Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks

Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy
Ruhr-University Bochum, Germany (System Security Lab)

ACM STC 2009 – 4th Annual Workshop on Scalable Trusted Computing, Chicago, Illinois, USA – November 13, 2009

Slide transcript, 19 pages.


Page 1 (title slide)

Page 2

2009-11-13 – DynIMA: Towards Defense Against Return-Oriented Programming – RuhR-University Bochum, Marcel Winandy, System Security Lab

Introduction

● Return-Oriented Programming (ROP) attacks
  – Generalization of “return-into-libc” attacks
  – Change program behavior without code injection
  – Instead, use existing code
● The NX bit doesn't help!
● Discovered for Intel CISC (CCS 2007), and generalized to RISC architectures (CCS 2008)

Page 3

ROP Attack

Page 4

How does ROP work?

● Assumption: attacker controls the stack
● Stack is overwritten with return addresses

Page 5

Properties of ROP

● Points into the middle of functions
● Typically small instruction sequences (gadgets)
● Creates unintended instruction sequences
● Example:

    b8 13 00 00 00    mov $0x13,%eax
    e9 c3 f8 ff ff    jmp 3aae9

Page 6

Properties of ROP

● Points into the middle of functions
● Typically small instruction sequences (gadgets)
● Creates unintended instruction sequences
● Example:

    b8 13 00 00 00    mov $0x13,%eax
    e9 c3 f8 ff ff    jmp 3aae9

Page 7

Properties of ROP

● Points into the middle of functions
● Typically small instruction sequences (gadgets)
● Creates unintended instruction sequences
● Example:

    b8 13 00 00 00    mov $0x13,%eax
    e9 c3 f8 ff ff    jmp 3aae9

  Decoding the same bytes starting at the third byte of the mov instead yields:

    00 00             add %al,(%eax)
    00 e9             add %ch,%cl
    c3                ret

Code is interpreted differently!

Page 8

Our Proposal

● DynIMA: Dynamic Integrity Measurement and Attestation
  – Bridge the gap between load-time attestation and runtime integrity monitoring
  – Support for a wide range of programs (e.g., no source code available)
  – Our focus: detection of ROP attacks
● Main idea: include runtime checks via code instrumentation before loading programs

Page 9

DynIMA Architecture

Page 10

Tracking Instrumentation

● We examine two approaches
  – Taint Tracking
  – Dynamic Tracing

Page 11

Taint Tracking

● Dynamic taint analysis marks untrusted data as tainted and tracks its propagation
● Terminates the program if tainted data is misused (e.g., as a pointer)

Page 12

Using Taint Tracking to Detect ROP

● Idea: count the instructions executed between two rets and raise an alert if there are 5 or fewer
  – Observation: ROP gadgets are small (2 – 5 instructions)
  – We were able to detect ROP attacks
  – But: does this work in general?
    ● False positives / false negatives
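The gadget-length heuristic above, as an added example that is not part of the original slides: a Python model of the check run over constructed instruction traces (plain lists of mnemonics, not a real Pin trace). It flags the constructed chain of gadgets of 1 to 3 instructions, but also exhibits both failure modes the slide asks about: a two-instruction accessor in benign code fires the same alert (false positive), and a seven-instruction gadget at the end of the chain passes silently (false negative). The threshold of 5 is the slide's; the traces and the `short_ret_gaps` and `function` helpers are assumptions of this example.

```python
"""Gadget-length heuristic (page 12): count the instructions executed between two
consecutive `ret` instructions and raise an alert when the count is 5 or fewer.
Added example on constructed, simplified traces (lists of mnemonics); not code
from the DynIMA paper."""

MAX_GADGET_LEN = 5  # threshold stated on the slide


def short_ret_gaps(trace, threshold=MAX_GADGET_LEN):
    """Return (index_of_previous_ret, index_of_this_ret, n_between) for every
    `ret` that follows the previous `ret` within `threshold` instructions.
    Each tuple is one alert of the heuristic."""
    alerts = []
    last_ret = None
    for i, mnemonic in enumerate(trace):
        if mnemonic != "ret":
            continue
        if last_ret is not None:
            between = i - last_ret - 1  # instructions strictly between the two rets
            if between <= threshold:
                alerts.append((last_ret, i, between))
        last_ret = i
    return alerts


def function(body_len):
    """Constructed trace of one code sequence: body_len non-ret instructions
    followed by its ret. Used both for ordinary functions and for gadgets."""
    return ["insn"] * body_len + ["ret"]


# Constructed benign execution: three ordinary functions; the second is a tiny
# accessor (two instructions), which the heuristic cannot tell from a gadget.
BENIGN_TRACE = function(12) + function(2) + function(9)

# Constructed ROP chain after a legitimate 12-instruction function: four gadgets
# of 1 to 3 instructions, then one unusually long gadget (7 instructions).
ROP_TRACE = (function(12) + function(1) + function(3) + function(2)
             + function(1) + function(7))


if __name__ == "__main__":
    print("benign :", short_ret_gaps(BENIGN_TRACE))  # one false positive (the accessor)
    print("rop    :", short_ret_gaps(ROP_TRACE))     # four alerts; the 7-insn gadget is missed
```

The alert tuples make the trade-off concrete: lowering the threshold removes the accessor's false positive only at the price of missing more gadgets, and raising it to catch the long gadget makes short benign functions indistinguishable from a chain.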

Page 13

Dynamic Tracing

● Instrument code on-the-fly
● Tracing code exists only if probes are activated
  – Seems to be more flexible and faster
● DTrace (available on OpenSolaris, Mac OS X)
  – Code instrumentation and probe points configured via the D programming language

Page 14

Using DTrace

● Idea: detect whether functions are entered at their beginning or in the middle
● D program:

Page 15

Using DTrace

● Idea: detect whether functions are entered at their beginning or in the middle
● D program:
● However: this can only detect intended returns

Page 16

Some Recent Results

● The instrumentation tool underlying the taint analysis, PIN, is faster and more powerful than DTrace
● We now use PIN directly:
  – On function call: memorize the valid return address
  – Check every instruction whether it is a ret
  – Compare the current ret target against the valid addresses (in the list)
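The PIN-based check above, as an added example that is not code from the DynIMA tool: a Python model of the three steps on a constructed trace of instructions (address, size, kind, and for a ret the address it actually transfers to, which Pin would read from the stack). `check_returns` records the return address at every call and validates every ret against the recorded list, as the slide states; the `strict` option is an addition of this example, a LIFO shadow stack that additionally requires the ret to match the most recent call that has not returned yet. The constructed chain ends by returning to an address that an earlier legitimate call did record, which the list check accepts and the LIFO check rejects; that is the reason to prefer the stricter variant where the overhead allows. The `ins` helper and both traces are constructed for this example.

```python
"""Return-address validation via instrumentation (page 16), modelled in Python on
constructed traces. Added example, not the DynIMA Pin tool.

Each trace entry is a dict: addr (instruction address), size (length in bytes),
op ('call', 'ret' or 'insn') and target (callee address for a call; for a ret the
address actually returned to, which Pin would read from the stack pointer)."""


def ins(addr, size, op="insn", target=None):
    """Build one constructed trace entry."""
    return {"addr": addr, "size": size, "op": op, "target": target}


def check_returns(trace, strict=False):
    """Walk the trace and return a list of violations (trace_index, ret_addr, target).

    strict=False: the slide's check. Every call records its return address
                  (addr + size); a ret is valid if its target is in that list.
    strict=True:  LIFO shadow stack (stricter variant added here). A ret must go to
                  the address recorded by the most recent call not yet returned from.
    """
    recorded = []    # return addresses recorded at calls, in call order
    violations = []
    for i, insn in enumerate(trace):
        if insn["op"] == "call":
            recorded.append(insn["addr"] + insn["size"])
        elif insn["op"] == "ret":
            target = insn["target"]
            if strict:
                expected = recorded.pop() if recorded else None
                ok = target == expected
            else:
                ok = target in recorded
            if not ok:
                violations.append((i, insn["addr"], target))
    return violations


# Constructed benign run: main (0x1000) calls foo (0x2000) twice; foo returns to
# the instruction after each call (0x1008, then 0x100f).
BENIGN_TRACE = [
    ins(0x1000, 3),
    ins(0x1003, 5, "call", 0x2000),
    ins(0x2000, 1),
    ins(0x2001, 3),
    ins(0x2004, 1, "ret", 0x1008),
    ins(0x1008, 2),
    ins(0x100a, 5, "call", 0x2000),
    ins(0x2000, 1),
    ins(0x2001, 3),
    ins(0x2004, 1, "ret", 0x100f),
    ins(0x100f, 1),
]

# Constructed hijacked run: foo's return address was overwritten, so its ret lands
# in the middle of a function (0x3004); two short gadgets follow, and the last one
# returns to 0x1008, an address the earlier legitimate call did record.
ROP_TRACE = [
    ins(0x1000, 3),
    ins(0x1003, 5, "call", 0x2000),
    ins(0x2000, 1),
    ins(0x2001, 3),
    ins(0x2004, 1, "ret", 0x3004),   # never recorded by any call
    ins(0x3004, 2),
    ins(0x3006, 1, "ret", 0x3010),   # never recorded by any call
    ins(0x3010, 2),
    ins(0x3012, 1, "ret", 0x1008),   # recorded earlier: passes the list check only
    ins(0x1008, 2),
]


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("rop", ROP_TRACE)):
        print(name, "list :", check_returns(trace))
        print(name, "lifo :", check_returns(trace, strict=True))
```

With the list check the hijacked trace yields two violations; with the LIFO check it yields three, because the final return to 0x1008 has no matching outstanding call. Pin reports the violating ret address, so either variant gives a defender the exact instruction at which control flow left the intended path.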

Page 17

Performance of Detection with PIN

● First results:

    Program    w/o Pin     with ROP-Detect
    gzip        16.49 s     24.51 s
    bzip2      157.72 s    173.43 s
    bunzip2     63.19 s     73.98 s
    sha1sum      3.18 s      6.77 s

● Overhead of ROP-Detect instrumentation:

    gzip       48.64 %
    bzip2       9.96 %
    bunzip2    17.08 %
    sha1sum   112.89 %

Page 18

Conclusion

● Return-Oriented Programming attacks can change runtime program behavior without code injection
● A good solution would be:
  – Do your coding right (no buffer overflows, etc.)
  – CPU modification to protect the return address stack
  – However, neither is to be expected on PCs soon
● Dynamic instrumentation might help to detect ROP attacks
● Future work:
  – Analyze ROP detection capability
  – Improve performance

Page 19

Questions?

Marcel Winandy
Ruhr-University Bochum

[email protected]