Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Similar documents
Outline. Memory Exploit

The Geometry of Innocent Flesh on the Bone

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Defenses

Return-orientated Programming

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Software Security: Buffer Overflow Attacks

CSE 127 Computer Security

CSE 127 Computer Security

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Software Security: Buffer Overflow Defenses and Miscellaneous

Vulnerability Analysis I:

CS 161 Computer Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Return-Oriented Rootkits

Smashing the Buffer. Miroslav Štampar

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Exercise 6: Buffer Overflow and return-into-libc Attacks

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CS Exploiting Memory. Vitaly Shmatikov

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Inject malicious code Call any library functions Modify the original code

Architecture-level Security Vulnerabilities

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Selected background on ARM registers, stack layout, and calling convention

CS 161 Computer Security

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Practical Malware Analysis

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Architecture-level Security Vulnerabilities. Julian Stecklina

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

String Oriented Programming Exploring Format String Attacks. Mathias Payer

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Advanced Buffer Overflow

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Is stack overflow still a problem?

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Defeating Return-Oriented Rootkits with Return-less Kernels

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Software Security II: Memory Errors - Attacks & Defenses

Advanced Buffer Overflow

Università Ca Foscari Venezia

Lecture 08 Control-flow Hijacking Defenses

Lecture 10 Code Reuse

Exploits and gdb. Tutorial 5

Return oriented programming

20: Exploits and Containment

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

(Continue) Cryptography + (Back to) Software Security

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Heaps of Heap-based Memory Attacks

Writing Exploits. Nethemba s.r.o.

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Q: Exploit Hardening Made Easy

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Abstraction Recovery for Scalable Static Binary Analysis

Buffer overflow background

Defense against Code-injection, and Code-reuse Attack

Bypassing Browser Memory Protections

Intro to x86 Binaries. From ASM to exploit

Secure Systems Engineering

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CS642: Computer Security

INTRODUCTION TO EXPLOIT DEVELOPMENT

Just-in-Time Code Reuse

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

CSE 127 Computer Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CMPSC 497 Buffer Overflow Vulnerabilities

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Outline. Format string attack layout. Null pointer dereference

Jump-Oriented Programming: A New Class of Code-Reuse Attack

Biography. Background

SoK: Eternal War in Memory

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Outline. Heap meta-data. Non-control data overwrite

Full control of EIP no longer yields immediate arbitrary code execution

CS 161 Computer Security

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Transcription:

CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th, 2012

Outline 1 Background 2 Return Oriented Programming 3 Heap Spray 4 Summary

Outline 1 Background 2 Return Oriented Programming 3 Heap Spray 4 Summary

Memory Exploit For a successful memory exploits, it usually involves: 1 Put malicious code at a predictable location in memory, usually masquerading as data 2 Trick vulnerable program into passing control to it Overwrite saved EIP, such as return address, function pointers, GOT tables, etc, with the values pointing to attackers malicious payload

A Basic Exploit Credit: [Mitchell Adair, Buffer Overflows 101]

W X / DEP DEP Marks regions of memory as writeable or executable, not both Prevents attacker from writting a payload to memory, then directly executing it Example: Microsoft s DEP (Data Execution Prevention) This blocks (almost) all code injection exploits Hardware support AMD NX bit, Intel XD bit (in post-2004 CPUs) Makes memory page non-executable Widely deployed Windows (since XP SP2), Linux (via PaX patches), OpenBSD, OS X (since 10.5)

W X / DEP Credit: [Mitchell Adair, Buffer Overflows 101]

What Does W X Not Prevent? Can still corrupt stack... (there is no buffer overflow prevention)... or function pointers or critical data on the heap As long as saved EIP points into existing code, W X protection will not block control transfer Return-into-libc exploits Overwrite saved EIP with the address of any library routine, arrange memory to look like arguments Does not look like a huge threat Attacker cannot execute arbitrary code... especially if system() is not available Credit: [Part of the following ROP slides are compiled from http://www.cs.utexas.edu/ shmat/courses/cs380s/ by Prof. Vitaly Shmatikov

Return-into-libc Overwritten saved EIP need not point to the beginning of a library routine Any existing instruction in the code image is fine Will execute the sequence starting from this instruction What if instruction sequence contains RET?

