Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Similar documents
Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Control-Flow Integrity

CMPSC 497 Execution Integrity

Inject malicious code Call any library functions Modify the original code

Return-orientated Programming

Software Security: Buffer Overflow Defenses

CS 161 Computer Security

Software Security: Buffer Overflow Attacks

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Advanced Systems Security: Program Diversity

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Software Security: Buffer Overflow Attacks (continued)

Software Security II: Memory Errors - Attacks & Defenses

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Vulnerability Analysis I:

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CMPSC 497 Buffer Overflow Vulnerabilities

CS 161 Computer Security

Outline. Memory Exploit

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Software Security: Buffer Overflow Defenses and Miscellaneous

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

The Geometry of Innocent Flesh on the Bone

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 127 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

On Compilers, Memory Errors and Control-Flow Integrity

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Advanced Systems Security: Ordinary Operating Systems

Remix: On-demand Live Randomization

Inline Reference Monitoring Techniques

Lecture 10 Code Reuse

CSE 509: Computer Security

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Biography. Background

CSE 127 Computer Security

CSE 127 Computer Security

Midterm 1 Review. Memory Safety & Web Attacks

Abstraction Recovery for Scalable Static Binary Analysis

Return-Oriented Rootkits

Exploit Mitigation - PIE

Lecture 08 Control-flow Hijacking Defenses

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

From Over ow to Shell

CSE Computer Security

CMPSC 497: Midterm Review

Selected background on ARM registers, stack layout, and calling convention

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Defeating Return-Oriented Rootkits with Return-less Kernels

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

SoK: Eternal War in Memory

Advanced Buffer Overflow

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

CSE 127 Computer Security

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Outline. Heap meta-data. Non-control data overwrite

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

18-600: Recitation #4 Exploits

20: Exploits and Containment

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Outline. Format string attack layout. Null pointer dereference

Memory Safety (cont d) Software Security

CODE reuse attacks (CRAs) emerged as a powerful attack, HCIC: Hardware-assisted Control-flow Integrity Checking

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Smashing the Buffer. Miroslav Štampar

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Advanced Buffer Overflow

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

CSE Spring Assignment 3: Return-oriented Programming

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

0x1A Great Papers in Computer Security

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Control Flow Integrity

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Q: Exploit Hardening Made Easy

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

CSE Computer Security (Fall 2006)

Secure Software Development: Theory and Practice

Exploits and gdb. Tutorial 5

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1

Anatomy of Control-Flow Exploits 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region 2

Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, Second -- attacker uses control of program flow to launch attacks E.g., Code injection Adversary injects malcode into victim E.g., onto stack or into other data region How is code injection done? 2

Code Injection 3

Code Injection Advantage 3

Code Injection Advantage Adversary can install any code they want 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both 3

Code Injection Advantage Adversary can install any code they want What code do adversaries want? Defenses NX bit - set memory as non-executable (stack) W (xor) X - set memory as either writeable or executable, but not both What can adversary do to circumvent these defenses and still execute useful code (for them)? 3

Return-to-libc Attacks 4

Return-to-libc Attacks Method 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions How to overcome this defense??? 4

Return-to-libc Attacks Method Overwrite target of indirect call/jmp target to a library routine (e.g., system) Return address, function pointer, Advantage Get useful function without code injection Defenses Remove unwanted library functions How to overcome this defense??? Topic of today s lecture 4

Return-Oriented Programming Arbitrary exploitation without code injection or whole-function reuse (return-to-libc) 5

Return-Oriented Programming 6

ROP Thesis 7

Return-to-libc 8

ROP vs return-to-libc 9

ROP Attacks 10

Machine Instructions 11

ROP Execution 12

Building ROP Functionality 13

Building ROP Functionality 14

Building ROP Functionality 15

Creating Programs 16

Finding Gadgets 17

ROP Conclusions 18

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000 = Return Address buf

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000 = Return Address buf

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret Registers %eax = %ebx = G1 5 jmp G2 0x8048000 jump G3... Memory 0x8048000 = Return Address buf

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax = %ebx = 5... Memory 0x8048000 =

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax = %ebx = 5... Memory 0x8048000 =

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax = %ebx = 5 0x8048000... Memory 0x8048000 =

