Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
DanBoneh
ControlHijacking
BasicControlHijackingAttacks
DanBoneh
Controlhijackingattacks• Attacker’sgoal:
– Takeovertargetmachine(e.g.webserver)• Executearbitrarycodeontargetbyhijackingapplicationcontrolflow
• Examples.– Bufferoverflowattacks– Integeroverflowattacks– Formatstringvulnerabilities
DanBoneh
Example1: bufferoverflows• ExtremelycommonbuginC/C++programs.
– Firstmajorexploit:1988InternetWorm.fingerd.
Source:web.nvd.nist.gov
DanBoneh
Whatisneeded• UnderstandingCfunctions,thestack,andtheheap.• Knowhowsystemcallsaremade• Theexec()systemcall
• AttackerneedstoknowwhichCPUandOSusedonthetargetmachine:
– Ourexamplesareforx86runningLinuxorWindows– DetailsvaryslightlybetweenCPUsandOSs:
• Littleendianvs.bigendian(x86 vs. Motorola)• StackFramestructure(Unixvs.Windows)
DanBoneh
Linuxprocessmemorylayout
unused 0x08048000
runtimeheap
sharedlibraries
userstack
0x40000000
0xC0000000
%esp
brk
Loadedfromexec
0
DanBoneh
exceptionhandlers
StackFrame
arguments
returnaddressstackframepointer
localvariables
SP
StackGrowth
high
lowcallee savedregisters
DanBoneh
Whatarebufferoverflows?void func(char *str) {
char buf[128];
strcpy(buf, str);do-something(buf);
}
Supposeawebservercontainsafunction:
Whenfunc()iscalledstacklookslike:
argument:strreturnaddress
stackframepointer
charbuf[128]
SP
DanBoneh
Whatarebufferoverflows?void func(char *str) {
char buf[128];
strcpy(buf, str);do-something(buf);
}
Whatif*str is136byteslong?Afterstrcpy:
argument:strreturnaddress
stackframepointer
charbuf[128]
SP
*str Problem:nolengthcheckinginstrcpy()
DanBoneh
charbuf[128]
returnaddress
BasicstackexploitSuppose*str issuchthat
afterstrcpy stacklookslike:
ProgramP:exec(“/bin/sh”)
Whenfunc() exits,theusergetsshell!Note:attackcodePrunsinstack.
(exact shell code by Aleph One)
ProgramP
low
high
DanBoneh
TheNOPslideProblem:howdoesattacker
determineret-address?
Solution:NOPslide• Guessapproximatestackstate
whenfunc() iscalled
• InsertmanyNOPsbeforeprogramP:nop ,xor eax,eax ,inc ax
charbuf[128]
returnaddress
NOPSlide
ProgramP
low
high
DanBoneh
Detailsandexamples• Somecomplications:
– ProgramPshouldnotcontainthe‘\0’character.– Overflowshouldnotcrashprogrambeforefunc()exists.
• (in)Famousremote stacksmashingoverflows:– OverflowinWindowsanimatedcursors(ANI).LoadAniIcon()– PastoverflowinSymantecvirusdetection
test.GetPrivateProfileString "file", [long string]
DanBoneh
Manyunsafelibc functionsstrcpy (char*dest,const char*src)strcat (char*dest,const char*src)gets (char*s)scanf (const char*format,…)andmanymore.
• “Safe”libc versionsstrncpy(),strncat()aremisleading– e.g.strncpy()mayleavestringunterminated.
• WindowsCruntime(CRT):– strcpy_s (*dest,DestSize,*src):ensurespropertermination
DanBoneh
Bufferoverflowopportunities• Exceptionhandlers:(WindowsSEHattacks)
– Overwritetheaddressofanexceptionhandlerinstackframe.
• Functionpointers:(e.g.PHP4.0.2,MSMediaPlayer Bitmaps)
– Overflowingbuf willoverridefunctionpointer.
• Longjmp buffers:longjmp(pos)(e.g.Perl5.003)– Overflowingbuf nexttoposoverridesvalueofpos.
Heapor
stackbuf[128] FuncPtr
DanBoneh
Corruptingmethodpointers• Compilergeneratedfunctionpointers(e.g.C++code)
• Afteroverflowofbuf :
ptr
data
ObjectT
FP1FP2FP3
vtable
method#1method#2method#3
ptrbuf[256] data
objectT
vtable
NOPslide
shellcode
DanBoneh
Findingbufferoverflows• Tofindoverflow:
– Runwebserveronlocalmachine– Issuemalformedrequests(endingwith“$$$$$”)
• Manyautomatedtoolsexist(calledfuzzers – nextweek)– Ifwebservercrashes,
searchcoredumpfor“$$$$$”tofindoverflowlocation
• Constructexploit(noteasygivenlatestdefenses)
DanBoneh
ControlHijacking
MoreControlHijackingAttacks
DanBoneh
MoreHijackingOpportunities
• Integeroverflows:(e.g. MS DirectX MIDI Lib)
• Doublefree:doublefreespaceonheap– Cancausememorymgr towritedatatospecificlocation– Examples:CVSserver
• Use after free: using memory after it is freed
• Format string vulnerabilities
DanBoneh
IntegerOverflows(seePhrack 60)Problem:whathappenswhenint exceedsmaxvalue?
int m;(32bits)shorts;(16bits)charc;(8bits)
c=0x80+0x80=128+128 ⇒ c=0
s=0xff80+0x80 ⇒ s=0
m=0xffffff80+0x80 ⇒ m=0
Canthisbeexploited?
DanBoneh
Anexamplevoidfunc(char*buf1,*buf2,unsignedint len1,len2){
char temp[256];if (len1 + len2 > 256) {return -1} // length checkmemcpy(temp, buf1, len1); // cat buffersmemcpy(temp+len1, buf2, len2);do-something(temp); // do stuff
}
Whatiflen1=0x80,len2=0xffffff80?⇒ len1+len2=0
Secondmemcpy()willoverflowheap!!
DanBoneh
0
20
40
60
80
100
120
140
1996 1998 2000 2002 2004 2006Source:NVD/CVE
Integeroverflowexploitstats
DanBoneh
Formatstringbugs
DanBoneh
Formatstringproblemint func(char *user) {fprintf( stderr, user);
}
Problem:whatif*user = “%s%s%s%s%s%s%s” ??– Mostlikelyprogramwillcrash:DoS.– Ifnot,programwillprintmemorycontents.Privacy?– Fullexploitusinguser=“%n”
Correctform: fprintf( stdout, “%s”, user);
DanBoneh
VulnerablefunctionsAnyfunctionusingaformatstring.
Printing:printf,fprintf,sprintf,…vprintf,vfprintf,vsprintf,…
Logging:syslog,err,warn
DanBoneh
Exploit• Dumpingarbitrarymemory:
– Walkupstackuntildesiredpointerisfound.
– printf(“%08x.%08x.%08x.%08x|%s|”)
• Writingtoarbitrarymemory:
– printf(“hello%n”,&temp)-- writes‘6’intotemp.
– printf(“%08x.%08x.%08x.%08x.%n”)
DanBoneh
ControlHijacking
PlatformDefenses
DanBoneh
Preventinghijackingattacks1. Fixbugs:
– Auditsoftware• Automatedtools:Coverity,Prefast/Prefix.
– Rewritesoftwareinatypesafelanguange (Java,ML)• Difficultforexisting(legacy)code…
2. Concedeoverflow,butpreventcodeexecution
3. Addruntimecode todetectoverflowsexploits– Haltprocesswhenoverflowexploitdetected– StackGuard,LibSafe,…
DanBoneh
Markingmemoryasnon-execute(DEP)
Preventattackcodeexecutionbymarkingstackandheapasnon-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott– NXbitineveryPageTableEntry(PTE)
• Deployment:– Linux(viaPaX project);OpenBSD– Windows:sinceXPSP2(DEP)
• VisualStudio:/NXCompat[:NO]
• Limitations:– Someappsneedexecutableheap(e.g.JITs).– Doesnotdefendagainst̀ ReturnOrientedProgramming’exploits
DanBoneh
Examples:DEPcontrolsinWindows
DEPterminatingaprogram
DanBoneh
Attack:ReturnOrientedProgramming(ROP)
• Controlhijackingwithoutexecutingcode
argsret-addr
sfp
local buf
stack
exec()printf()
“/bin/sh”
libc.so
DanBoneh
Response:randomization• ASLR:(AddressSpaceLayoutRandomization)
– Mapsharedlibrariestorandlocationinprocessmemory⇒ Attackercannotjumpdirectlytoexecfunction
– Deployment:(/DynamicBase)• Windows 7: 8bitsofrandomnessforDLLs
– alignedto64Kpageina16MBregion⇒ 256choices• Windows8: 24bitsofrandomnesson64-bitprocessors
• Otherrandomizationmethods:– Sys-callrandomization:randomizesys-callid’s– InstructionSetRandomization(ISR)
DanBoneh
ASLRExampleBooting twice loads libraries into different locations:
Note:everythinginprocessmemorymustberandomizedstack, heap, sharedlibs, baseimage
• Win8ForceASLR:ensuresallloadedmodulesuseASLR
DanBoneh
Moreattacks:JiT sprayingIdea: 1.ForceJavascript JiT tofillheap with
executableshellcode
2.thenpointSFPanywhereinsprayarea
heap
vtable
NOPslide shellcodeexecuteenabledexecuteenabled
executeenabled executeenabled
DanBoneh
ControlHijackingDefenses
Hardeningtheexecutable
DanBoneh
Runtimechecking:StackGuard• Manyrun-timecheckingtechniques…
– weonlydiscussmethodsrelevanttooverflowprotection
• Solution1:StackGuard– Runtimetestsforstackintegrity.– Embed“canaries”instackframesandverifytheirintegritypriortofunctionreturn.
strretsfplocaltopof
stackcanarystrretlocal canaryFrame1Frame2
sfp
DanBoneh
CanaryTypes• Randomcanary:
– Randomstringchosenatprogramstartup.– Insertcanarystringintoeverystackframe.– Verifycanarybeforereturningfromfunction.
• Exitprogramifcanarychanged.TurnspotentialexploitintoDoS.– Tocorrupt,attackermustlearncurrentrandomstring.
• Terminatorcanary: Canary={0,newline,linefeed,EOF}
– Stringfunctionswillnotcopybeyondterminator.– Attackercannotusestringfunctionstocorruptstack.
DanBoneh
StackGuard(Cont.)• StackGuard implementedasaGCCpatch
– Programmustberecompiled
• Minimalperformanceeffects:8%forApache
• Note:Canariesdonotprovidefullprotection– Somestacksmashingattacksleavecanariesunchanged
• Heapprotection:PointGuard– Protectsfunctionpointersandsetjmp buffersbyencryptingthem:
e.g.XORwithrandomcookie– Lesseffective,morenoticeableperformanceeffects
DanBoneh
StackGuard enhancements:ProPolice• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrangestacklayouttopreventptr overflow.
argsretaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
Protectspointerargs andlocalpointersfromabufferoverflow
DanBoneh
MSVisualStudio/GS[since2003]Compiler/GSoption:
– CombinationofProPolice andRandomcanary.– Ifcookiemismatch,defaultbehavioristocall_exit(3)
Functionprolog:subesp,8//allocate8bytesforcookiemov eax,DWORDPTR___security_cookiexor eax,esp //xor cookiewithcurrentespmov DWORDPTR[esp+8],eax //saveinstack
Functionepilog:mov ecx,DWORDPTR[esp+8]xor ecx,espcall@__security_check_cookie@4addesp,8
Enhanced/GSinVisualStudio2010:– /GSprotectionaddedtoallfunctions,unlesscanbeprovenunnecessary
DanBoneh
/GSstackframeargs
retaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
exceptionhandlers
Canaryprotectsret-addr andexceptionhandlerframe
DanBoneh
Evading/GSwithexceptionhandlers• Whenexceptionisthrown,dispatcherwalksupexceptionlist
untilhandlerisfound(elseusedefaulthandler)
highmemnext handlernext handlernext handler
0xffffffff
buf
SEHframeSEHframe
Afteroverflow:handlerpointstoattacker’scodeexceptiontriggered⇒ controlhijack
ptr toattackcode
Mainpoint:exceptionistriggeredbeforecanaryischecked
next
DanBoneh
Defenses:SAFESEHandSEHOP• /SAFESEH:linkerflag
– Linkerproducesabinarywithatableofsafeexceptionhandlers– Systemwillnotjumptoexceptionhandlernotonlist
• /SEHOP:platformdefense(sincewinvistaSP1)– Observation:SEHattackstypicallycorruptthe“next”entryinSEHlist.– SEHOP:addadummyrecordattopofSEHlist– Whenexceptionoccurs,dispatcherwalksuplistandverifiesdummy
recordisthere.Ifnot,terminatesprocess.
DanBoneh
Summary:Canariesarenotfullproof• Canariesareanimportantdefensetool,butdonotpreventall
controlhijackingattacks:
– Heap-basedattacksstillpossible
– Integeroverflowattacksstillpossible
– /GSbyitselfdoesnotpreventExceptionHandlingattacks(alsoneedSAFESEHandSEHOP)
DanBoneh
Whatifcan’trecompile:Libsafe• Solution2:Libsafe (AvayaLabs)
– Dynamicallyloadedlibrary(noneedtorecompileapp.)
– Interceptscallstostrcpy (dest,src)• Validatessufficientspaceincurrentstackframe:
|frame-pointer– dest|>strlen(src)
• Ifso,doesstrcpy. Otherwise,terminatesapplication
destret-addrsfptopof
stacksrc buf ret-addrsfp
Libsafe strcpy main
DanBoneh
HowrobustisLibsafe?
strcpy()canoverwriteapointerbetweenbuf andsfp.
destret-addrsfphigh
memorysrc buf ret-addrsfp
Libsafe strcpy main
lowmemory
DanBoneh
Moremethods…Ø StackShield
§ Atfunctionprologue,copyreturnaddressRET andSFP to“safe”location(beginningofdatasegment)
§ Uponreturn,checkthatRET andSFP isequaltocopy.§ Implementedasassemblerfileprocessor(GCC)
Ø ControlFlowIntegrity (CFI)§ Acombinationofstaticanddynamicchecking
§ Staticallydetermineprogramcontrolflow§ Dynamicallyenforcecontrolflowintegrity
DanBoneh
ControlFlowGuard(CFG)(Windows10)
Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid
functionentrypointsinexecutable
ensurestargetistheentrypointofafunction
DanBoneh
ControlFlowGuard(CFG)(Windows10)
Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid
functionentrypointsinexecutable
ensurestargetistheentrypointofafunction
• Doesnotpreventattackerfromcausingajumptoavalidwrong function
DanBoneh
ControlHijacking
AdvancedHijackingAttacks
DanBoneh
HeapSprayAttacks
Areliablemethodforexploitingheapoverflows
DanBoneh
Heap-basedcontrolhijacking• Compilergeneratedfunctionpointers(e.g.C++code)
• Supposevtable isontheheapnexttoastringobject:
ptr
data
ObjectT
FP1FP2FP3
vtable
method#1method#2method#3
ptrbuf[256] data
objectT
vtable
DanBoneh
Heap-basedcontrolhijacking• Compilergeneratedfunctionpointers(e.g.C++code)
• Afteroverflowofbuf wehave:
ptr
data
ObjectT
FP1FP2FP3vtable
method#1method#2method#3
ptrbuf[256] data
objectT
vtable
shellcode
DanBoneh
Areliableexploit?<SCRIPTlanguage="text/javascript">shellcode =unescape("%u4343%u4343%...");overflow-string =unescape(“%u2332%u4276%...”);
cause-overflow(overflow-string);//overflowbuf[]</SCRIPT>
Problem: attackerdoesnotknowwherebrowserplacesshellcode ontheheap
ptrbuf[256] datashellcodevtable
???
DanBoneh
HeapSpraying[SkyLined 2004]Idea: 1.useJavascript tosprayheap
withshellcode (andNOPslides)
2.thenpointvtable ptr anywhereinsprayarea
heap
vtable
NOPslide shellcode
heapsprayarea
DanBoneh
Javascript heapsprayingvar nop = unescape(“%u9090%u9090”)while (nop.length < 0x100000) nop += nop
var shellcode = unescape("%u4343%u4343%...");
var x = new Array ()for (i=0; i<1000; i++) {
x[i] = nop + shellcode;}
• Pointingfunc-ptr almostanywhereinheapwillcauseshellcode toexecute.
DanBoneh
Vulnerablebufferplacement• Placingvulnerablebuf[256] nexttoobjectO:
– BysequenceofJavascriptallocationsandfreesmakeheaplookasfollows:
– Allocatevuln.bufferinJavascriptandcauseoverflow
– SuccessfullyusedagainstaSafariPCREoverflow[DHM’08]
objectO
freeblocks
heap
DanBoneh
Manyheapsprayexploits
• Improvements:HeapFeng Shui [S’07]
– ReliableheapexploitsonIEwithoutspraying– GivesattackerfullcontrolofIEheapfromJavascript
[RLZ’08]
DanBoneh
(partial) Defenses• Protectheapfunctionpointers(e.g.PointGuard)
• Betterbrowserarchitecture:– StoreJavaScriptstringsinaseparateheapfrombrowserheap
• OpenBSD heapoverflowprotection:
• Nozzle[RLZ’08]:detectspraysbyprevalenceofcodeonheap
non-writablepages
preventscross-pageoverflows
DanBoneh
Referencesonheapspraying[1] HeapFeng Shui inJavascript,
byA.Sotirov,Blackhat Europe2007
[2] EngineeringHeapOverflowExploitswithJavaScriptM.Daniel,J.Honoroff,andC.Miller,WooT 2008
[3] Nozzle:ADefenseAgainstHeap-sprayingCode InjectionAttacks,byP.Ratanaworabhan,B.Livshits,andB.Zorn
[4] InterpreterExploitation:PointerinferenceandJiT spraying,byDionBlazakis
DanBoneh
EndofSegment