memory exploits & defenses - computer sciencefabian/courses/cs600.624/slides/...•terminator...
TRANSCRIPT
![Page 1: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/1.jpg)
Memory Exploits & Defenses
Presenter: Kevin Snow
![Page 2: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/2.jpg)
What is the threat?
How do we defend ourselves?
![Page 3: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/3.jpg)
What is the threat?
Stack Smashing
Return-to-libc
Format String Error
Heap Overflow
![Page 4: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/4.jpg)
Generic Stack Frame
Caller
Callee
![Page 5: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/5.jpg)
Stack Smashing
Goal:Point return address to our buffer,which contains executable code
![Page 6: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/6.jpg)
Stack Smashing
void f(char *p){ char x[128]; strcpy(x, p);}
Our Stack Generic Stack
![Page 7: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/7.jpg)
return-to-libc
Goal:Point return address to an existing
library function
![Page 8: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/8.jpg)
return-to-libc
f(){g(&foo);
}
g(char *x){char y [SZ];scanf(y);
}
Linked libraries often have useful strings lying around
![Page 9: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/9.jpg)
Format String Errors
Goal: Take advantage of printf() family offunctions
Good:printf(“%d”, num);Bad:printf(“%d”);
Good:printf(“%s”, myString);Bad:printf(myString);
![Page 10: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/10.jpg)
Format String Errors
Goal:Craft a special string that can write
arbitrary values to arbitraryaddresses
![Page 11: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/11.jpg)
Format String Errors
f(){
int x; int y;
char s[128];
scanf(s);
printf(s);
}
![Page 12: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/12.jpg)
Heap Overflow
Goal:Overwrite function pointers on heap
to point to injected code
![Page 13: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/13.jpg)
Heap Overflow
C++ objects are allocated on the heap Addresses of these object’s functions
stored on the heap (vfptr’s) Overflow heap variable and overwrite
these vfptr’s When function is invoked, our code is
executed instead
![Page 14: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/14.jpg)
How do we defend ourselves?
Canary
Library Wrapper
Shadow Stack
W⊕X Pages
![Page 15: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/15.jpg)
Canary
•Place “Canary” before return address
• terminator (0x00, 0x0a, 0x0d)
• random
•Check validity of Canary beforereturning
![Page 16: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/16.jpg)
Canary (2)
This is a great solution, right? Wrong! What about format string attacks?
![Page 17: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/17.jpg)
Library Wrappers (libsafe)
Replace know vulnerable function callswith ‘safe’ versions
‘Safe’ versions ensure nothing is writtenpast the current stack frame
![Page 18: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/18.jpg)
Library Wrappers (libsafe)
If we can not get past the stack frame,we can’t exploit anything?
Many problems:• User written input loops not protected• We can still corrupt local variables• We can still do a heap overflow
![Page 19: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/19.jpg)
Shadow Stacks
•Keeps extra copy of return address inseparate memory space
•Only allows a return if addressmatches up
![Page 20: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/20.jpg)
Shadow Stacks (2)
So, this is the foolproof solution?
• Limitations: Does not protect other data
• Local variables
• Heap overflow overwrites function pointers
![Page 21: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/21.jpg)
W⊕X Pages
•Idea: if memory is writable, it shouldnot be executable
•Does not allow stack to be executed
• Try to thwart Stack-smashing
![Page 22: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/22.jpg)
W⊕X Pages
Game over, we can not execute injectedcode
Wait! We can return-to-libc instead
![Page 23: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/23.jpg)
Defense Conclusions
No defense protects against all memoryexploits
We need a defense-in-breadth approach
![Page 24: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/24.jpg)
Two Countermeasures
Instruction Set Randomization
Address Space Randomization
![Page 25: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/25.jpg)
Countering Code-Injection Attacks WithInstruction-Set Randomization
Gaurav S. Kc et. Al.10th ACM International Conference on Computer
and Communications Security (CCS)
Intrusion detection: Randomized instruction setemulation to disrupt binary code injection attacks
Elena Gabriela Barrantes et. Al.10th ACM International Conference on Computer
and Communications Security (CCS)
![Page 26: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/26.jpg)
Instruction Set Randomization
Observation: attackers need to know theinstruction set
Idea: Obfuscate the instruction set
![Page 27: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/27.jpg)
How do we obfuscate?
Encode the machine code of anexecutable
Decode instructions before sending toprocessor
![Page 28: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/28.jpg)
Encoding Process
• XOR a key withinstructions
• Worst case for attacker:2^32 guesses
32-bit Key 32-bit Key 32-bit Key
Code⊕ ⊕ ⊕
Barrantes et. al. Proposed a one time pad to the code
![Page 29: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/29.jpg)
Decoding Process
Decoding is performed when instructions are fetchedfrom memory
Encoding Key
Encoded Instruction StreamProcessor⊕
XOR
![Page 30: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/30.jpg)
Practical Considerations
Shared libraries Kc et al. implemented in hardware
(ideally) Barrantes et al. implemented in emulator Performance may suffer
![Page 31: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/31.jpg)
ISR Thwarts an Attack
X86 Apache Web ServerISR Protected
0-day exploitshellcode[] ="\x31\xdb" // xorl"\x8d\x43\x17"// leal"\xcd\x80" // int... //...
Encoded:"\x31\xdb" // xorl"\x8d\x43\x17"// leal"\xcd\x80" // int... //...Decoded:“\x23\x54” //invalid“\xa3\x2f\x9e” //invalid“\x65\xc1 //invalid
Attacker
Crash!
![Page 32: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/32.jpg)
ISR Conclusions
The good: completely eliminates executinginjected code, seemingly
The bad: do not always have to inject code
![Page 33: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/33.jpg)
Wheres the FEEB?On the Effectiveness of
Instruction Set RandomizationN. Sovarel, D. Evans, and N. Paul
USENIX Security, 2005
![Page 34: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/34.jpg)
On the Effectiveness of ISR
ISR designed to prevent successful codeinjection
But, Sovarel et al. demonstrate attacksthat CAN inject code successfully
![Page 35: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/35.jpg)
Assumptions
Address of vulnerable buffer is known Same randomization key used for each
forked process Encoding vulnerable to known ciphertext-
plaintext attack• XOR encoding satisfies this assumption
X86 instruction set is used
![Page 36: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/36.jpg)
Attack Methodology
Goal:Distinguish between correct and
incorrect guesses
![Page 37: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/37.jpg)
Attack Methodology
X86 Apache Web ServerISR Protected
EncodedGuess: \x01 //ret?
Decoded:“\x23\x54” //invalid
Attacker
\x02 //ret?\x03 //ret?\x04 //ret?\x05 //ret?
\xc5 //invalid (crash)\xef //invalid (crash)\x7a //invalid (crash)\xc3 //valid(observable behavior)
![Page 38: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/38.jpg)
ISR Attacks
Return attack
Jump attack
Extended attack
![Page 39: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/39.jpg)
Return Attack
Inject a 1-byte near return instruction
Incorrect guess causes a crash Correct guess causes observable behaviour
• For example, some output will be returned
![Page 40: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/40.jpg)
Return Attack (2)
Top of stack…
…Return address
…Bottom of stack
Local Buffer
Top of stack…
…Address of buffer
Original return addressBottom of stack
Local BufferNear return (0xc3)
Normal Stack Layout Stack Layout After Attack
![Page 41: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/41.jpg)
Several Hurdles to Jump
The stack has been corrupted
What about false positives?
![Page 42: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/42.jpg)
False Positives
Apparent correct behavior in severalcircumstances:
• It was actually correct (1/256)• Another opcode produced the same behavior;
'near return and pop' instruction (1/256)• It decoded to a harmless opcode (NOP, etc),
and some other instruction produced the samebehavior
![Page 43: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/43.jpg)
Reducing False Positives (2)
…
…Address of buffer
…
Near return (0xc3)
(1) Apparently correct
Use a harmless instruction to eliminate false positives
(Previously guessed)
…
…Address of buffer
…
Harmless instr. (0x90)
(2) Double check
Near return (0xc3)
![Page 44: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/44.jpg)
Reducing False Positives (3)
Near return / near return and pop very similar
…
0x00Address of buffer
…
Guessed ret instr.
(1) Apparently Correct
0x00
…
0xFFAddress of buffer
…
Guessed ret instr.
(2) Double Check
0xFF
![Page 45: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/45.jpg)
Return Attack Conclusions
Strength: only need to guess a 1-byteinstruction at a time
Weakness: stack corruption makes itdifficult to use reliably
![Page 46: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/46.jpg)
Jump Attack
![Page 47: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/47.jpg)
Jump Attack
Inject a 2-byte short jump instruction
Correct guess causes an infinite loop
Incorrect guess causes crash
![Page 48: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/48.jpg)
Jump Attack (2)
Top of stack…
…Return address
…Bottom of stack
Local Buffer
Top of stack…
…Address of buffer
…Bottom of stack
Local Buffer
Offset (0xfe)Short jump (0xeb)
Normal Stack Layout Stack Layout After Attack
![Page 49: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/49.jpg)
False Positives
Again, apparent correct behavior will be exhibited inseveral circumstances:
• It was actually correct• An incorrectly decoded instruction produced an
infinite loop; there are 16 near conditional jumps• It decoded to a harmless instruction (NOP, etc), and
some other instruction produced an infinite loop
![Page 50: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/50.jpg)
False Positives (2)
(1) Apparently Correct
Change high bit in the 3rd byte toeliminate false positives
…
0x00Address of buffer
…
Short jumpOffset (0xfe)
…
0xFFAddress of buffer
…
Short jumpOffset (0xfe)
(2) Double Check
![Page 51: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/51.jpg)
Jump Attack Conclusions
Strength:• Use not restricted to special circumstances
Weaknesses:• 2-byte instruction must be guessed• Infinite loops created
![Page 52: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/52.jpg)
Extended Attack
![Page 53: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/53.jpg)
Extended Attack
Near jmp jumps to original return address
0xcd…
offsetoffsetoffset
Address of buffer
0xcd
offsetNear jump (0xe9)
Stack Layout After Attack
…Short jump (0xeb)
offset
{Jump Attack
![Page 54: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/54.jpg)
Extended Attack Conclusions
Strengths:• Not restricted to special circumstances• Only creates a few infinite loops
Weaknesses:• Initially 2-byte instructions must be guessed
![Page 55: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/55.jpg)
MicroVM
Consider an ISR aware worm Proposed ‘MicroVM’ is only 100 bytes
long• Use to execute small chunks of the worm at
a time
![Page 56: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/56.jpg)
Results
• Is 6 minutes and 8,636 attempts reasonable?
2919.4958.3625.01023894096947.31007.9029.3300351024627.4958.3136.918904512365.61009.1586.48636100283.6988.28226.3724032207.9998.111052.142084138.3983.861991.639832
Time (s)SuccessRate (%)
InfiniteLoops
Attemptsper byte
AttemptsKeyBytes
![Page 57: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/57.jpg)
Practical Considerations
The attacks make many assumptions• Address of buffer is known• Key is not re-randomized• Encoding vulnerable to known plaintext-
ciphertext attack Attacks are x86 instruction set dependent
![Page 58: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/58.jpg)
Wheres the FEEB? Conclusions
ISR can easily fix the assumptions• In fact, Sovarel et. al. had to change the RISE
implementation to conform Take this paper as a lesson in safe
implementation
”if you’re going to implement ISR, make sure every process gets a fresh key!”“When I have tried to exploit buffer overflows, anoop sled has always been needed”
![Page 59: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/59.jpg)
ISR Conclusions
The good – Effectively eliminates codeinjection, if implemented correctly
The bad – Implemented in hardware oran emulator
The ugly – Still, does nothing to protectagainst return-to-libc
![Page 60: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/60.jpg)
We still need a more general approach!
![Page 61: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/61.jpg)
Address Space Randomization
![Page 62: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/62.jpg)
Address Space Randomization
Observation: Attacker needs to knowcertain addresses in memory
Idea: Obfuscate memory addresses
![Page 63: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/63.jpg)
PaX ASLR
PageEXec Address Space LayoutRandomization brought to us by the PaXTeam
Popular open-source ASR implementation• Hardened Debian• Hardened Gentoo• Grsecurity kernel enhancements
Randomizes: stack, heap, libraries
![Page 64: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/64.jpg)
PaX - Randomization
delta_mmap
2^16 2^16 2^24
32-bit architecture process address space
Image Source: http://www.csc.ncsu.edu/faculty/junxu/software/aslp/
![Page 65: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/65.jpg)
On the Effectiveness ofAddress-Space Randomization
Means: return-to-libc, lack of entropy inPaX ASLR randomization
Goal: Guess library offset and computelocation of system()
![Page 66: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/66.jpg)
The Exploit
Note:
•Library offset is limited to 216 possibilities
• PaX ASLR does not rerandomize on fork()
• Relative addresses inside libraries are notrandomized
![Page 67: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/67.jpg)
The Exploit - Setup
Apache web server on a 32-bitarchitecture
PaX ASLR for randomization
Separated attack machine from victimwith a 100 Mbps network
![Page 68: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/68.jpg)
The Exploit - Guessing Addresses
Send probes using return-to-libc attack
Unsuccessful guess crashes
Successful guess produces observablebehavior
TIME: usleep()
![Page 69: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/69.jpg)
Attack Methodology
X86 Apache Web ServerASR Protected
Offset?0x00000001
Result:Crash!
Attacker
0x000000020x000000030x00000004
Crash!Crash!Sleep 16 seconds
![Page 70: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/70.jpg)
Probing for the offset
Top of stack…
…64 byte buffer
…Bottom of stack
…
Top of stack…
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
…Bottom of stack
Arg (0x01010101)
Usleep() addr.Ret (0xDEADBEEF)
Normal Stack Layout Stack Layout After Attack
ArgumentsReturn address
![Page 71: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/71.jpg)
Return-to-libc Attack
……
…64 byte buffer
…Bottom of stack
…
Ret (0xDEADBEEF)System() addr.
AAAAAAAAAAAAAAAAA‘/bin/sh’
…Bottom of stack
Ret() addr.
Ret() addr.Ret() addr.
Normal Stack Layout Stack Layout After Attack
ArgumentsReturn address
Buffer addr. Buffer addr.Top of stack Top of stack
![Page 72: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/72.jpg)
ASR Conclusions
The good: attempts to hinder all types ofmemory exploits (defense-in-breadth)
The bad: low entropy leaves it vulnerable
![Page 73: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/73.jpg)
We can still do better!
![Page 74: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/74.jpg)
A better approach to ASR?
64-bit architecture• Can increase randomness from 2^16 to 2^40
Randomization Frequency Granularity
• Permute stack variables• Permute code & library functions• Permute static data
Combine with other approaches
![Page 75: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/75.jpg)
Questions?
![Page 76: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/76.jpg)
Wheres the FEEB?On the Effectiveness of
Instruction Set RandomizationN. Sovarel, D. Evans, and N. Paul
USENIX Security, 2005
References
![Page 77: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/77.jpg)
On the Effectiveness of AddressSpace Randomization
H. Schacham, M. Page, B. Pfaff, E.Goh, N. Modadugu, D. Boneh
ACM CCS 04
References
![Page 78: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/78.jpg)
Countering Code-Injection Attacks WithInstruction-Set Randomization
Gaurav S. Kc et. Al.10th ACM International Conference on Computer
and Communications Security (CCS)
Intrusion detection: Randomized instruction setemulation to disrupt binary code injection attacks
Elena Gabriela Barrantes et. Al.10th ACM International Conference on Computer
and Communications Security (CCS)
References
![Page 79: Memory Exploits & Defenses - Computer Sciencefabian/courses/CS600.624/slides/...•terminator (0x00, 0x0a, 0x0d) •random •Check validity of Canary before returning Canary (2) This](https://reader036.vdocument.in/reader036/viewer/2022063012/5fc9d6310487c725ec11fa39/html5/thumbnails/79.jpg)
References
Thanks to Lucas Ballard for lending some of hisslides for this presentation.
Images on slide 64 are from the Address Space
Layout Permutation project by Jun Xu at North
Carolina State Univ.