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x8048000 jump G3 Return Address buf Registers %eax = %ebx = 5 0x8048000... Memory 0x8048000 =

ROP Example Use ESP as program counter E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax ret pop %ebx ret movl %eax, (%ebx) ret G1 5 jmp G2 0x8048000 jump G3 Return Address buf... Registers Memory %eax = 5 0x8048000 = 5 %ebx = 0x8048000

Advanced Defenses 20

Advanced Defenses Control-flow attack defenses operate at two stages 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses 20

Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 20

Control-Flow Integrity 21

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences 21

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph 21

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, returns,... 21

Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, returns,... Challenges Building accurate model Efficient enforcement 21

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 22

Our Mechanism F A F B call fp return 23

Our Mechanism F A F B call fp return CFG excerpt A call B 1 A call+1 B ret 23

Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp return CFG excerpt A call B 1 A call+1 B ret 23

Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 23 B 1 B ret

More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } call fp F C 24

More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 24

Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B F B succ(b ret ) = {A call+1, D call+1 } F D return call F B 25

Imprecise Return Information F A Q: What if F B can return to many functions? CFG excerpt A call+1 D call+1 B ret call F B nop IMM 2 F B succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 25

Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B ret call+1 succ(b ret ) = {A call+1, D call+1 } F D if(**esp!= nop IMM 2 ) halt return call F B nop IMM 2 25

Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can return to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B ret call+1 succ(b ret ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt return CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 25

No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 26

No Zig-Zag Imprecision CFG excerpt A call B 1 E call C 1 26

No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 E call C 1 26

No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 26

More Challenges 27

More Challenges Returns used as jumps E.g., signal handling 27

More Challenges Returns used as jumps E.g., signal handling Exceptions 27

More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries 27

More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly 27

More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 27

Alternatives to CFI? 28

Alternatives to CFI? What are the fundamental enablers of ROP attacks? CFI: violate control flow Adversary can choose gadgets 28

Alternatives to CFI? What are the fundamental enablers of ROP attacks? CFI: violate control flow Adversary can choose gadgets Can we prevent adversaries from choosing useful gadgets? In general, adversaries can create/ obtain the same binary as is run by the victim But, that need not be the case 28

Apply Crypto to Code? 29

Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? 29

Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget) is sufficiently low and the program still runs correctly and efficiently 29

Apply Crypto to Code? Can we randomize the program s execution in such a way that an adversary cannot select gadgets? Given a secret key and a program address space, encrypt the address space such that the probability that an adversary can locate a particular instruction (start of gadget) is sufficiently low and the program still runs correctly and efficiently Called address space randomization 29

Prevent Injection on Stack Stack Heap 30

Prevent Injection on Stack One idea applied in practice Stack Heap 30

Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Stack Heap 30

Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Randomize the base address of the stack on each execution Prevents adversary from predicting malicious return address Stack Heap 30

Prevent Injection on Stack One idea applied in practice Suppose an adversary wants to inject code onto the stack Write onto the stack (buffer overflow) Jump to that malcode (return address) Randomize the base address of the stack on each execution Prevents adversary from predicting malicious return address Can we apply this idea more generally???? Stack Heap 30

ASLR Stack Heap Data Text 31

ASLR For control-flow attacks, attacker needs absolute addresses Stack Heap Data Text 31

ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Stack Heap Data Text 31

ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 31

ASLR Implementations 32

ASLR Implementations Linux 32

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) 32

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes 32

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used 32

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Only few programs in Linux use PIE 32

ASLR Implementations Linux Introduced in Linux 2.6.12 (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] 32

ASLR Implementations 33

ASLR Implementations Windows 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base Insufficient randomization for some - e.g., heap and image 33

ASLR Implementations Windows Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible From Vista study Good randomization for stack base Insufficient randomization for some - e.g., heap and image Lesson: bad crypto use will lead to vulnerabilities - again 33

ASLR Limitations 34

ASLR Limitations Attacks may leak randomization information 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities So, what can we do? 34

ASLR Limitations Attacks may leak randomization information Disclosure attacks Use vulnerability to read an unauthorized program memory (extract code or randomizing state) ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities So, what can we do? How do we avoid leaking the key? 34

Conclusion Defense against control-flow and data attacks is an ongoing arms race Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers However, they have implementation limitations Active area of research 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback