Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Dachshund DiggingforandSecuringAgainst(Non-)Blinded
ConstantsinJITCode
NDSSSymposium2017
GiorgiMaisuradze,MichaelBackes,Chris;anRossowCISPA,SaarlandUniversity,Germany
Overview
• CodereuseaGacks
• CodereusewithJITcode
• Constant(non-)blindinginbrowsers
• Defendingnonblindedcases
2
Na;veCode
JavaScript
28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Revisi1ng Code Reuse
Code Reuse A7acks
• Iden;fygadgets/func;ons• Puttheiraddressesonthestack• Usereturninstruc;onstoexecutethem
STACK
SavedRIPSavedRBP
Buffer[256]
args...·········
.text@4048000
libc@f7e0a000
·········
&G1SavedRBP
&cmd&G2
“/bin/bash”
············
intsystem(char*)
poprdi;ret
4GiorgiMaisuradze,NDSSSymposium201728-Feb-17
Code Reuse Defenses
STACK
SavedRIPSavedRBP
Buffer[256]
arg0arg1······
&G1SavedRBP
&cmd&G2
“/bin/bash”
.text@7093000
libc@ff78a000
·········
············
intsystem(char*)
poprdi;ret??????
??????
• Iden;fygadgets/func;ons• Puttheiraddressesonthestack• Usereturninstruc;onstoexecutethem
Defense:• Randomizememorysegments(ASLR)• Randomizecodepages
528-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Code Injec1on A7acks
• Useconstantvaluestocreatecontrolledgadgets
• JITSpraying[WOOT’10]
• SpraycodepageswithNOP-sledfollowedbyashellcode
m=0x90909090; moveax,0x90909090mov[rbp+0x20],eaxJIT
x=0x3c909090^0x3c909090^...0x3c909090;
moveax,0x3c909090xoreax,0x3c909090...xoreax,0x3c909090
JIT
nop,nop,nop,cmpal,0x35nop,nop,nop,cmpal,0x35...nop,nop,nop,cmpal,0x35
628-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Browser Defenses
• ConstantBlinding(Edge,Chrome)• RandomizeimmediatevaluesbyXORingthemwitharandomkey• AddXORinstruc;ontorestoreoriginalvalue• Blindlargeconstants(>2B)
• Weaknesses• Smallconstantsremain[NDSS’15]• Displacementfields[Usenix’16]
moveax,0x3c909090 moveax,0x2511663fxoreax,0x1981f6afCB
728-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Constant Blinding Completeness
Dachshund
Controller
JSFuzzer JITInspector
C=0x123456 C=0x123456
928-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
FN=function(){vara=-1;a^=0x123456;};
eval(“vara=-1;a^=0x123456;”)
OPT
JIT...movrax,0xff..ffxorrax,0x123456...
FOUND0x123456
at0x1A17FE06085
Found Constants
JavaScriptStatementsContainingNonblindedConstants:• Chrome:
• Argumentstobuilt-infunc;ons,ternaryoperators,returnstatements,bitwiseopera;ons,...
• Edge:• ArgumentstoMathlibraryfunc;ons,casesinswitchstatement,arrayindexes,globalvariableaccesses,...
v1=v2^0x12345678;
switch(j){case0x12345678:m++;}
functionfn(){returnMath.trunc(0x12345678);}
1028-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
arr[i]=0x12345678;
v1=b?0x12345678:0x9abcdef0;
return0x12345678;
functionfn(){console.log(0x12345678);}
global=0x12345678;
Origins of Constants
Chrome:• Nonblindedvaluesarecomingfromtheop;mizingcompiler:• condi;onal?:,switch,arithme;c,arrayindexing,globals,...
Edge:• Immediatevaluecaching(bothinbaselineandop;mizer)• Nonblindedvaluesarestoredinaspareregister
m=i^0x12345678;movrax,[rbp+0x20]xorrax,0x12345678
switch(j){case0x12345678:m++;}
movrdx,[rbp+0x20]cmpedx,0x12345678jnzXXX
OPT
OPT
functionfn(){returnMath.trunc(0x12345678);}
movrsi,0x12345678...movr9,rsicallr12OPT
JIT
1128-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Genera1ng Gadgets
RequiredgadgetsforseqngparametersforVirtualProtect:• GoogleChrome50:
• Createthefunc;onfn• Triggerop;mizingcompiler(>1000calls)
• MicrosorEdge25:• Createfunc;onsr8,r9andracdx• Triggerbaselinecompila;onforeachofthem(>50calls)
popr8;ret4158c3popr9;ret4159c3poprcx;ret59c3poprdx;ret5ac3poprax;ret58c3
functionfn(){glob[0]=0xc35841;glob[1]=0xc35941;glob[2]=-0x3ca7a5a7;}
mov[rbx+0x1b],0x00c35841mov[rbx+0x23],0x00c35941mov[rbx+0x2b],0xc3585a59
functionr8(){Math.trunc(0xc35841);}functionr9(){Math.trunc(0xc35941);}functionracdx(){Math.trunc(-0x3ca7a5a7);}
movrsi,0x00c35841movrsi,0x00c35941movrsi,0xc3585a59
1228-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Blinding the Constants
Rewri1ng JavaScript
• Replaceallintegerconstantswithglobalobjects
• Replaceanyotherliteraltypethatcanbeinterpretedasanumber
14
functionfn(){vari=0x1234;}
window._c1234=parseInt(“0x1234”)functionfn(){vari=window._c1234;}
functionfn(){i=“1234”&567;}
functionfn(){i=(“1234”).toString()&567;}
28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Rewri1ng JavaScript
Browser
JavaScriptrewriterisimplementedasaproxyservicebetweenthebrowserandawebserver• RewriteJavaScriptinallpossibleplaces• Hookdynamicfunc;onstorewritenewcodeatrun;me• RewriteJSindynamicallyaddedDOMnodes
Server
JSRewriterProxy
eval(“/*JS*/”)Function(“/*JS*/”)setInterval(“/*JS*/”)...
Hook
<scriptsrc=“lib.js”/>
<script>/*JS*/</script>
<imgonclick=“/*JS*/”/> Rewrite
e.appendChild(...)e.innerHTML=...
Mon
itor
1528-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Evalua1on
Rewri;nggotridofallintegerconstantsfoundbyDachshund 145
101
6351
0
20
40
60
80
100
120
140
160
AngularJS Jquery
REWRITETIM
E(M
S)
Rewri/ngTime
Uncompressed Minified
2649524245
2082018528
0
5000
10000
15000
20000
25000
30000
Chrome Edge
AVER
AGEOCT
ANESCORE
Run/me
Original Proxy
-23% -24%
1628-Feb-17 GiorgiMaisuradze,NDSSSymposium2017
Summary
• JITenginesarevulnerabletocodeinjec;onaGacks
• Modernbrowsersdonotsufficientlydefendagainstthem
• Rewri;ngJavaScriptcangetridofcodeinjec;onviaimmediate
values
Thankyou!28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017 17
28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017 18