Control Flow Hijack Defenses Canaries, DEP, and ASLR

  • View
    23

  • Download
    1

Embed Size (px)

DESCRIPTION

Control Flow Hijack Defenses Canaries, DEP, and ASLR. David Brumley Carnegie Mellon University. Control Flow Hijack: Always control + computation. computation + control. code injection return-to- libc Heap metadata overwrite return-oriented programming. - PowerPoint PPT Presentation

Text of Control Flow Hijack Defenses Canaries, DEP, and ASLR

Control Flow Hijack DefensesCanaries, DEP, and ASLRDavid BrumleyCarnegie Mellon University1Control Flow Hijack: Always control + computationcomputation + control

shellcode (aka payload)padding&buf2code injectionreturn-to-libcHeap metadata overwritereturn-oriented programming...

Same principle,different mechanismControl Flow Hijacks happen when an attacker gains control ofthe instruction pointer.

Two common hijack methods:buffer overflowsformat string attacks

33Control Flow Hijack DefensesBugs are the root cause of hijacks!Find bugs with analysis toolsProve program correctness Mitigation Techniques:CanariesData Execution Prevention/No eXecuteAddress Space Layout Randomization4Proposed Defense ScorecardAspectDefensePerformanceSmaller impact is betterDeploymentCan everyone easily use it?CompatibilityDoesnt break librariesSafety GuaranteeCompletely secure to easy to bypass5* http://blogs.technet.com/b/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations.aspxCanary / Stack Cookies

http://en.wikipedia.org/wiki/File:Domestic_Canary_-_Serinus_canaria.jpg66argvargcreturn addrcallers ebpbuf(64 bytes)argv[1]bufAx68 . \xEF\xBE\xAD\xDE#includeint main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]);}

Dump of assembler code for function main: 0x080483e4 :push %ebp 0x080483e5 :mov %esp,%ebp 0x080483e7 :sub $72,%esp 0x080483ea :mov 12(%ebp),%eax 0x080483ed :mov 4(%eax),%eax 0x080483f0 :mov %eax,4(%esp) 0x080483f4 :lea -64(%ebp),%eax 0x080483f7 :mov %eax,(%esp) 0x080483fa :call 0x8048300 0x080483ff :leave 0x08048400 :ret 7%ebp%esp77argvargcreturn addrcallers ebpbuf(64 bytes)argv[1]buf0xDEADBEEFAAAAAAAA (64 in total)Ax68 . \xEF\xBE\xAD\xDE#includeint main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]);}

Dump of assembler code for function main: 0x080483e4 :push %ebp 0x080483e5 :mov %esp,%ebp 0x080483e7 :sub $72,%esp 0x080483ea :mov 12(%ebp),%eax 0x080483ed :mov 4(%eax),%eax 0x080483f0 :mov %eax,4(%esp) 0x080483f4 :lea -64(%ebp),%eax 0x080483f7 :mov %eax,(%esp) 0x080483fa :call 0x8048300 0x080483ff :leave 0x08048400 :ret 8%ebp%espcorruptedoverwrittenoverwritten88StackGuardIdea:prologue introduces a canary word between return addr and localsepilogue checks canary before function returns

Wrong Canary => Overflow[Cowen etal. 1998]arg 2arg 1return addrcallers ebpcallee-saveCANARYlocals%ebp%esp9return addrcallers ebpCANARYbuf(64 bytes)gcc Stack-Smashing Protector (ProPolice)Dump of assembler code for function main: 0x08048440 :push %ebp 0x08048441 :mov %esp,%ebp 0x08048443 :sub $76,%esp 0x08048446 :mov %gs:20,%eax 0x0804844c :mov %eax,-4(%ebp) 0x0804844f :xor %eax,%eax 0x08048451 :mov 12(%ebp),%eax 0x08048454 :mov 4(%eax),%eax 0x08048457 :mov %eax,4(%esp) 0x0804845b :lea -68(%ebp),%eax 0x0804845e :mov %eax,(%esp) 0x08048461 :call 0x8048350 0x08048466 :mov -4(%ebp),%edx 0x08048469 :xor %gs:20,%edx 0x08048470 :je 0x8048477 0x08048472 :call 0x8048340 0x08048477 :leave 0x08048478 :ret

10Compiled with v4.6.1:gcc -fstack-protector -O1 1010Canary should be HARD to ForgeTerminator Canary4 bytes: 0,CR,LF,-1 (low->high)terminate strcpy(), gets(),

Random Canary4 random bytes chosen at load timestored in a guarded pageneed good randomness1111Canary ScorecardAspectCanaryPerformanceseveral instructions per functiontime: a few percent on averagesize: can optimize away in safe functions (but see MS08-067 *)Deploymentrecompile suffices; no code changeCompatibilityperfectinvisible to outsideSafety Guaranteenot really12* http://blogs.technet.com/b/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations.aspxBypass: Data Pointer SubterfugeOverwrite a data pointer first

int *ptr; char buf[64]; memcpy(buf, user1); *ptr = user2;return addrcallers ebpCANARYptrbuf(64 bytes)13Canary WeaknessCheck does not happen until epiloguefunc ptr subterfugeC++ vtable hijackexception handler hijack

Code Examples:http://msdn.microsoft.com/en-us/library/aa290051(v=vs.71).aspx ProPoliceputs arraysabove otherswhen possibleSafeSEHSEHOPPointGuardstruct is fixed;& what about heap?VS 2003: /GS1414What is Canary?Wikipedia: the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.

1515Data Execution Prevention (DEP) / No eXecute (NX)16How to defeat exploits?computation + control

shellcodepadding&bufCanaryDEP17Data Execution PreventionMark stack asnon-executableusing NX bitshellcodepadding&buf(still a Denial-of-Service attack!)CRASH1818W ^ XEach memory page isexclusively eitherwritable or executable.shellcodepadding&buf(still a Denial-of-Service attack!)CRASH19DEP ScorecardAspectData Execution PreventionPerformancewith hardware support: no impactotherwise: reported to be