Systematic Methods for Memory Error Detection and ...Turn_on_God_Mode(); } + Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014 * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar,

Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks

Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua,

Prateek Saxena, Zhenkai Liang

Department of Computer Science National University of Singapore

Control Attacks are Getting Harder

2

Control Attacks are Getting Harder

3

Memory space

Code

Data

CFG

Control Attacks are Getting Harder • Code injection

4

Memory space

Code

Data

CFG

Control Attacks are Getting Harder • Code injection

5

Memory space

Code

Data Data w/ DEP

Data Execution Prevention

CFG

Control Attacks are Getting Harder • Code injection • Code reuse – return-to-libc – return-oriented programming (ROP)

6

Memory space

Code

Data Data w/ DEP

Data Execution Prevention

CFG

Control Attacks are Getting Harder • Code injection • Code reuse – return-to-libc – return-oriented programming (ROP)

7

Memory space

Code

Data Data w/ DEP

Data Execution Prevention Control Flow Integrity

CFG w/ CFI

A New Attack Class • Assume: conform to CFI & DEP

8

Memory space

Code

Data w/ DEP

CFG w/ CFI

A New Attack Class • Assume: conform to CFI & DEP • Attackers’ capability on arbitrary vul. programs?

9

Memory space

Code

Data w/ DEP

CFG

Nothing Turing-complete Specific computation

w/ CFI

Non-Control Data Attacks

10

• Corrupt/leak several bytes of security-critical data


11

• Corrupt/leak several bytes of security-critical data //set root privilege *

seteuid(0);

......

//set normal user privilege

seteuid(pw->pw_uid);

//execute user’s command

//offset depends on IE version +

safemode = *(DWORD *)

(jsobj + offset);

if(safemode & 0xB == 0) {

Turn_on_God_Mode();

}

+ Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014

* Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX 2005.


12

• Special cases relying on particular data/functions – user id, safemode, private key, etc – interpreter – printf() (with “%n”), etc

//set root privilege *

seteuid(0);

......

//set normal user privilege

seteuid(pw->pw_uid);

//execute user’s command

//offset depends on IE version +

safemode = *(DWORD *)

(jsobj + offset);

if(safemode & 0xB == 0) {

Turn_on_God_Mode();

}

+ Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014

* Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX 2005.

• Corrupt/leak several bytes of security-critical data

Nothing Turing-complete Specific computation

Contributions

13

• Non-control data attacks can be Turing-complete

Contributions

14


• Data-Oriented Programming (DOP) – build expressive non-control data attacks – independent of any specific data / functions

Contributions

15


• Data-Oriented Programming (DOP) – build expressive non-control data attacks – independent of any specific data / functions

• DOP builds attacks on real-world programs – bypass ASLR w/o address leakage – simulate a network bot – enable code injection

1 struct server{int *cur_max, total, typ;} *srv;

2 int quota = MAXCONN; int *size, *type;

3 char buf[MAXLEN];

4 size = &buf[8]; type = &buf[12]

5 ...

6 while (quota--) {

7 readData(sockfd, buf); // stack bof

8 if(*type == NONE ) break;

9 if(*type == STREAM)

10 *size = *(srv->cur_max);

11 else {

12 srv->typ = *type;

13 srv->total += *size;

14 } //...(following code skipped)...

15 }

Motivating Example

16

Vulnerable Program



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

17

Vulnerable Program



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

18

Vulnerable Program



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

19

1 struct Obj {struct Obj *next; int prop;}

2

3 void updateList(struct Obj *list, int addend){

4 for(; list != NULL; list = list->next)

5 list->prop += addend;

6 }

Vulnerable Program

Malicious Computation



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

20


2




6 }

Vulnerable Program


CFG w/ CFI

6

7

8

9

10 12

13 14



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

21


2




6 }

Vulnerable Program


CFG w/ CFI

6

7

8

9

10 12

13 14



3 char buf[MAXLEN];


5 ...

6 while (quota--) {





11 else {




15 }

Motivating Example

22


2




6 }

Vulnerable Program


CFG w/ CFI

6

7

8

9

10 12

13 14



6 while (quota--) {

7 readData(sockfd, buf);




11 else {



14 }

15 }

Motivating Example (cont.)

23

? simulate vulnerable program

malicious computation



stack srv quota size type buf[]

cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


24

Memory space






cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


25

Memory space



next prop next prop

list addend

heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


26

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


27

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


28

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


29

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


30

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


31

Memory space

next prop next prop

list addend

cur_ max total typ



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


32

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


33

Memory space

next prop next prop

list addend

?

cur_ max total typ

simulate vulnerable program


heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


34

Memory space

next prop next prop

list addend

?

cur_ max total typ

simulate vulnerable program


heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


35

Memory space

next prop next prop

list addend



heap




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


36

Memory space

next prop next prop

list addend



heap

STREAM




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


37

Memory space

next prop next prop

list addend



heap

STREAM




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


38

Memory space

next prop next prop

list addend



heap

STREAM




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


39

Memory space

next prop next prop

list addend



heap

STREAM

cur_ max cur_ max total typ




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


40

Memory space

next prop next prop

list addend



heap

STREAM




cur_ max total typ

6 while (quota--) {





11 else {



14 }

15 }


41

Memory space

next prop next prop

list addend STREAM

9 simulate vulnerable program


heap

Data-Oriented Programming

A Generic Technique

42

• General construction – w/o dependency on specific data / functions

Data-Oriented Programming (DOP)

43


• Expressive attacks – towards Turing-complete computation


44


• Expressive attacks – towards Turing-complete computation

• Elements – data-oriented gadgets – gadget dispatchers


45

Data-Oriented Gadgets • x86 instruction sequence – show in normal execution (CFI)

46

CFG 6

7

8

9

10 12

13 14

Data-Oriented Gadgets • x86 instruction sequence – show in normal execution (CFI)

Addition: srv->total += *size;

1 mov (%esi), %ebx //load micro-op

2 mov (%edi), %eax //load micro-op

3 add %ebx, %eax //addition

4 mov %eax, (%edi) //store micro-op

47

CFG 6

7

8

9

10 12

13 14

Data-Oriented Gadgets • x86 instruction sequence – show in normal execution (CFI) – save results in memory – load micro-op --> semantics

micro-op --> store micro-op Addition: srv->total += *size;





48

CFG 6

7

8

9

10 12

13 14







49

CFG 6

7

8

9

10 12

13 14

Memory space







Load: *size = *(srv ->cur_max);



3 mov 0xb(%ebx), %eax //load

4 mov %eax, (%edx) //store micro-op 50

CFG 6

7

8

9

10 12

13 14

Memory space







Load: *size = *(srv ->cur_max);



3 mov 0xb(%ebx), %eax //load

4 mov %eax, (%edx) //store micro-op 51

CFG 6

7

8

9

10 12

13 14

Memory space

Gadget Dispatcher round1

round2

round3

roundN ……

corruptible by mem-err

52

loop selector

Gadget Dispatcher round1

round2

round3

roundN ……


53

loop selector

• Chain data-oriented gadgets “legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets

Gadget Dispatcher


round1

round2

round3

roundN ……


54

loop selector

1 2 3 4

Gadget Dispatcher


round1

round2

round3

roundN ……


55

loop selector

1 2 3

5 6

4

7

Gadget Dispatcher


round1

round2

round3

roundN ……


56

loop selector

1 2 3

5 6

4

7

1 2 3 4

Gadget Dispatcher


round1

round2

round3

roundN ……


57

loop selector

1 2 3

5 6

4

7

1 2 3 4

Gadget Dispatcher


round1

round2

round3

roundN ……


58

loop selector

6 while (quota--) {



9 if(*type == STREAM) *size = *(srv->cur_max);

10 else{ srv->typ = *type; srv->total += *size; }

14 }

// loop // selector

1 2 3

5 6

4

7

1 2 3 4

Turing-completeness • DOP emulates a minimal language MINDOP – MINDOP is Turing-complete

59

Semantics Statements In C

Data-Oriented Gadgets in DOP

arithmetic / logical a op b *p op *q assignment a = b *p = *q load a = *b *p = **q store *a = b **p = *q jump goto L vpc = &input conditional jump if (a) goto L vpc = &input if *p

p – &a; q – &b; op – any arithmetic / logical operation

Attack Construction

60

6 while (quota--) {





11 else {



14 } //...(code skipped)...

15 }

Attack Construction

• Gadget identification – statically identify load-semantics-store chain from LLVM IR

61

6 while (quota--) {





11 else {




15 }

Attack Construction


• Dispatcher identification – static identify loops with gadgets from LLVM IR

62

6 while (quota--) {





11 else {




15 }

Attack Construction


• Dispatcher identification – static identify loops with gadgets from LLVM IR

• Gadget stitching – select gadgets and dispatchers (manual) – check stitchability (manual) 63

6 while (quota--) {





11 else {




15 }

Evaluation

64

Evaluation – Feasibility 9 x86 programs with 9 vulnerabilities – Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, – Wireshark, sudo, musl libc, mcrypt

65


• x86 Gadgets – 7518 in total, 1273 reachable via selected CVEs – 8 programs can simulate all MINDOP operations

• x86 Dispatchers – 1443 in total, 110 reachable from selected CVEs

66


• x86 Gadgets – 7518 in total, 1273 reachable via selected CVEs – 8 programs can simulate all MINDOP operations

• x86 Dispatchers – 1443 in total, 110 reachable from selected CVEs

• 2 programs can build Turing-complete attack • 3 end-to-end attacks

67

Case Study: Bypassing Randomization • Previous methods – information leakage to network

• Defeat ASLR w/o address leakage to network?

68


• Defeat ASLR w/o address leakage to network? • Vulnerable ProFTPD – use OpenSSL for authentication – a dereference chain to the private key

69


• Defeat ASLR w/o address leakage to network? • Vulnerable ProFTPD – use OpenSSL for authentication – a dereference chain to the private key

Private Key

BN_ULONG * d2 BIGNUM * d1

struct rsa_st * rsa

EVP_PKEY*privatekey CERT_PKEY * key

struct cert_st * cert

@0x080dbc28 SSL_CTX * ssl_ctx

70

Case Study: Bypassing Randomization • Gadgets

Private Key


struct rsa_st * rsa




MOV ADD LOAD

*p = *q *X = *X + offset *Z = **Y

71

Case Study: Bypassing Randomization • Gadgets • Dispatcher

Private Key


struct rsa_st * rsa




MOV ADD LOAD

*p = *q *X = *X + offset *Z = **Y

while (1) {

user_request =

get_user_request();

dispatch(user_request);

}

func1() { memory_error; MOV;}

func2() { ADD; }

func3() { LOAD; }

72

Case Study: Bypassing Randomization

Private Key


struct rsa_st * rsa




MOV ADD MOV LOAD MOV

*X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z (cert)

73


Private Key


struct rsa_st * rsa






74

ssl_ctx

@0x080dbc28

cert


Private Key


struct rsa_st * rsa




75

d2

@0x080dbc28




Private Key


struct rsa_st * rsa




76

d2

@0x080dbc28

write(outsock, buf, strlen(buf));

buf




Private Key


struct rsa_st * rsa




77

d2

@0x080dbc28


buf




Private Key


struct rsa_st * rsa




78

d2

@0x080dbc28


buf



leak private key to network

dlopen() – Dynamic Linking Interface • Load the dynamic library into memory space – resolve symbols based on binary metadata – patch program due to relocation – like LoadLibrary() on Windows

79


• Dynamic loader can do arbitrary computation*

80 * R. Shapiro, S. Bratus, and S. W. Smith, ““Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata,” in WOOT 2013.

exec() sysexec ld.so bin

libc.so

RTLD_ START()

_start()

bin ld.so libc.so file access before run


• Dynamic loader can do arbitrary computation*

• The same to dlopen()

81 * R. Shapiro, S. Bratus, and S. W. Smith, ““Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata,” in WOOT 2013.

exec() sysexec ld.so bin

libc.so

RTLD_ START()

_start()

bin ld.so libc.so file access before run

• Attacks with dlopen

82

dlopen() { } head …… dynamic library list link_map

Case Study: Simulating A Network Bot

• Attacks with dlopen – send malicious payload

ProFTPD’s memory Malicious payload

83



• Attacks with dlopen – send malicious payload – corrupt link list & call dlopen


84





85


invalid input




86


invalid input no call to dlopen




87


• dlopen allows arbitrary computation – send malicious payload – corrupt link list & call dlopen

• DOP attack addresses the problems invalid input no call to dlopen



88



• DOP attack addresses the problems – construct payload in memory invalid input

no call to dlopen

(1) Payload prepare

MOV MOV



89



• DOP attack addresses the problems – construct payload in memory invalid input

no call to dlopen

(1) Payload prepare

MOV MOV

if (flag) { }



90



• DOP attack addresses the problems – construct payload in memory – force call to dlopen


(1) Payload prepare

MOV MOV

if (flag) { }



91

(2) Trigger MOV

STORE





(1) Payload prepare

MOV MOV

if (flag) { }



92

(2) Trigger MOV

STORE

> 700 requests





(1) Payload prepare

MOV MOV

Case Study: Altering Memory Permissions • Defenses based on memory permissions – DEP: non-writable code – CFI: non-writable jump tags

93


• dlopen(): relocation – change any page permission to writable – update page content – change the permission back

94



• DOP attacks – dlopen(code_addr, shellcode)

95



• DOP attacks – dlopen(code_addr, shellcode)

• Code injection is back! 96

Related Work

97

Techniques Turing Complete?

Preserve CFI?

Independent of specific

data / funcs?

Non-control Data Attacks (Chen et al. 2005) 9 COOP (Schuster et al. 2015) 9 9 FlowStitch (Hu et al. 2015) 9 Printf-Oriented Programming (Carlini et al. 2015) 9 9 Control Jujustu (Evans et al. 2015) 9 Data-Oriented Programming 9 9 9

Potential Defenses • Memory Safety – e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002) ,

SoftBounds+CETS (Nagarakatte et al. 2009, 2010)

– high performance overhead (> 100%)

• Data-flow Integrity – e.g, DFI (Castro et al. 2006) , kernel DFI (Song et al. 2016)

• Fined-grained randomization in data space – e.g., DSR (Bhatkar et al. 2008)

• Hardware & software fault isolation – e.g., HDFI (Song et al. 2016) , MPX

98

Potential Defenses • Memory Safety – e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002) ,

SoftBounds+CETS (Nagarakatte et al. 2009, 2010)

– high performance overhead (> 100%)

• Data-flow Integrity – e.g, DFI (Castro et al. 2006) , kernel DFI (Song et al. 2016)

• Fined-grained randomization in data space – e.g., DSR (Bhatkar et al. 2008)

• Hardware & software fault isolation – e.g., HDFI (Song et al. 2016) , MPX

99 No practical defenses yet !

Conclusion

100


Conclusion

101


• Data-Oriented Programming (DOP) – build expressive non-control data attacks – independent of specific data / functions

Conclusion

102


• Data-Oriented Programming (DOP) – build expressive non-control data attacks – independent of specific data / functions

• In real-world programs, DOP can build attacks – bypass ASLR w/o address leakage – simulate a network bot – enable code injection

Thanks!

Hong Hu [email protected]

http://www.comp.nus.edu.sg/~huhong

Non-control data attacks are available http://huhong-nus.github.io/advanced-DOP/

http://www.comp.nus.edu.sg/~huhong

http://huhong-nus.github.io/advanced-DOP/





Documents

Systematic Methods for Memory Error Detection and ...Turn_on_God_Mode(); } + Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014 * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar,