Embed Size (px)
Citation preview
DanBoneh
ControlHijacking
ControlHijacking:Defenses
DanBoneh
Recap:controlhijackingattacksStacksmashing:overwritereturnaddressorfunctionpointer
Heapspraying:reliablyexploitaheapoverflow
Useafterfree:attackerwritestofreedcontrolstructure,whichthengetsusedbyvictimprogram
Integeroverflows
Formatstringvulnerabilities
⋮
DanBoneh
Themistake:mixingdataandcontrol• Anancientdesignflaw:
– enablesanyonetoinjectcontrolsignals
• 1971:AT&Tlearnsnevertomixcontrolanddata
DanBoneh
ControlhijackingattacksTheproblem:mixingdatawithcontrolflowinmemory
localvariables SFP ret
addr arguments
stackframedataoverwritesreturnaddress
LaterwewillseethatmixingdataandcodeisalsothereasonforXSS:acommonwebvulnerability
DanBoneh
Preventinghijackingattacks1. Fixbugs:
– Auditsoftware• Automatedtools:Coverity,Prefast/Prefix.
– Rewritesoftwareinatypesafelanguange (Java,ML)• Difficultforexisting(legacy)code…
2. Platformdefenses:preventattackcodeexecution
3. Addruntimecode todetectoverflowsexploits– Haltprocesswhenoverflowexploitdetected– StackGuard,CFI,LibSafe,…
Transform:
CompleteBreach
Denialofservice
DanBoneh
ControlHijacking
PlatformDefenses
DanBoneh
Markingmemoryasnon-execute(DEP)
Preventattackcodeexecutionbymarkingstackandheapasnon-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott– NXbitineveryPageTableEntry(PTE)
• Deployment:– Linux(viaPaX project);OpenBSD– Windows:sinceXPSP2(DEP)
• VisualStudio:/NXCompat[:NO]
• Limitations:– Someappsneedexecutableheap(e.g.JITs).– Canbeeasilybypassed usingReturnOrientedProgramming(ROP)
DanBoneh
Examples:DEPcontrolsinWindows
DEPterminatingaprogram
DanBoneh
Attack:ReturnOrientedProgramming(ROP)
Controlhijackingwithoutinjectingcode:
argsret-addr
sfp
local buf
stack
exec()printf()
“/bin/sh”
libc.so
DanBoneh
ROP:inmoredetailTorun/bin/sh wemustdirectstdin andstdout tothesocket:
dup2(s,0) //mapstdin tosocketdup2(s,1) //mapstdout tosocketexecve("/bin/sh", 0, 0);
Gadgets invictimcode: dup2(s,1)ret
dup2(s,0)ret
execve("/bin/sh") ret
Stack(setbyattacker): overflow-str 0x4084000x4085000x408300
Stackpointermovesuponpop
ret-addr
DanBoneh
ROP:inevenmoredetaildup2(s,0) implementedasasequenceofgadgetsinvictimcode:
Stack(byattacker):
poprdiret
overflow-str 0x408100s0x40820000x408300330x408400
poprsiret
popraxret
syscallret
0x408100 0x408200 0x408300 0x408400
ret-addr (rdi⟵ s) (rsi⟵ 0) (rax⟵ 33)syscall #33
5fc3
5ec3
DanBoneh
Whattodo?? Randomization• ASLR:(AddressSpaceLayoutRandomization)
– Mapsharedlibrariestorandlocationinprocessmemory⇒ Attackercannotjumpdirectlytoexecfunction
– Deployment:(/DynamicBase)• Windows 7: 8bitsofrandomnessforDLLs
– alignedto64Kpageina16MBregion⇒ 256choices• Windows8: 24bitsofrandomnesson64-bitprocessors
• Otherrandomizationmethods:– Sys-callrandomization:randomizesys-callid’s– InstructionSetRandomization(ISR)
DanBoneh
ASLRExampleBooting twice loads libraries into different locations:
Note:everythinginprocessmemorymustberandomizedstack, heap, sharedlibs, baseimage
• Win8ForceASLR:ensuresallloadedmodulesuseASLR
DanBoneh
Averydifferentidea:kBouncer
Observation:abnormalexecutionsequence• ret returnstoanaddressthatdoesnotfollowacall
Idea:beforeasyscall,checkthateverypriorretisnotabnormal• How:useIntel’sLastBranchRecording(LBR)
poprdiret
poprsiret
popraxret
syscallret
kernel
kBouncer
DanBoneh
Averydifferentidea:kBouncer
Inte’s LastBranchRecording(LBR):• store16lastexecutedbranchesinasetofon-chipregisters(MSR)• readusingrdmsr instructionfromprivilegedmode
kBouncer:beforeenteringkernel,verifythatlast16retsarenormal• Requiresnoapp.codechanges,andminimaloverhead• Limitations:attackercanensure16callspriortosyscall arevalid
poprdiret
poprsiret
popraxret
syscallret
kernel
kBouncer
DanBoneh
ControlHijackingDefenses
Hardeningtheexecutable
DanBoneh
Runtimechecking:StackGuard• Manyrun-timecheckingtechniques…
– weonlydiscussmethodsrelevanttooverflowprotection
• Solution1:StackGuard– Runtimetestsforstackintegrity.– Embed“canaries”instackframesandverifytheirintegritypriortofunctionreturn.
strretsfplocaltopof
stackcanarystrretlocal canaryFrame1Frame2
sfp
DanBoneh
CanaryTypes• Randomcanary:
– Randomstringchosenatprogramstartup.– Insertcanarystringintoeverystackframe.– Verifycanarybeforereturningfromfunction.
• Exitprogramifcanarychanged.TurnspotentialexploitintoDoS.– Tocorrupt,attackermustlearncurrentrandomstring.
• Terminatorcanary: Canary={0,newline,linefeed,EOF}
– Stringfunctionswillnotcopybeyondterminator.– Attackercannotusestringfunctionstocorruptstack.
DanBoneh
StackGuard(Cont.)• StackGuard implementedasaGCCpatch
– Programmustberecompiled
• Minimalperformanceeffects:8%forApache
• Note:Canariesdonotprovidefullprotection– Somestacksmashingattacksleavecanariesunchanged
• Heapprotection:PointGuard– Protectsfunctionpointersandsetjmp buffersbyencryptingthem:
e.g.XORwithrandomcookie– Lesseffective,morenoticeableperformanceeffects
DanBoneh
StackGuard enhancements:ProPolice• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrangestacklayouttopreventptr overflow.
argsretaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
Protectspointerargs andlocalpointersfromabufferoverflow
DanBoneh
MSVisualStudio/GS[since2003]Compiler/GSoption:
– CombinationofProPolice andRandomcanary.– Ifcookiemismatch,defaultbehavioristocall_exit(3)
Functionprolog:subesp,8//allocate8bytesforcookiemov eax,DWORDPTR___security_cookiexor eax,esp //xor cookiewithcurrentespmov DWORDPTR[esp+8],eax //saveinstack
Functionepilog:mov ecx,DWORDPTR[esp+8]xor ecx,espcall@__security_check_cookie@4addesp,8
Enhanced/GSinVisualStudio2010:– /GSprotectionaddedtoallfunctions,unlesscanbeprovenunnecessary
DanBoneh
/GSstackframeargs
retaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
exceptionhandlers
Canaryprotectsret-addr andexceptionhandlerframe
DanBoneh
Evading/GSwithexceptionhandlers• Whenexceptionisthrown,dispatcherwalksupexceptionlist
untilhandlerisfound(elseusedefaulthandler)
highmemnext handlernext handlernext handler
0xffffffff
buf
SEHframeSEHframe
Afteroverflow:handlerpointstoattacker’scodeexceptiontriggered⇒ controlhijack
ptr toattackcode
Mainpoint:exceptionistriggeredbeforecanaryischecked
next
DanBoneh
Defenses:SAFESEHandSEHOP• /SAFESEH:linkerflag
– Linkerproducesabinarywithatableofsafeexceptionhandlers– Systemwillnotjumptoexceptionhandlernotonlist
• /SEHOP:platformdefense(sincewinvistaSP1)– Observation:SEHattackstypicallycorruptthe“next”entryinSEHlist.– SEHOP:addadummyrecordattopofSEHlist– Whenexceptionoccurs,dispatcherwalksuplistandverifiesdummy
recordisthere.Ifnot,terminatesprocess.
DanBoneh
Summary:Canariesarenotfullproof• Canariesareanimportantdefensetool,butdonotpreventall
controlhijackingattacks:
– Heap-basedattacksstillpossible
– Integeroverflowattacksstillpossible
– /GSbyitselfdoesnotpreventExceptionHandlingattacks(alsoneedSAFESEHandSEHOP)
DanBoneh
Evenworse:canaryextractionA commondesignforcrashrecovery:• Whenprocesscrashes,restartautomatically(foravailability)• Oftencanaryisunchanged(reason:relaunchusingfork)
Danger:• canaryextraction
bytebybyteretaddrCANARYlocal
buffer⋯
retaddrCANARYlocal
buffer⋯
retaddrCANARYlocal
buffer⋯retaddrCANARYlocal
buffer⋯
A
B
C
CA
crash
crash
Nocrash
Nocrash
DanBoneh
Similarly:extractASLRrandomnessA commondesignforcrashrecovery:• Whenprocesscrashes,restartautomatically(foravailability)• Oftencanaryisunchanged(reason:relaunchusingfork)
Danger:Extractret-addr tode-randomizestacklocationExtractstackfunctionpointerstode-randomizeheap
retaddrCANARYlocal
buffer⋯
retaddrCANARYlocal
buffer⋯
retaddrCANARYlocal
buffer⋯retaddrCANARYlocal
buffer⋯
A
B
C
CA
crash
crash
Nocrash
Nocrash
DanBoneh
Whatifcan’trecompile:Libsafe• Solution2:Libsafe (AvayaLabs)
– Dynamicallyloadedlibrary(noneedtorecompileapp.)
– Interceptscallstostrcpy (dest,src)• Validatessufficientspaceincurrentstackframe:
|frame-pointer– dest|>strlen(src)
• Ifso,doesstrcpy. Otherwise,terminatesapplication
destret-addrsfptopof
stacksrc buf ret-addrsfp
Libsafe strcpy main
DanBoneh
HowrobustisLibsafe?
strcpy()canoverwriteapointerbetweenbuf andsfp.
destret-addrsfphigh
memorysrc buf ret-addrsfp
Libsafe strcpy main
lowmemory
DanBoneh
Moremethods…Ø StackShield
§ Atfunctionprologue,copyreturnaddressRET andSFP to“safe”location(beginningofdatasegment)
§ Uponreturn,checkthatRET andSFP isequaltocopy.§ Implementedasassemblerfileprocessor(GCC)
Ø ControlFlowIntegrity (CFI)§ Acombinationofstaticanddynamicchecking
§ Staticallydetermineprogramcontrolflow§ Dynamicallyenforcecontrolflowintegrity
DanBoneh
Controlflowintegrity(CFI)[ABEL’05,…]UltimateGoal: ensurecontrolflowsasspecifiedbycode’sflowgraph
LotsofacademicresearchonCFIsystems:• CCFIR(2013), kBouncer (2013),FECFI(2014),CSCFI(2015),…andmanyattacks…
void HandshakeHandler(Session *s, char *pkt) {...s->hdlr(s, pkt)
}Compiletime:buildlistofpossiblecalltargets
Runtime:beforecall,checkvalidityofs->hdlr
DanBoneh
ControlFlowGuard(CFG)(Windows10)
Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid
functionentrypointsinexecutable
ensurestargetistheentrypointofafunction
DanBoneh
ControlFlowGuard(CFG)(Windows10)
Poorman’sversionofCFI:• Protectsindirectcallsbycheckingagainstabitmaskofallvalid
functionentrypointsinexecutable
ensurestargetistheentrypointofafunction
• Doesnotpreventattackerfromcausingajumptoavalidwrong function
• Hardtobuildaccuratecontrolflowgraphstatically
DanBoneh
AnexamplevoidHandshakeHandler(Session*s,char*pkt){
s->hdlr =&LoginHandler;...BufferoverflowinSessionstruct...
}
voidLoginHandler(Session*s,char*pkt){boolauth =CheckCredentials(pkt);s->dhandler =&DataHandler;
}
voidDataHandler(Session*s,char*pkt);
Attackercontrolshandler
StaticCFI:attackercancallDataHandler tobypassauthentication
DanBoneh
CryptographicControlFlowIntegrity(CCFI)Threatmodel: attackercanread/writeanywhere inmemory,
programshouldnotdeviatefromitscontrolflowgraph
CCFIapproach:Everytimeajumpaddressiswritten/copiedanywhereinmemory:compute64-bitAES-MACandappendtoaddress
Onheap: tag=AES(k,(jump-address,0ll source-address))onstack: tag=AES(k,(jump-address,1ll stack-frame))
Beforefollowingaddress,verifyMACandcrashifinvalid
Wheretostorekeyk?Inxmm registers(notmemory)
DanBoneh
BacktotheexamplevoidHandshakeHandler(Session*s,char*pkt){
s->hdlr =&LoginHandler;...BufferoverflowinSessionstruct...
}
voidLoginHandler(Session*s,char*pkt){boolauth =CheckCredentials(pkt);s->dhandler =&DataHandler;
}
voidDataHandler(Session*s,char*pkt);
Attackercontrolshandler
CCFI:AttackercannotcreateavalidMACforDataHandler address
DanBoneh
Referencesonheapspraying[1] HeapFeng Shui inJavascript,
byA.Sotirov,Blackhat Europe2007
[2] EngineeringHeapOverflowExploitswithJavaScriptM.Daniel,J.Honoroff,andC.Miller,WooT 2008
[3] Nozzle:ADefenseAgainstHeap-sprayingCode InjectionAttacks,byP.Ratanaworabhan,B.Livshits,andB.Zorn
[4] InterpreterExploitation:PointerinferenceandJiT spraying,byDionBlazakis
DanBoneh
THEEND
