DanBoneh

ControlHijacking

BasicControlHijackingAttacks

DanBoneh

Controlhijackingattacks• Attacker’sgoal:

– Takeovertargetmachine(e.g.webserver)• Executearbitrarycodeontargetbyhijackingapplicationcontrolflow

• Examples.– Bufferoverflowattacks– Integeroverflowattacks– Formatstringvulnerabilities

DanBoneh

Example1: bufferoverflows• ExtremelycommonbuginC/C++programs.

– Firstmajorexploit:1988InternetWorm.fingerd.

Source:web.nvd.nist.gov

DanBoneh

Whatisneeded• UnderstandingCfunctions,thestack,andtheheap.• Knowhowsystemcallsaremade• Theexec()systemcall

• AttackerneedstoknowwhichCPUandOSusedonthetargetmachine:

– Ourexamplesareforx86runningLinuxorWindows– DetailsvaryslightlybetweenCPUsandOSs:

• Littleendianvs.bigendian(x86 vs. Motorola)• StackFramestructure(Unixvs.Windows)

DanBoneh

Linuxprocessmemorylayout

unused 0x08048000

runtimeheap

sharedlibraries

userstack

0x40000000

0xC0000000

%esp

brk

Loadedfromexec

0

DanBoneh

exceptionhandlers

StackFrame

arguments

returnaddressstackframepointer

localvariables

SP

StackGrowth

high

lowcallee savedregisters

DanBoneh

Whatarebufferoverflows?void func(char *str) {

char buf[128];

strcpy(buf, str);do-something(buf);

}

Supposeawebservercontainsafunction:

Whenfunc()iscalledstacklookslike:

argument:strreturnaddress

stackframepointer

charbuf[128]

SP

DanBoneh

Whatarebufferoverflows?void func(char *str) {

char buf[128];

strcpy(buf, str);do-something(buf);

}

Whatif*str is136byteslong?Afterstrcpy:

argument:strreturnaddress

stackframepointer

charbuf[128]

SP

*str Problem:nolengthcheckinginstrcpy()

DanBoneh

charbuf[128]

returnaddress

BasicstackexploitSuppose*str issuchthat

afterstrcpy stacklookslike:

ProgramP:exec(“/bin/sh”)

Whenfunc() exits,theusergetsshell!Note:attackcodePrunsinstack.

(exact shell code by Aleph One)

ProgramP

low

high

DanBoneh

TheNOPslideProblem:howdoesattacker

determineret-address?

Solution:NOPslide• Guessapproximatestackstate

whenfunc() iscalled

• InsertmanyNOPsbeforeprogramP:nop ,xor eax,eax ,inc ax

charbuf[128]

returnaddress

NOPSlide

ProgramP

low

high

DanBoneh

Detailsandexamples• Somecomplications:

– ProgramPshouldnotcontainthe‘\0’character.– Overflowshouldnotcrashprogrambeforefunc()exists.

• (in)Famousremote stacksmashingoverflows:– OverflowinWindowsanimatedcursors(ANI).LoadAniIcon()– PastoverflowinSymantecvirusdetection

test.GetPrivateProfileString "file", [long string]

DanBoneh

Manyunsafelibc functionsstrcpy (char*dest,const char*src)strcat (char*dest,const char*src)gets (char*s)scanf (const char*format,…)andmanymore.

• “Safe”libc versionsstrncpy(),strncat()aremisleading– e.g.strncpy()mayleavestringunterminated.

• WindowsCruntime(CRT):– strcpy_s (*dest,DestSize,*src):ensurespropertermination

DanBoneh

Bufferoverflowopportunities• Exceptionhandlers:(WindowsSEHattacks)

– Overwritetheaddressofanexceptionhandlerinstackframe.

• Functionpointers:(e.g.PHP4.0.2,MSMediaPlayer Bitmaps)

– Overflowingbuf willoverridefunctionpointer.

• Longjmp buffers:longjmp(pos)(e.g.Perl5.003)– Overflowingbuf nexttoposoverridesvalueofpos.

Heapor

stackbuf[128] FuncPtr

DanBoneh

Corruptingmethodpointers• Compilergeneratedfunctionpointers(e.g.C++code)

• Afteroverflowofbuf :

ptr

data

ObjectT

FP1FP2FP3

vtable

method#1method#2method#3

ptrbuf[256] data

objectT

vtable

NOPslide

shellcode

DanBoneh

Findingbufferoverflows• Tofindoverflow:

– Runwebserveronlocalmachine– Issuemalformedrequests(endingwith“$$$$$”)

• Manyautomatedtoolsexist(calledfuzzers – nextweek)– Ifwebservercrashes,

searchcoredumpfor“$$$$$”tofindoverflowlocation

• Constructexploit(noteasygivenlatestdefenses)

DanBoneh

ControlHijacking

MoreControlHijackingAttacks

DanBoneh

MoreHijackingOpportunities

• Integeroverflows:(e.g. MS DirectX MIDI Lib)

• Doublefree:doublefreespaceonheap– Cancausememorymgr towritedatatospecificlocation– Examples:CVSserver

• Use after free: using memory after it is freed

• Format string vulnerabilities

DanBoneh

IntegerOverflows(seePhrack 60)Problem:whathappenswhenint exceedsmaxvalue?

int m;(32bits)shorts;(16bits)charc;(8bits)

c=0x80+0x80=128+128 ⇒ c=0

s=0xff80+0x80 ⇒ s=0

m=0xffffff80+0x80 ⇒ m=0

Canthisbeexploited?

DanBoneh

Anexamplevoidfunc(char*buf1,*buf2,unsignedint len1,len2){

char temp[256];if (len1 + len2 > 256) {return -1} // length checkmemcpy(temp, buf1, len1); // cat buffersmemcpy(temp+len1, buf2, len2);do-something(temp); // do stuff

}

Whatiflen1=0x80,len2=0xffffff80?⇒ len1+len2=0

Secondmemcpy()willoverflowheap!!

DanBoneh

0

20

40

60

80

100

120

140

1996 1998 2000 2002 2004 2006Source:NVD/CVE

Integeroverflowexploitstats

DanBoneh

Formatstringbugs

DanBoneh

Formatstringproblemint func(char *user) {fprintf( stderr, user);

}

Problem:whatif*user = “%s%s%s%s%s%s%s” ??– Mostlikelyprogramwillcrash:DoS.– Ifnot,programwillprintmemorycontents.Privacy?– Fullexploitusinguser=“%n”

Correctform: fprintf( stdout, “%s”, user);

DanBoneh

VulnerablefunctionsAnyfunctionusingaformatstring.

Printing:printf,fprintf,sprintf,…vprintf,vfprintf,vsprintf,…

Logging:syslog,err,warn

DanBoneh

Exploit• Dumpingarbitrarymemory:

– Walkupstackuntildesiredpointerisfound.

– printf(“%08x.%08x.%08x.%08x|%s|”)

• Writingtoarbitrarymemory:

– printf(“hello%n”,&temp)-- writes‘6’intotemp.

– printf(“%08x.%08x.%08x.%08x.%n”)

DanBoneh

ControlHijacking

PlatformDefenses

DanBoneh

Preventinghijackingattacks1. Fixbugs:

– Auditsoftware• Automatedtools:Coverity,Prefast/Prefix.

– Rewritesoftwareinatypesafelanguange (Java,ML)• Difficultforexisting(legacy)code…

2. Concedeoverflow,butpreventcodeexecution

3. Addruntimecode todetectoverflowsexploits– Haltprocesswhenoverflowexploitdetected– StackGuard,LibSafe,…

DanBoneh

Markingmemoryasnon-execute(DEP)

Preventattackcodeexecutionbymarkingstackandheapasnon-executable

• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott– NXbitineveryPageTableEntry(PTE)

• Deployment:– Linux(viaPaX project);OpenBSD– Windows:sinceXPSP2(DEP)

• VisualStudio:/NXCompat[:NO]

• Limitations:– Someappsneedexecutableheap(e.g.JITs).– Doesnotdefendagainst̀ ReturnOrientedProgramming’exploits

DanBoneh

Examples:DEPcontrolsinWindows

DEPterminatingaprogram

DanBoneh

Attack:ReturnOrientedProgramming(ROP)

• Controlhijackingwithoutexecutingcode

argsret-addr

sfp

local buf

stack

exec()printf()

“/bin/sh”

libc.so

DanBoneh

Response:randomization• ASLR:(AddressSpaceLayoutRandomization)

– Mapsharedlibrariestorandlocationinprocessmemory⇒ Attackercannotjumpdirectlytoexecfunction

– Deployment:(/DynamicBase)• Windows 7: 8bitsofrandomnessforDLLs

– alignedto64Kpageina16MBregion⇒ 256choices• Windows8: 24bitsofrandomnesson64-bitprocessors

• Otherrandomizationmethods:– Sys-callrandomization:randomizesys-callid’s– InstructionSetRandomization(ISR)

DanBoneh

ASLRExampleBooting twice loads libraries into different locations:

Note:everythinginprocessmemorymustberandomizedstack, heap, sharedlibs, baseimage

• Win8ForceASLR:ensuresallloadedmodulesuseASLR

DanBoneh

Moreattacks:JiT sprayingIdea: 1.ForceJavascript JiT tofillheap with

executableshellcode

2.thenpointSFPanywhereinsprayarea

heap

vtable

NOPslide shellcodeexecuteenabledexecuteenabled

executeenabled executeenabled

DanBoneh

ControlHijackingDefenses

Hardeningtheexecutable

DanBoneh

Runtimechecking:StackGuard• Manyrun-timecheckingtechniques…

– weonlydiscussmethodsrelevanttooverflowprotection

• Solution1:StackGuard– Runtimetestsforstackintegrity.– Embed“canaries”instackframesandverifytheirintegritypriortofunctionreturn.

strretsfplocaltopof

stackcanarystrretlocal canaryFrame1Frame2

sfp

DanBoneh

CanaryTypes• Randomcanary:

– Randomstringchosenatprogramstartup.– Insertcanarystringintoeverystackframe.– Verifycanarybeforereturningfromfunction.

• Exitprogramifcanarychanged.TurnspotentialexploitintoDoS.– Tocorrupt,attackermustlearncurrentrandomstring.

• Terminatorcanary: Canary={0,newline,linefeed,EOF}

– Stringfunctionswillnotcopybeyondterminator.– Attackercannotusestringfunctionstocorruptstack.

DanBoneh

StackGuard(Cont.)• StackGuard implementedasaGCCpatch

– Programmustberecompiled

• Minimalperformanceeffects:8%forApache

• Note:Canariesdonotprovidefullprotection– Somestacksmashingattacksleavecanariesunchanged

• Heapprotection:PointGuard– Protectsfunctionpointersandsetjmp buffersbyencryptingthem:

e.g.XORwithrandomcookie– Lesseffective,morenoticeableperformanceeffects

DanBoneh

StackGuard enhancements:ProPolice• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)

– Rearrangestacklayouttopreventptr overflow.

argsretaddrSFP

CANARYlocalstringbuffers

localnon-buffervariablesStackGrowth pointers,butnoarrays

StringGrowth

copyofpointerargs

Protectspointerargs andlocalpointersfromabufferoverflow

DanBoneh

MSVisualStudio/GS[since2003]Compiler/GSoption:

– CombinationofProPolice andRandomcanary.– Ifcookiemismatch,defaultbehavioristocall_exit(3)

Functionprolog:subesp,8//allocate8bytesforcookiemov eax,DWORDPTR___security_cookiexor eax,esp //xor cookiewithcurrentespmov DWORDPTR[esp+8],eax //saveinstack

Functionepilog:mov ecx,DWORDPTR[esp+8]xor ecx,espcall@__security_check_cookie@4addesp,8

Enhanced/GSinVisualStudio2010:– /GSprotectionaddedtoallfunctions,unlesscanbeprovenunnecessary

DanBoneh

/GSstackframeargs

retaddrSFP

CANARYlocalstringbuffers

localnon-buffervariablesStackGrowth pointers,butnoarrays

StringGrowth

copyofpointerargs

exceptionhandlers

Canaryprotectsret-addr andexceptionhandlerframe

DanBoneh

Evading/GSwithexceptionhandlers• Whenexceptionisthrown,dispatcherwalksupexceptionlist

untilhandlerisfound(elseusedefaulthandler)

highmemnext handlernext handlernext handler

0xffffffff

buf

SEHframeSEHframe

Afteroverflow:handlerpointstoattacker’scodeexceptiontriggered⇒ controlhijack

ptr toattackcode

Mainpoint:exceptionistriggeredbeforecanaryischecked

next

DanBoneh

Defenses:SAFESEHandSEHOP• /SAFESEH:linkerflag

– Linkerproducesabinarywithatableofsafeexceptionhandlers– Systemwillnotjumptoexceptionhandlernotonlist

• /SEHOP:platformdefense(sincewinvistaSP1)– Observation:SEHattackstypicallycorruptthe“next”entryinSEHlist.– SEHOP:addadummyrecordattopofSEHlist– Whenexceptionoccurs,dispatcherwalksuplistandverifiesdummy

recordisthere.Ifnot,terminatesprocess.

DanBoneh

Summary:Canariesarenotfullproof• Canariesareanimportantdefensetool,butdonotpreventall

controlhijackingattacks:

– Heap-basedattacksstillpossible

– Integeroverflowattacksstillpossible

– /GSbyitselfdoesnotpreventExceptionHandlingattacks(alsoneedSAFESEHandSEHOP)

DanBoneh

Whatifcan’trecompile:Libsafe• Solution2:Libsafe (AvayaLabs)

– Dynamicallyloadedlibrary(noneedtorecompileapp.)

– Interceptscallstostrcpy (dest,src)• Validatessufficientspaceincurrentstackframe:

|frame-pointer– dest|>strlen(src)

• Ifso,doesstrcpy. Otherwise,terminatesapplication

destret-addrsfptopof

stacksrc buf ret-addrsfp

Libsafe strcpy main

DanBoneh

HowrobustisLibsafe?

strcpy()canoverwriteapointerbetweenbuf andsfp.

destret-addrsfphigh

memorysrc buf ret-addrsfp

Libsafe strcpy main

lowmemory

DanBoneh

Moremethods…Ø StackShield

§ Atfunctionprologue,copyreturnaddressRET andSFP to“safe”location(beginningofdatasegment)

§ Uponreturn,checkthatRET andSFP isequaltocopy.§ Implementedasassemblerfileprocessor(GCC)

Ø ControlFlowIntegrity (CFI)§ Acombinationofstaticanddynamicchecking

§ Staticallydetermineprogramcontrolflow§ Dynamicallyenforcecontrolflowintegrity

DanBoneh

ControlFlowGuard(CFG)(Windows10)

Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid

functionentrypointsinexecutable

ensurestargetistheentrypointofafunction

DanBoneh

ControlFlowGuard(CFG)(Windows10)

Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid

functionentrypointsinexecutable

ensurestargetistheentrypointofafunction

• Doesnotpreventattackerfromcausingajumptoavalidwrong function

DanBoneh

ControlHijacking

AdvancedHijackingAttacks

DanBoneh

HeapSprayAttacks

Areliablemethodforexploitingheapoverflows

DanBoneh

Heap-basedcontrolhijacking• Compilergeneratedfunctionpointers(e.g.C++code)

• Supposevtable isontheheapnexttoastringobject:

ptr

data

ObjectT

FP1FP2FP3

vtable

method#1method#2method#3

ptrbuf[256] data

objectT

vtable

DanBoneh

Heap-basedcontrolhijacking• Compilergeneratedfunctionpointers(e.g.C++code)

• Afteroverflowofbuf wehave:

ptr

data

ObjectT

FP1FP2FP3vtable

method#1method#2method#3

ptrbuf[256] data

objectT

vtable

shellcode

DanBoneh

Areliableexploit?<SCRIPTlanguage="text/javascript">shellcode =unescape("%u4343%u4343%...");overflow-string =unescape(“%u2332%u4276%...”);

cause-overflow(overflow-string);//overflowbuf[]</SCRIPT>

Problem: attackerdoesnotknowwherebrowserplacesshellcode ontheheap

ptrbuf[256] datashellcodevtable

???

DanBoneh

HeapSpraying[SkyLined 2004]Idea: 1.useJavascript tosprayheap

withshellcode (andNOPslides)

2.thenpointvtable ptr anywhereinsprayarea

heap

vtable

NOPslide shellcode

heapsprayarea

DanBoneh

Javascript heapsprayingvar nop = unescape(“%u9090%u9090”)while (nop.length < 0x100000) nop += nop

var shellcode = unescape("%u4343%u4343%...");

var x = new Array ()for (i=0; i<1000; i++) {

x[i] = nop + shellcode;}

• Pointingfunc-ptr almostanywhereinheapwillcauseshellcode toexecute.

DanBoneh

Vulnerablebufferplacement• Placingvulnerablebuf[256] nexttoobjectO:

– BysequenceofJavascriptallocationsandfreesmakeheaplookasfollows:

– Allocatevuln.bufferinJavascriptandcauseoverflow

– SuccessfullyusedagainstaSafariPCREoverflow[DHM’08]

objectO

freeblocks

heap

DanBoneh

Manyheapsprayexploits

• Improvements:HeapFeng Shui [S’07]

– ReliableheapexploitsonIEwithoutspraying– GivesattackerfullcontrolofIEheapfromJavascript

[RLZ’08]

DanBoneh

(partial) Defenses• Protectheapfunctionpointers(e.g.PointGuard)

• Betterbrowserarchitecture:– StoreJavaScriptstringsinaseparateheapfrombrowserheap

• OpenBSD heapoverflowprotection:

• Nozzle[RLZ’08]:detectspraysbyprevalenceofcodeonheap

non-writablepages

preventscross-pageoverflows

DanBoneh

Referencesonheapspraying[1] HeapFeng Shui inJavascript,

byA.Sotirov,Blackhat Europe2007

[2] EngineeringHeapOverflowExploitswithJavaScriptM.Daniel,J.Honoroff,andC.Miller,WooT 2008

[3] Nozzle:ADefenseAgainstHeap-sprayingCode InjectionAttacks,byP.Ratanaworabhan,B.Livshits,andB.Zorn

[4] InterpreterExploitation:PointerinferenceandJiT spraying,byDionBlazakis

DanBoneh

EndofSegment