Return-into-libc Overwritten saved EIP need not point to the beginning of a library routine Any existing instruction in the code image is fine Will execute the sequence starting from this instruction What if instruction sequence contains RET? Execution will be transferred... to where? Read the word pointed to by stack pointer (ESP) Guess what? Its value is under attacker s control! (why?)

Return-into-libc Overwritten saved EIP need not point to the beginning of a library routine Any existing instruction in the code image is fine Will execute the sequence starting from this instruction What if instruction sequence contains RET? Execution will be transferred... to where? Read the word pointed to by stack pointer (ESP) Guess what? Its value is under attacker s control! (why?) Use it as the new value for EIP Now control is transferred to an address of attacker s choice! Increment ESP to point to the next word on the stack

Chaining RETs for Fun and Profit Can chain together sequences ending in RET Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005) What is this good for?

Chaining RETs for Fun and Profit Can chain together sequences ending in RET Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005) What is this good for? Answer [Shacham]:everything Return-oriented Programming Turing-complete language Build gadgets for load-store, arithmetic, logic, control flow, system calls Attack can perform arbitrary computation using no injected code at all!

Outline 1 Background 2 Return Oriented Programming 3 Heap Spray 4 Summary

Return Oriented Programming (ROP) ROP Leverages 1 The fact that the "ret" instruction will pass control flow to an arbitrary memory address pointed to by ESP 2 Small snippets of code that end in a "ret" instruction - called gadgets. Gadgets Gadgets can be built up consecutively on the stack, executing small groups of instructions before returning control flow to the next gadget Gadgets are found in executable sections of libraries or the program itself, therefore avoiding execution directly on the stack

Return Oriented Programming Credit: [Exploit Hardening Made Easy, USENIX Security 2011]

Ordinary Programming Instruction pointer (EIP) determines which instruction to fetch and execute Once processor has executed the instruction, it automatically increments EIP to next instruction Control flow by changing value of EIP

Return-Oriented Programming Stack pointer (ESP) determines which instruction sequence to fetch and execute Processor doesn t automatically increment ESP But the RET at end of each instruction sequence does

No-ops No-op instruction does nothing but advance EIP Return-oriented equivalent Point to return instruction Advances ESP Useful in a NOP sled ()

Immediate Constants Instructions can encode constants Return-oriented equivalent Store on the stack Pop into register to use

Control Flow Ordinary programming (Conditionally) set EIP to new value Return-oriented equivalent (Conditionally) set ESP to new value

Gadgets: Multi-instruction Sequences Sometimes more than one instruction sequence needed to encode logical unit Example: load from memory into register Load address of source word into EAX Load memory at (EAX) into EBX

Gadget

Unintended Instructions Unintended Instructions movl $0x00000001, -44(%ebp) test $0x00000007, %edi setnzb -61(%ebp) c7 45 d4 01 00 00 00 f7 c7 07 00 00 00 0f 95 45 c3 } } } Actual code from ecb_crypt() add %dh, %bh movl $0x0F000000, (%edi) xchg %ebp, %eax inc %ebp ret slide 13

Gadget design Gadgets are built from found code sequences. Gadgets are intermediate organizational unit and perform well-defined operations, such as: load-store operations arithmetic & logic operations control flow invoking system calls The set of gadgets is Turing complete, so return-oriented programming could construct arbitrary computations.

Loading a Constant to Register

Loading From Memory

Storing To Memory

Arithmetic And Logic Simple add into %eax

Return-Oriented Shellcode An application of return-oriented shellcode. The shellcode invokes the execve system call to run a shell. Steps in creating ROP Shellcode 1 Setting the system call index in %eax; 2 Setting the path of the program to run in %ebx. 3 Setting the argument vector argv in %ecx. 4 Setting the environment vector envp in %edx.

x86 Architecture Helps Register-memory (M2R, R2M) machine Plentiful opportunities for accessing memory Register-starved Multiple sequences likely to operate on same register Instructions are variable-length, unaligned More instruction sequences exist in libc Instruction types not issued by compiler may be available Unstructured call/ret ABI Any sequence ending in a return is useful

SPARC: the Un-x86 Load-store RISC machine Only a few special instructions access memory Register-rich 128 registers; 32 available to any given function All instructions 32 bits long; alignment enforced No unintended instructions Highly structured calling convention Register windows Stack frames have specific format When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC (CCS 2008)

More ROP Harvard architecture: code separate from data code injection is impossible, but ROP works fine Z80 CPU Sequoia AVC Advantage voting machines Some ARM CPUs iphone No returns = no problems (Lame) defense against ROP: eliminate sequences with RET and/or look for violations of LIFO call-return order Use update-load-branch sequences in lieu of returns + a trampoline sequence to chain them together Read Return-oriented programming without returns (CCS 2010)

Other Issues with W X / DEP Some applications require executable stack Example: Lisp interpreters Some applications are not linked with /NXcompat DEP disabled (e.g., popular browsers) JVM makes all its memory RWX readable, writable, executable (why?) Spray attack code over memory containing Java objects (how?), pass control to them Return into a memory mapping routine, make page containing attack code writeable

Outline 1 Background 2 Return Oriented Programming 3 Heap Spray 4 Summary

Heap-spraying Attacks Besides W X / DEP, we have ASLR. How to defeat ASLR?

Heap-spraying Attacks Besides W X / DEP, we have ASLR. How to defeat ASLR? Heap spraying is a new technique used in exploits to facilitate arbitrary code execution. Targeted at browsers, document viewers, etc. Current attacks include IE, Adobe Reader, and Flash Effective in any application the allows JavaScript http://en.wikipedia.org/wiki/heap_spraying

Heap-spraying Attacks History Heap sprays have been used occasionally in exploits since at least 2001 Widespread use in exploits for web browsers in the summer of 2005 (Internet Explorer). Simple enough to understand Quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. JavaScript VBScript ActionScript

Revealing Heap Spraying (1) 30 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (1) 31 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (1) Owned! 32 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (2) Drive-By Heap Spraying (2) Program Heap ok PC ok <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "> </IFRAME> </HTML> 1 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (2) Drive-By Heap Spraying (2) Program Heap ok ok bad PC Creates the malicious object <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "> </IFRAME> </HTML> 2 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (2) Drive-By Heap Spraying (2) Program Heap ok ok bad PC Creates the malicious object <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); Triggers the jump </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "> </IFRAME> </HTML> 3 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (2) Drive-By Heap Spraying (2) ASLR prevents the Program Heap attack ok ok bad PC Creates the malicious object <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); Triggers the jump </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "> </IFRAME> </HTML> 4 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (2) Drive-By Heap Spraying (2) ASLR prevents the Program Heap attack bad ok ok PC Creates the malicious object <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); Triggers the jump </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "> </IFRAME> </HTML> 5 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (3) Program Heap ok ok <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; Allocate 1000s of while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } spraycontainer = new Array(); for (i=0; i<1000; i++) { spraycontainer[i] = fullblock + shellcode; } </SCRIPT> 39 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Revealing Heap Spraying (3) Program Heap ok bad bad bad ok bad bad bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; Allocate 1000s of while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } spraycontainer = new Array(); for (i=0; i<1000; i++) { spraycontainer[i] = fullblock + shellcode; } </SCRIPT> 40 In courtesy of Ratanaworabhan et al [Nozzle] for this example

Heap-spraying Attacks How? 1 Attacker must have existing vulnerability (i.e., overwrite a function pointer) 2 Attacker allocates many copies of malicious code as JavaScript strings 3 When attacker subverts control flow, jump is likely to land in malicious code

Outline 1 Background 2 Return Oriented Programming 3 Heap Spray 4 Summary

Summary Code injection is not necessary for arbitrary exploitation. Defenses that distinguish good code from bad code are hard and also useless. Return-oriented programming (ROP) likely possible on every architecture, not just x86. ROP shell code can be automatically generated (Q [USENIX Security 2011]) from application binary code There are many ways to write robust shell code besides ROP

References [CCS07]H. Shacham The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) [CCS08] Buchanan et al.: When good instructions go bad: Generalizing return-oriented programming to RISC [USENIX Securiy09] Hund et al. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms [ACSAC09] Surgically Returning to Randomized Lib(c) [USENIX Securiy11] Q: Exploit Hardening Made Easy [USENIX Securiy09] Nozzle: A Defense Against Heap-spraying Code Injection Attacks

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback