Embed Size (px)
Citation preview
Lecture08– Control-flowHijackingDefenses
StephenCheckowayUniversityofIllinoisatChicago
CS487– Fall2017SlidesadaptedfromMiller,Bailey,andBrumley
ControlFlowHijack:Alwayscontrol+computation
computation +control
shellcode (aka payload) padding &buf
2
• codeinjection• return-to-libc• Heapmetadataoverwrite• return-orientedprogramming• ...
Sameprinciple,differentmechanism
ControlFlowHijacks
…happenwhenanattackergainscontroloftheinstructionpointer.
Twocommonhijackmethods:• bufferoverflows• formatstringattacks
3
ControlFlowHijackDefenses
Bugsaretherootcauseofhijacks!• Findbugswithanalysistools• Proveprogramcorrectness
MitigationTechniques:• Canaries• DataExecutionPrevention/NoeXecute• AddressSpaceLayoutRandomization
4
CANARY/STACKCOOKIES
http://en.wikipedia.org/wiki/File:Domestic_Canary_-_Serinus_canaria.jpg5
…argvargc
return addrcaller’sebp
buf(64 bytes)argv[1]buf
“A”x68.“\xEF\xBE\xAD\xDE”#include<string.h>int main(int argc, char **argv) {
char buf[64];strcpy(buf, argv[1]);
}
Dump of assembler code for function main:0x080483e4 <+0>: push %ebp0x080483e5 <+1>: mov %esp,%ebp0x080483e7 <+3>: sub $72,%esp0x080483ea <+6>: mov 12(%ebp),%eax0x080483ed <+9>: mov 4(%eax),%eax0x080483f0 <+12>: mov %eax,4(%esp)0x080483f4 <+16>: lea -64(%ebp),%eax0x080483f7 <+19>: mov %eax,(%esp)0x080483fa <+22>: call 0x8048300 <strcpy@plt>0x080483ff <+27>: leave 0x08048400 <+28>: ret
6
%ebp
%esp6
…argvargc
return addrcaller’sebp
buf(64 bytes)
argv[1]buf
0xDEADBEEF
AAAA
AAAA
…(6
4into
tal)
“A”x68.“\xEF\xBE\xAD\xDE”#include<string.h>int main(int argc, char **argv) {
char buf[64];strcpy(buf, argv[1]);
}
Dump of assembler code for function main:0x080483e4 <+0>: push %ebp0x080483e5 <+1>: mov %esp,%ebp0x080483e7 <+3>: sub $72,%esp0x080483ea <+6>: mov 12(%ebp),%eax0x080483ed <+9>: mov 4(%eax),%eax0x080483f0 <+12>: mov %eax,4(%esp)0x080483f4 <+16>: lea -64(%ebp),%eax0x080483f7 <+19>: mov %eax,(%esp)0x080483fa <+22>: call 0x8048300 <strcpy@plt>0x080483ff <+27>: leave 0x08048400 <+28>: ret
7
%ebp
%esp
corruptedoverwrittenoverwritten
7
StackGuardIdea:
• prologueintroducesacanaryword betweenreturnaddr andlocals
• epiloguecheckscanarybeforefunctionreturns
WrongCanary=>Overflow
[Cowenetal.1998]
…arg 2arg 1
return addrcaller’sebpcallee-saveCANARY
locals
%ebp
%esp8
return addrcaller’sebpCANARY
buf(64 bytes)
gcc Stack-SmashingProtector(ProPolice)Dump of assembler code for function main:
0x08048440 <+0>: push %ebp0x08048441 <+1>: mov %esp,%ebp0x08048443 <+3>: sub $76,%esp0x08048446 <+6>: mov %gs:20,%eax0x0804844c <+12>: mov %eax,-4(%ebp)0x0804844f <+15>: xor %eax,%eax0x08048451 <+17>: mov 12(%ebp),%eax0x08048454 <+20>: mov 4(%eax),%eax0x08048457 <+23>: mov %eax,4(%esp)0x0804845b <+27>: lea -68(%ebp),%eax0x0804845e <+30>: mov %eax,(%esp)0x08048461 <+33>: call 0x8048350 <strcpy@plt>0x08048466 <+38>: mov -4(%ebp),%edx0x08048469 <+41>: xor %gs:20,%edx0x08048470 <+48>: je 0x8048477 <main+55>0x08048472 <+50>: call 0x8048340 <__stack_chk_fail@plt>0x08048477 <+55>: leave 0x08048478 <+56>: ret
Compiledwithv4.6.1:gcc -fstack-protector -O1 …
9
CanaryshouldbeHARD toForge
• TerminatorCanary– 4bytes:0,CR,LF,-1(low->high)– terminatestrcpy(),gets(),…
• RandomCanary– 4randombyteschosenatloadtime– storedinaguardedpage– needgoodrandomness
10
Ideasfordefeatingstackcanaries?
• Usetargetedwrite,e.g.,formatstring• Overwritedatapointerfirst• Overwritefunctionpointerloadedandusedfromhigherupthestack
• memcpy bufferoverflowwithfixedcanary• Canaryleak
return addrcaller’sebpCANARY
buf(64 bytes)
Bypass:DataPointerSubterfugeOverwriteadatapointerfirst…
int *ptr;char buf[64];memcpy(buf, user1);*ptr = user2;
return addrcaller’sebpCANARY
ptr
buf(64 bytes)
12
Overwritefunctionpointerhigherup
• Overflowbuffertooverwritefunonthestack• Tricky!Compilercanloadfunintoaregisterbeforestrcpy (thiscanhappenwithoptimization)
• Worksbetterwithstructs withfunctionpointers(e.g.,OpenSSL)orC++classes
void contrived(const char *user, void (*fun)(char *)) {char buf[64];strcpy(buf, user);fun(buf);
}
funuser
return addrcaller’sebpCANARY
buf(64 bytes)
memcpy/memmove withfixedcanary
• Fixedcanaryvalueslike000d0aff (0,CR,NL,-1)aredesignedtoterminatestringoperationslikestrcpy andgets
• However,theyaretrivialtobypasswithmemcpy vulnerabilities
CanaryleakI:twovulnerabilities
• Exploitonevulnerabilitytoreadthevalueofthecanary• Exploitasecondtoperformabufferoverflowonthestack,overwritingthecanarywiththecorrectvalue
CanaryleakII:pre-forkservers
• Someserversforkworkerprocessestohandleconnections• Inthemainserverprocess– Establishlisteningsocket– Forkalltheworkers;ifanydie,forkanewone
• Intheworkerprocess(inaloop)– Acceptaconnectiononthelisteningsocket– Processrequest
CanaryleakII:pre-forkservers
• Thisdesigninteractspoorlywithstackcanaries• Sinceeachworkerisforkedfromthemainprocess,itinitiallyhasexactlythesamememorylayoutandcontents,includingstackcanaryvalues!
• Attackercanoftenlearnthecanaryabyteatatimebyoverflowingjustasinglebyteofthecanary,tryingvalues00throughff untilitdoesn’tcrash;thenmoveontothenextbyte
Whatis“Canary”?Wikipedia:“thehistoricpracticeofusingcanariesincoalmines,sincetheywouldbeaffectedbytoxicgasesearlierthantheminers,thusprovidingabiologicalwarningsystem.”
18
DATAEXECUTIONPREVENTION(DEP)/NOEXECUTE (NX)/EXECUTEDISABLED(XD)/EXECUTENEVER(XN)
19
Howtodefeatexploits?
computation +control
shellcode padding &buf
CanaryDEP
20
Memorypermissions
• Set(orclear)abitinapagetableentrytopreventcodefrombeingexecuted
• Enforcedbyhardware:Tryingtofetchaninstructionfromapagemarkedasnon-executablecausesaprocessorfault
DataExecutionPrevention
Markstackasnon-executableusingNXbit
shellcode padding &buf
(stillaDenial-of-Serviceattack!)
CRASH
23
W^X
Eachmemorypageisexclusively either
writableor executable.
shellcode padding &buf
(stillaDenial-of-Serviceattack!)
CRASH
24
Actuallyaprettyoldidea
• MIPSR2000(from1986)hasper-pagereadable,writable,executablebits
• Intel80386(from1985)doesnot.Mappedpagesarealwaysreadableandexecutable
• Intel80286(from1982)introduced16-bit“protectedmode”wherecode,data,andstacksegmentscanbeseparated
• The386hasa32-bit“protectedmode”butmostOSessetcode,data,andstacksegmentstobetheentirevirtualaddressspace
PhysicalAddressExtension
• Inteladdedanextensiontoincreasethesizeofallowablephysicalmemorybeyond4GB
• PAEchangedthepagetableformat,addedathirdleveloftranslation,andaddedtheexecutedisablebit(buttheOShastoenablebothPAEandNXsupport)
• x86-64usesthePAEformatandthussupportsNX
ADDRESSSPACELAYOUTRANDOMIZATION(ASLR)
27
addr ofbuf(0xffffd5d8)
caller’sebpbuf
Shellco
de
0xffffe3f8
0xffffe428
0xffffd5d8
addr ofbuf(0xffffd5d8)
caller’sebpbuf
buf[0]
buf[63]
Shellco
de
0xffffd5d8
AddressSpaceLayout
Randomization
0xffffd618
Oops…28
ASLR
Traditionalexploitsneedpreciseaddresses– stack-basedoverflows: locationofshellcode– return-to-libc: libraryaddresses(we’lltalkaboutthisnexttime)
• Problem:program’smemorylayoutisfixed– stack,heap,librariesetc.
• Solution:randomizeaddressesofeachregion!
29
Imagesource:http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
Runningcat Twice
• Run1
• Run2
31
Bitsofrandomness(32-bitx86)
• DependsontheOS,butroughly– Programcodeanddata:0bits(fixedaddresses)– Heap:13bits(2^13possiblestartlocations)– Stack:19bits(2^19possiblestartlocations)– Libraries:8bits(2^8possiblestartlocations)
• Withposition-independentexecutables(PIE)– Programcodeanddata:8bits– Othersthesame
• 64-bithasmuchmorerandomness
SupportforASLRaddedovertime
• InitiallybythePaX teamforLinux• AllmajorOSessupportitforapplications• KernelASLRnowsupportedbymajorOSes
IsDEP+ASLRapanacea?
• Notreally• Nexttime:DEPbypassviacodereuseattacks• HowcanwebypassASLR?
Imagesource:http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
BypassingASLR
• OlderLinuxwouldletlocalattackersreadthestackstartaddressfrom/proc/<pid>/stat
• Non-PIEbinarieshavefixedcodeanddataaddresses• Eachregionhasarandomoffset,butfixedlayout=>learningasingleaddressinaregiongiveseveryaddressintheregion
• Serversthatre-spawn(evenwithnewrandomization)canbebruteforcedwhennumberofbitsofrandomnessislow
