I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation. Mathias Payer

Similar documents
String Oriented Programming Exploring Format String Attacks. Mathias Payer

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSE 509: Computer Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

secubt Hacking the Hackers with User Space Virtualization

Lecture 4 September Required reading materials for this class

Buffer overflow prevention, and other attacks

Basic Buffer Overflows

CS 161 Computer Security

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

in memory: an evolution of attacks Mathias Payer Purdue University

Buffer Overflow Vulnerability

Runtime Defenses against Memory Corruption

20: Exploits and Containment

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

CMPSC 497 Buffer Overflow Vulnerabilities

Lecture 08 Control-flow Hijacking Defenses

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Return-orientated Programming

Architecture-level Security Vulnerabilities

ECS 153 Discussion Section. April 6, 2015

(Early) Memory Corruption Attacks

0x1A Great Papers in Computer Security

Software Security II: Memory Errors - Attacks & Defenses

Advanced Buffer Overflow

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Secure Programming I. Steven M. Bellovin September 28,

CSE 565 Computer Security Fall 2018

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Memory Corruption 101 From Primitives to Exploit

CSE 127 Computer Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Exercise 6: Buffer Overflow and return-into-libc Attacks

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

Architecture-level Security Vulnerabilities. Julian Stecklina

Exploits and gdb. Tutorial 5

Software Security: Buffer Overflow Attacks

CS 5460/6460 Operating Systems

18-600: Recitation #4 Exploits

Language Security. Lecture 40

Inline Reference Monitoring Techniques

Selected background on ARM registers, stack layout, and calling convention

Buffer Overflows Defending against arbitrary code insertion and execution

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

One-Slide Summary. Lecture Outline. Language Security

Biography. Background

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Advanced Buffer Overflow

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Writing Exploits. Nethemba s.r.o.

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Machine-Level Programming V: Unions and Memory layout

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Advanced Systems Security: Control-Flow Integrity

Buffer Overflow and Protection Technology. Department of Computer Science,

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Confinement (Running Untrusted Programs)

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CS527 Software Security

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

CSE 127 Computer Security

Secure Systems Engineering

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Outline. Memory Exploit

The Geometry of Innocent Flesh on the Bone

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Secure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge

18-600: Recitation #4 Exploits (Attack Lab)

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Intro to x86 Binaries. From ASM to exploit

Practical Malware Analysis

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Code Injection Attacks Buffer Overflows

CSE 127 Computer Security

Software Security: Buffer Overflow Defenses

How to Sandbox IIS Automatically without 0 False Positive and Negative

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

From Over ow to Shell

Topics in Software Security Vulnerability

Buffer overflow background

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Bypassing Browser Memory Protections

Program Security and Vulnerabilities Class 2

Secure Software Development: Theory and Practice

CSE 127 Computer Security

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Transcription:

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net>

Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege level Every exploit has full user-privileges Local privilege escalation through auxiliary attacks Tight security-models limit privileges on both A per-application level and A per-user level Idea: each application only has access to the data owned by a specific user that is useful for the application 2

Fahrplan Introduction Protection through virtualization Attack Vectors Code Injection Return-oriented programming Format String Attacks Arithmetic Overflow Data Attacks x86_64 vs. i386 code Demo Conclusion 3

Introduction Software security is a challenging problem Both managed and unmanaged languages are prone to attacks Many different forms of attacks exist Low-level bugs are omni-present And high-level languages compile down to low-level code Hard to eliminate bugs They are hard to find and hard to fix 4

Introduction Programmers rely on too many assumptions That are not necessarily part of the semantics of the programming language, e.g., Memory layout (little vs. big endian) Type sizes (long is always 4 byte long) Variable placement (layout of structures) Goal of this talk: Understand attack vectors and constraints Know how to defend yourself against the attacks Different techniques and security measurements Security analysis Know your assumptions (e.g., language, compiler, architecture) 5

