [Hiser et al., IEEE S&P 2012] 0x10FF: ADD EAX, ECX 13

Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x3000: ADD EAX, ECX 13

Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x2500 -> 0x2000 0x2000 -> 0x1000 0x1000 -> 0x12A0 0x3000 -> 0x1F00 Execution is driven by a fall-through map and a binary translation framework (Strata) 0x3000: ADD EAX, ECX 13

Does Fine- Grained ASLR Provide a Viable Defense in the Long Run? 14

Contributions 15 15

Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 15 15

Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 15 15

Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 3 A prototype exploit framework that demonstrates one instantiation of our idea, called JIT-ROP 15 15

Assumptions Adversary Defender 16 16

Assumptions Adversary Defender Non-Executable Stack and Heap 16 16

Assumptions Adversary Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16

Assumptions Adversary Memory Disclosure Vulnerability Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16

Assumptions Adversary Control-Flow Vulnerability Memory Disclosure Vulnerability Fine-Grained ASLR Defender Non-Executable Stack and Heap 16 16

Workflow of Just-In-Time Code Reuse Adversary 17 17

Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer 17 17

Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) 17 17

Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application 17 17

Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Map Memory Description (High-Level Language) Vulnerable Application 17 17

Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Map Memory Find ROP Sequences (Gadgets) Vulnerable Application 17 17

Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Find ROP Sequences (Gadgets) Find API Functions 17 17

Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17

Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17

Challenges 18 18

Challenges Map memory without crashing 18 18

Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime 18 18

Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated 18 18

Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated Demonstrate efficient, practical exploit 18 18

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present 19 19

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present f295afcad42b43 638b2bbf6381ff 72efc88bda4cc0 0732bba1575ccb eb7c025e6b8ad3 0c283baa9f03e4 7464fc814176cd 546bcee28e4232 initial code page 19 19

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx 19 19

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( http://, bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( http://, bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( http://, bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program Vulnerable Application Code Page Previously Found Sleep() FindWindow() GetActiveWindow() 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( http://, bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead Vulnerable Application Code Page Previously Found LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( http://, bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead With Vulnerable Dynamic Application Loading LoadLibrary( urlmon.dll ); Code Page Previously Found GetProcAddress(@, URLDownloadToFile ); @( http://, bot.exe ); LoadLibrary( kernel32.dll ); GetProcAddress(@, WinExec ); @( bot.exe ); LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx gadgets found 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret gadgets found 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21

Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG LoadRegG gadgets found MovRegG 21 21

Compiling the ROP program 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@, ExitProcess ); @(1); LoadRegG& MovRegG& JumpG& 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@, ExitProcess ); @(1); LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 generate possible gadget arrangements 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@, ExitProcess ); @(1); LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@, ExitProcess ); @(1); LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); GetProcAddress(@, WinExec ); @( calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); GetProcAddress(@, ExitProcess ); @(1); LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Serialize Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22

Take it to the Next Level JIT-ROP is only our initial prototype of just-in-time code reuse. Potential Improvements: Map Memory Find API Calls Find Gadgets Compile Run Time Improve ability to discern code from embedded data. Explore direct use of system calls. Lower conservativeness at expense of complexity. Define more composite gadgets implementing an operation. Optimize code throughout. Bigger changes: apply JIT code reuse to jump-oriented programming, return-less ROP, or ret-to-libc styles of code reuse. 23 23

Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? 24 24

Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) 24 24

Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Are code pages interconnected enough? 24 24

Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Tested on 7 Applications: Are code pages interconnected enough? 24 24

Experiment Design For each application: Open Application with Blank Document Save Save Snapshot Save Snapshot Save of Snapshot Save of Snapshot Program Save Program Memory of Snapshot Save Program Memory of Program Memory of Snapshots Program Memory of Program Memory of Program Memory Memory Use only one initial code pointer to kick-off memory mapping, repeat for all possible initializations Build Native x86 Version of JIT-ROP Map Memory Find API Calls Find Gadgets Compile 25 25

Experimental Results Map Memory On average, 300 pages of code harvested. Find API Calls 500 Pages harvested from a single initial code pointer upper quartile 300 Find Gadgets median Run Time 100 lower quartile 26 26

Experimental Results Map Memory Find API Calls Using the LoadLibrary() and GetProcAddress() APIs, the generated ROP payload can lookup any other APIs needed. Find 9 to 12 on average, but only one needed. Find Gadgets 15 10 upper quartile median 5 Run Time GetProcAddress() ASCII UNICODE LoadLibrary() similar results for all applications 27 27

Experimental Results Map Memory 150 100 We only consider xchg eax,esp for a stack pivot, this could be improved. upper quartile median Find API Calls Find Gadgets Run Time 50 jump pivot mvreg arith load store arithld arithsto lower quartile Usually find one or more of each gadget type. Also tested against gadget elimination, e.g. ORP [Pappas et al., IEEE S&P 2012], which had little benefit. Some gadgets vanished, while new gadgets appeared. again, similar results for all applications 28 28

Seconds to Exploit Experimental Results Map Memory 22.5 End-to-end live exploitation experiments with different environments and vulnerabilities. Find API Calls 15 7.5 CVE 2012 1876 string size overwrite string size overwrite format string disclosure Find Gadgets 7 8 7 V8 8 10 8 10 Run Time Varies, but viable for real-world exploitation. 29 29

Live Demo CVE- 2013-2551 on 8 10 Credits Vulnerability Discovery: Metasploit Module for Win7/IE8: Nicolas Joly Juan Vazquez 30

Conclusion 31 31

Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure 31 31

Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical 31 31

Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations control-flow integrity [Abadi et al., CCS 2005] 31 31

Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations Need for Practical Solutions control-flow integrity [Abadi et al., CCS 2005] work towards efficient fine-grained CFI/DFI 31 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback