rop is still dangerous: breaking modern defenses nicholas carlini et. al university of california,...
TRANSCRIPT
ROP is Still Dangerous: Breaking Modern Defenses
Nicholas Carlini et. alUniversity of California, Berkeley
USENIX Security 2014Presenter: Yue Li
Part of the slides from N. Carlini
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
Background
Code injection ● Usually exploited in a buffer overrun vulnerability.
● Inject malicious code● Overwrites return address of
a function.● Return address -> malicious
code
Background
Code injection Data Execution Prevention (DEP) ● Security feature in modern
OS● Ensures writable pages in
memory are not executable● Stack is no longer
executable● Code cannot be injected
Background
Code injection Data Execution Prevention (DEP)
Return Oriented Programming (ROP)
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
ROP Attacks
Gadgets !
ROP Attacks
● Perform malicious computation by only controlling the execution flow
● Each gadget performs small computation● Gadget chaining is achieved by influencing
indirect jumps● Need to write appropriate values over the
stack
ROP Attacks
1. eax stores 4a3041202. ebs stores 000324003. eax stores [4a304120] (OV)4. eax stores (OV + 00032400)5. ecx stores 4a3041206. [4a304120] stores (OV +
00032400)
ROP AttacksDefend ROP
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
Attack Primitives
Three building blocks are useful in attacking ROP defenses
1. Call-Preceded ROP2. Evasion Attack3. History Flushing
Call-Preceded ROPCall-Preceded Policy: Normally, every ret will return to an instruction that immediately follows a call
Call-Preceded ROP● The call-preceded policy limit the
choices of gadgets● Only 6% of gadgets are call-
preceded● People believe the call-preceded
policy significantly increases the difficulty of mounting a ROP.
● However, the authors argue it is possible to mount ROP with this policy
● Allow more complex gadgets.● 70KB of binary code
Evasion Attacks
Classification-based defense● Monitoring the runtime behavior of a process● Classify segments of execution as either “gadget” or
“non-gadget”● Length-based classifier (instructions separated by
indirect instructions● Long sequences of short gadgets -> ROP attack
Evasion Attacks
To break classification-based defense
● Using gadgets that look like benign execution● An evasion attack is one that will be classified by the
defense as normal. ● Actually evasion attack allows the attacker to mount a
ROP
History flushing
History inspection defense
● Inspect program at different points throughout its execution
● Limited amount of history● due to performance consideration, usually the
inspection is invoked in certain points (issue a system call)
History flushing
To break History inspection defense
● Fool the defense by hiding ROP attack● Perform ROP when not being watched● Insert effective no-op instructions, stop making progress
when being watched
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
Attack Goal and Threat Model
Attack Goal:● Issue a single syscall● mprotect (Linux) or virtualprotect (windows), making a
page in memory both executable and writable
Threat Model:● Attacker has a known exploit to control the instruction
pointer in the future● Typically it is a stack overflow
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
kBouncer
kBouncer: a scheme that uses indirect branch tracing to detect ROP attacks● Uses the Last Branch Record (LBR) to inspect the last 16 indirect
branches each● Run when a system call is invoked● Low overhead● Check 2 properties
o Call-preceded?o Are 8 most recent gadget-like? (<20 instructions before an indirect
branch)
kBouncerDetected !
kBouncer
History Hiding Attack● Uses history flushing to clear evidence of ROP● 3 steps
o Initial exploitation: normal ROP attack (may not be call-preceded) until a syscall is about to be invoked
o Hide the history: flush the historyo Restore registers and issue the system call
kBouncer
Flush the history● Consists of a short flushing gadget
and a long termination gadget
● Short flushing gadget - satisfy call-proceded requirement
● Repeat short flushing gadget 16 times
● Termination gadget - at least 20 instructions (non-gadget)
kBouncer - Flush History
kBouncer
Restore registers ● Can be achieved with a few gadgets that pop register
values off the stack● Other ways
o Jump Oriented Programming (JOP)o Call Oriented Programming (COP)o etc
kBouncer
What happens if kBouncer keeps the whole execution history? - can still be broken
● Initial phase will use only call-preceded gadget● No flushing gadget is needed● Break up short gadget chains with long termination gadget● 70KB of program will have enough call-preceded calls to finish such a ROP
attack
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
ROPecker
ROPecker is a defense that builds on ideas found in kBouncerWith a few differences● Inspect more frequently● Only a few pages are marked executable at one time● Will be invoked each time a page not in executable set is executed● Syscalls● It looks both history and future to detect attack● Future emulation will stop when there is not a short sequence of instruction
leading to an indirect jumpROPecker: A generic and practical approach for defending against rop attacks. Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H Deng. NDSS, 2014.
ROPecker
Repeated History Hiding Attack● repeatedly invokes the history hiding primitives● 3 phases
o Loading phase: load useful pages into executable seto Attack phase: invokes gadgets on these pageso Flushing phase: mounts the history hiding attack using only gadgets
from these pages
● May need to execute the 3 phases multiple time to achieve the goal
ROPecker
ROPecker
Attack ROPecker is more complicated
● Carefully pick tasks during each step● Flushing and Termination gadgets clober register states● Pick independent operations for each step● Pick pages that contain more gadgets
ROPecker
Evasion Attack
● Let ROPecker inspect at any time● Insert a termination gadget in between every ten useful
gadgets.● Threshold is 11 (past and future)
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
Evaluation● A tool is built to find attacks on real-world exploits● The tool help find gadgets● Enumerate all potential call-preceded gadgets
Evaluation
Modify Real-world Exploits to bypass kBouncer● 4 real-world exploits are modified
o MPlayer Lite r33063 Stack-based buffer overflow, exploited by overwriting SEH pointer
o Adobe Reader 9.3.4o Adobe Flash 11.3.300o Internet Explorer 8
● Half a day to cloak the attacks
Evaluation
Use exploitable version of hteditor source to bypass ROPecker
● Evasion attack● Repeated history hiding attack● execv is issued eventually
Outline
BackgroundROP AttacksAttack PrimitivesAttack Goal and Threat ModelkBouncerROPeckerEvaluationRelated Work and Conclusion
Related Work
● [Goktas, S&P14] discussed the existence of call-preceded ROP and use it to break many existing CFI defenses
● [Davi, Usenix14] and [Goktas, Usenix14] both independently and concurrently discovered
very similar attacks on kBouncer & ROPecker
Conclusion
This paper has presented:● 3 building blocks for ROP attacks● Break state-of-art defenses - kBouncer and ROPecker● Implication
o Do not rely on limited historyo Call-preceded ROP is possibleo Difficult to classify “gadget” and “non-gadget”o Focus on fundamental difference between normal
and ROP execution