Framing Signals—A Return to Portable Shellcode
Erik Bosman and Herbert Bos
Vrije Universiteit, Amsterdam
35th IEEE Symposium on Security and Privacy (May 2014)
Best Student Paper Award
A Seminar at Advanced Defense Lab
Outline
• Introduction
• Signal Delivery on UNIX Systems
• SROP
• Turing-Complete Interpreter
• Mitigation
2014/6/16
Introduction
[Figure: System, Kernel and Application laid out across kernel space and user space; arrows labelled "System Call, Interrupt" (into the kernel) and "Signal" (back to the application)]
In This Paper…
• While each flavor handles signals in slightly different ways, the different implementations are all very similar.
• We show that the implementation can be used as an attack method in exploits and backdoors.
Stack Smashing Attacks
• But…
• W^X (OpenBSD)
• Exec Shield (Linux)
• DEP (Windows)
[Figure: stack layout with Buffer, Shellcode and Return Address]
Code Reuse Attacks
[Figure: stack with Buffer and a chain of Return Addresses pointing into existing Code]
Ret-to-libc vs. ROP
| | Ret-to-libc | ROP/JOP | SROP |
|---|---|---|---|
| Complexity | Few function addresses | Many gadgets | Few gadgets |
| Code source | Only functions in library | Any executable segment | As ROP |
| To defeat ASLR | Information leak, or non-randomized library | Information leak | As ROP |
| To change shellcode | Easy | Hard | Easy |
Signal Delivery on Early UNIX Systems
[Figure: stack and code during signal delivery on early UNIX. The signal frame on the stack holds the user context, the signal parameters and a return address; the code side shows the signal handler and signal dispatcher (user code) and the kernel code, with ip and sp markers]
UNIX V6 Interrupt Routine
sigreturn system call (4.3BSD)
[Figure: the same signal-delivery diagram (signal frame with user context, signal parameters and return address on the stack; signal handler, signal dispatcher and kernel code), now with the return from the handler labelled "Invoke sigreturn"; ip and sp markers]
A Signal Frame in Linux x86-64
SROP
[Figure: the signal-delivery diagram reused for SROP: signal frame (user context, signal parameters, return address) on the stack; signal handler, signal dispatcher and kernel code; ip and sp markers; "Invoke sigreturn"]
An example of a sigreturn chain in SROP
[Figure: stack holding two fake signal frames, each preceded by "Ret: sigreturn" and setting rip to syscall, rax to the syscall number (sys_xxx in the first frame, sys_yyy in the second) and the other registers to the syscall arguments; the code side shows the gadget `mov sigreturn, %rax; syscall; ret`; ip and sp markers trace how sp and ip move from one frame to the next]
SROP Pre-conditions
• The attacker should have control over the instruction pointer.
• The stack pointer should be located on attacker-controlled data, and NULL bytes must be allowed.
• The attacker knows the address of a piece of data controlled by the attacker.
• The attacker knows the location of code calling sigreturn, or syscall.
Finding a sigreturn Gadget
Linux x86-64 vsyscall page
A Linux x86-64 SROP Exploit
SROP as a Backdoor
An SROP syscall proxy on iOS
Turing-Complete Interpreter
Mitigation
• Signal Frame Canaries
Q & A