Fahrplan Introduction Protection through virtualization Attack Vectors Code Injection Return-oriented programming Format String Attacks Arithmetic Overflow Data Attacks x86_64 vs. i386 code Demo Conclusion 6

Protection through virtualization Like many other problems in CS security can be increased through an additional layer of indirection We propose a user-space virtualization system that secures all program code and authorizes all system calls kernel (privileged code) application code kernel (privileged code) application user space SFI and guards code 7

Protection through virtualization Security principles: All code is translated before it is executed. Additional guards are added to the translated code Catches control flow transfers to illegal locations (code injection) Catches illegal control flow transfers (arc attacks) Catches jumps into other instructions Catches switches between i386 and x86_64 All system calls are authorized by a policy Catches privilege escalation Catches data bugs that execute unintended system calls 8

Virtualization in a nutshell Translator Translates individual basic blocks Verifies code source / destination Checks branch targets and origins Original code 1 2 3 4 R Mapping table 1 1' 2 2' 3 3'... Indirect control flow transfers use a dynamic check to verify target and origin Code cache 1' 2' 3' RX See: Generating Low-Overhead Dynamic Binary Translators (Mathias Payer, youtube.com/watch?v=vixaqeahixs) 9

Static security guards Check code location Exported in module / object as code region Verify permissions of the page according to the module Check target of static control transfers Permission check (through GOT global offset table) for inter-module transfers Verify valid instructions from the beginning of a function to the target of the jump instruction 10

Dynamic security guards Dynamic checks for dynamic control transfers Return instructions, indirect calls, indirect jumps Verify that target is valid and translated Untranslated targets fall back into the static check Verify return instructions Validate stack and use a shadow stack 11

System call authorization System calls redirect to an authorization framework Policy based authorization For wide variety of system calls and parameter combinations Authorization functions For redirected system calls Reimplementations of system calls in user space Additional validation of dangerous system calls : mmap (overlapping regions); mprotect (make code executable); fork (new processes); clone (new threads) System calls are allowed, redirected to the authorization function, or the program is terminated with a security exception 12

Fahrplan Introduction Protection through virtualization Attack Vectors Code Injection Return-oriented programming Format String Attacks Arithmetic Overflow Data Attacks x86_64 vs. i386 code Demo Conclusion 13

Attack vectors Attacks redirect control flow New or alternate locations are reached Execution is different from unaltered run An attack exploits the fact that the programmer or the runtime system is unable to check the bounds of a buffer or to detect a type overflow or to detect an out-of-bounds access 14

Code injection Injects new executable code into the process image of a running process Into buffer on the stack Into heap-based data structures Redirects control flow to the injected code Overwriting the RIP (return instruction pointer) Overwriting function pointers, destructors, or data structures of the memory allocator 15

Code injection: stack-based Exploits a missing or incomplete bound check on stack-based buffers Exploit uses two steps: Buffer on the stack is filled with machine-code Stack grows downwards and (eventually) overwrites RIP with pointer back into the buffer Constraints Executable stack Missing/faulty bound check RIP must not be verified/checked See: Smashing the Stack for Fun & Profit (Aleph1, Phrack #49) 16

Code injection: stack-based int foobar(char* cmp) { // assert(strlen(cmp)) < MAX_LEN char tmp[max_len]; strcpy(tmp, cmp); return strcmp(tmp, "foobar"); } No bound checks when data is copied! 0xe0 0xf0 tmp saved base pointer return address 1 st argument: cmp* length of user input 0xe0 0xf0 exploit tmp & nop slide saved don't base care pointer return address 1 st argument: cmp* 0xff next stack frame next stack frame 17

Code injection: heap-based Exploits a missing or incomplete bound check on heap-based buffers Very similar to stack-based overflows Exploit uses two steps: Buffer on the heap is filled with machine-code Function pointer, vtable-entry, (GLIBC) destructor, or memory management data-structure altered to redirect control flow Constraints Executable heap Missing/faulty bound check Successful redirection of the control flow 18

Code injection: heap-based typedef struct { char buf[max_len]; int (*cmp)(char*,char*); } vstruct; int is_foobar_heap(vstruct* s, char* cmp) { strcpy(s->buf, cmp); return s->cmp(s->buf, "foobar"); } No bound checks when data is copied! 0xb0 0xbf buf cmp* length of user input 0xb0 0xbf exploit & buf nop slide cmp* 19

Code injection: a tool writers perspect. The BT would stop the program when the control flow transfer is detected Before the shellcode is even translated Two exceptions would be triggered Code is (about to be) executed in a non-executable area Function call to an unexported/unknown symbol (heap-based) RIP mismatch (stack-based) Use BT to analyze exploits/shellcode Catch new exploits and security holes Use debugging info in application to fix bugs Use BT to audit your own software / test your exploits 20

Return-oriented programming Exploit already existing code sequences Prepare the stack so that tails of library functions are executed one after another Stack-based overflow is used to prepare multiple stack invocation frames Control flow redirected to tails of library functions Tails can be used to execute arbitrary code Constraints Missing bound check for the initial stack-based overflow RIP must not be checked See: Return-Oriented Programming (Shacham, Black Hat'08) 21

Return-oriented programming int foobar(char* cmp) { // assert(strlen(cmp)) < MAX_LEN char tmp[max_len]; strcpy(tmp, cmp); return strcmp(tmp, "foobar"); } No bound checks when data is copied! 0xe0 0xf0 0xff tmp saved base pointer return address 1 st argument: cmp* next stack frame length of user input 0xe0 0xf0 don't tmp care saved don't base care pointer points return to address &system() ebp 1 st argument: after system cmp* call 1 st argument to system() next stack frame 0xff 22

ROP: a tool writers perspective The BT would stop the program when the control flow transfer is detected Before the function tail or libc function is translated The execve system call would be stopped as well Real attacks would chain multiple libc calls Can be used to inject code into the address space in a legal manner (use mprotect to update permissions) 23

Format string attack Exploit the parsing possibilities of the printf-family If a user-controlled string is passed to a printf function A combination of %x and %n in strings that are passed to printf unfiltered result in random memory reads and random memory writes Careful preparation of the input is needed The format string must be allowed to contain %n and, e.g., %x to write to memory Random writes can be used to redirect the control flow by overwriting, e.g., the RIP, destructors, or the vtable 24

Format string attack printf examples: printf("val: %d, ptr: %p, str: %s\n", a, &a, str); // value: 12, ptr: 0x7fffffffe27c, str: foobar Interesting printf features %NN$x use the NN-th parameter (out of order access) %MMx print the parameter using MM bytes %NN$MMx print the NN-th parameter using MM bytes %hn write the amount of printed characters to the given parameter %KK$hn write the amount of chars to KK-th parameter General idea: Combine these features for random writes to memory 25

Format string attack void foo(char* cmp) { } char text[1024]; strcpy(text, cmp); printf(text); // correct: printf("%s", text); Use references to our string to retrieve pointers \x7c\xd3\xff\xff\x7e\xd3\xff\xff%12$2043x.%12$hn%11$32102x%11$hn Writes 0x0804 to 0xffffd37e and 0x856a to 0xffffd37c First 8 bytes of the string contain 2 pointers to half words %12$2043x prints 2043 bytes (increases the # of printed bytes) %12$hn writes a half word with the # of printed bytes to the first address %11$32102x writes 32102 more bytes %11$hn writes the second half word to memory This redirects the return instruction pointer to our special function 26

Format string: a tool writers perspect. BT stops the program when the control flow is redirected Change of RIP to new function System call guard checks arguments of system calls Policy violations are detected and the program is stopped Random writes to memory only detectable with full memory tracking 27

Arithmetic overflow Exploit overflows in data types Sometimes the bounds are checked before an arithmetic operation Data types are of a specific length, arithmetic operations can cause overflows or underflows Dangerous (unchecked) values passed to functions Constraints Lax or implicit type conversions Sign errors, rounding errors, type overflows, and wrong pointer arithmetic 28

Arithmetic overflow /* found in: OpenSSH 3.3 */ nresp = packet_get_int(); if (nresp > 0) { response = xmalloc(nresp*sizeof(char*)); for (i = 0; i < nresp; i++) response[i] = packet_get_string(null); } Seems correct on first look But pass 0x40000000 as len parameter sizeof(int)=4 0x40'00'00'00*4 = 0x1'00'00'00'00 = 0x00'00'00'00 xmalloc() suceeds Following loop overwrites (large) parts of memory 29

Arith. ovfl: a tool writers perspective Often used to overwrite memory and prepare secondary attack Or can be used to inject code (similar to buffer overflow) BT detects the control flow transfer to illegal code System call authorization protects from system call only attacks Food for thought: Use BT to analyze EFLAGS 30

Data attack Exploits a missing or faulty bound check Writes data to an user-controlled address Almost as much fun as format-string exploits Results in a random write to memory Position and value often only partially checked Use, e.g., integer overflow or combine with other attack void foo(int pos, int value, int* data) { } data[pos] = value; 31

Data attack: a tool writers perspective void foo(int pos, int value, int* data) { data[pos] = value; } movl 0x8(%ebp),%eax ; pos shll $0x2,%eax ; pos * 4 addl 0x10(%ebp),%eax ; data + pos*4 movl 0xc(%ebp),%edx ; value movl %edx,(%eax) Random (4b) write to memory Relative to position of data array (static?) Constraint: pos and value are user controlled Hard to detect, BT stops illegal control flow transfers or illegal system calls ; data[pos]=val. 32

Mixing x86_64 and i386 code Modern kernels support both x86_64 and i386 code in parallel Code can even be mixed in one program System call authorization tools and static verifiers work on the assumption that only one form of machine code is used System calls have different numbers in 32bit and 64bit mode Checkers can be tricked to allow dangerous system calls Only a dynamic runtime security system that is 64bit aware can guard against these threats See: Bypassing syscall filtering technologies (Chris Evans) 33

Mixing code: a tool writers perspective System calls mixup even worse for seccomp-based sandboxes Seccomp allows exit, read, write, sigreturn Mixe-up allows stat or chmod BT detects long jump that switches between i386 and x86_64 mode Syscall tables switched accordingly 34

Demos This is what you've been waiting for Which exploit do you want to see? Heap-based code injection Return-oriented programming Format string attack Please vote! 35

Code injection: heap-based (DEMO) Open file, read data from file and execute is_foobar_heap Compare function is overwritten depending on file input The BT would stop the program when the control flow transfer to the heap is detected Before the shellcode is even translated Two exceptions would be triggered Code is (about to be) executed in an non-executable area Function call to an unexported/unknown symbol Without security enabled BT translates and disassembles exploit code See exploit dump 36

Return-oriented programming (DEMO) Simple stack-based overflow used to prepare a single stack frame Call to system with /bin/sh as parameter Original program fails after return from system The BT would abort the program when the change of the RIP is detected The RIP now points to a non-exported symbol The execve system call would be stopped as well BT without security translates and executes execve Log shows last entry with a system call 37

Format string attack (DEMO) Attack combines two half-word writes Only RIP overwritten Real exploit would overwrite multiple words to prepare second stage of attack The BT would abort the program when the change of the RIP is detected The RIP now points to a non-exported symbol The execve system call would be stopped as well BT without security translates and executes execve Log shows last entry with a system call 38

Conclusion User-space BT contains security problems Security violations detected and program terminated User-space, fine-grained, per-process, per-user model of security Virtualization used to analyze threats Analyze malicious payload Observe control transfers and locations of break-ins fastbt supports the full ia32 ISA; x86_64 almost complete; no kernel modification necessary All forms of system calls checked and authorized Source & demos: http://nebelwelt.net/fastbt 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback