I rop interesting rop gadgets-v1.0

SOURCE Boston 2015

• Xiaoning Li (Intel Labs) • Nicholas Carlini (Intel Labs)

iROP: Interesting ROP Gadgets Setting One's Spear Against His Own Shield

About Us: Xiaoning

• Security Researcher and Architect at Intel Labs: DeepSafe, VMFUNC/VE, SGX from Intel Labs • Focused on analyzing/detecting/preventing zero-

day/malware with existing/new processor features

• Bypassed PatchGuard (dissected PatchGuard decoder)

• Presented at CARO 2013, ShmooCon 2014, Black Hat Asia 2014, Black Hat 2014, HackMiami 2014, ToorCon 2014, Threads 2014, CanSecWest 2015

Agenda

Background of Return-Oriented Programming

Branch Transfer Instructions

ROP Defense and Bypass

Valid Gadgets

More Gadgets From WOW64

Return-into-lib(c) and Return-Oriented Programming have been hot topics for many

years and well researched by many excellent researchers.

ROP frequently used in APTs

For example, APSA13-02 PDF zero day

Reported by FireEye in February 2013

Best Client-Side Bug: CVE-2013-0641

Sophisticated ROP only, without shellcode

First public in-the-wild exploit of Adobe Sandbox

Bypassing

ROP Exploits in APTs

Malicious PDF

Acro32 Trigger 1nd

Vul StackPivoting D.T 2 Threads IPC StackPivoting L2P.T L2P.T L2P.T Acro32

Bro

ke

r

Re

ad

er

Sa

nd

bo

xe

d

Re

ad

er

Open PDF file Heap OverflowRun ROP

Stackpivoting

Create and Load

D.T Library

1:Show Error

2: Create L2P.TIPC to trigger 2nd

vul , then quit

Heap OverflowRun ROP via

Stackpivoting Load L2P.T

Create Visaform Turkey.pdf

Create new

sandboxed

process to open

new pdf

New Process

shows Visaform

Turkey.pdf

Create Langbar.dll

And load it

Trigger Point and StackPivoting ROP Gadget

CVE-2013-0640 CVE-2013-0641

APSA13-02 ROP Gadgets

ROP (Return-Oriented Programming) is one way to

reuse oriented code

RET is only one way to reuse code

There are others ways to reuse code JOP (Jump-Oriented Programming)

COP (Call-Oriented Programming)

Reuse-Oriented Programming

Agenda




Valid Gadgets

More Gadgets from WOW64

There are many types of branch transfer instructions

Return Near Return

Far Return

Jump Conditional Jump

Near/Short/Far Jump

Direct/Indirect Jump

Call Near/Far Call

Direct/Indirect Call

Interrupt Return


Near Return A return to a calling procedure within the current code

segment (Intrasegment Return )

Far Return A return to a calling procedure located in a different segment

than the current code segment (Intersegment Return )

Inter-privilege-level far return

A far return to a different privilege level than that of the

currently executing program or procedure

Return

Conditional Jump

Jump: Conditional Jump

Near Jump A jump to an instruction within the current code segment

(Intrasegment Jump)

Short Jump: A near jump where the jump range is limited

to -128 to +127 from the current EIP value

Far Jump A jump to an instruction located in a different segment than

the current code segment but at the same privilege level

(Intersegment Jump)

Jump

Near Call A call to a procedure in the current code segment

(Intrasegment Call)

Far Call A call to a procedure located in a different segment than the

current code segment (Intersegment Call)

Inter-privilege-level Far Call A far call to a procedure in a segment at a different privilege

level than that of the currently executing program or

procedure

Call

IRET

Interrupt Return

Agenda




Valid Gadgets



Winner of the first BlueHat Prize

Uses Last-Branch Recording (LBR)

Call-Preceded Gadgets policy

Long sequence of short gadget

KBouncer

Source: Transparent ROP Exploit Mitigation Using Indirect Branch Tracing

IA32_DEBUGCTL MSR

LBR_SELECT MSR

Last Branch Record Control

MSR_LASTBRANCH_TOS

MSR_LASTBRANCH_X_FROM_IP

MSR_LASTBRANCH_X_TO_IP

For example: Silvermont

MSR_LASTBRANCH_0_FROM_IP (MSR 40H)

MSR_LASTBRANCH_0_TO_IP (MSR 60H)

Haswell

MSR_LASTBRANCH_0_FROM_IP (MSR 680H)

MSR_LASTBRANCH_0_TO_IP (MSR 6C0H)

Last Branch Record Data

Bypass: LBR History Flush

Source:http://nicholas.carlini.com/papers/2014_usenix_ropattacks.pdf

LBR History Flush with COP

VirtualProtect Ret with Eax=0x540e22F2

0x543258D4 0x543258D4 0x543258D4 0x543258D4

… 0x543258D4

VirtualProtect VirtualProtect VirtualProtect VirtualProtect

Use IRET instead of Ret

IRET is recorded only if far branch is enabled (as 0)

If IRET in LBR Flush LBR with multiple IRETs

If IRET not in LBR Use IRET gadgets

LBR History Flush with IRET

LBR History Flush With Call-Preceded Gadget

VirtualProtect Ret with AL=0

0x5419CAAA 0x5419CAAA 0x5419CAAA

… 0x5419CAAA

VirtualProtect …

0x540E22E9 0x540E22E9 0x540E22E9

Ret Misprediction

Indirect Call/JMP Misprediction

Branch Misprediction Approach

Use IRET gadgets

Ind Call -> Gadget->Ret-> … ->Ind Call -> Gadget-

>Ret

Use JOP gadgets

Use mixed COP/JOP/ROP gadgets Ind Call -> Gadget->Ret->Ind JMP

Ind Call -> Ind JMP -> gadgets->Ret

Ret Misprediction Bypass

Ind Call -> Ind JMP -> gadgets->Ret

For example, Gadget1: copy 4 bytes from ECX to

parameter 1

Ret Misprediction Bypass

Preload target address to avoid misprediction

1) Call/JMP -> Function/Code Block

2) Cal/JMP -> Gadgets in Intended Code

Indirect Call/JMP Misprediction Bypass

Control Flow Guard

Source: http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf

Source:http://www.powerofcommunity.net/poc2014/mj0011.pdf

Source:https://www.blackhat.com/us-15/briefings.html#Zhang

Control Flow Branch Label

Bypass Unintended CFILabel-preceded gadgets

Valid Gadgets

Hardware Control Flow Integrity

Source: https://www.tk.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/hardware-assisted-cfi.pdf

Use shadow stack to track return operation

Bypass Refer to “Ret Misprediction Bypass”

Shadow Stack

Source: http://www.cs.berkeley.edu/~daw/papers/shadow-asiaccs15.pdf

Agenda




Valid Gadgets


ROP requires control of the stack When attacker doesn’t, can pivot ESP to point to controlled memory

Unintended instructions often have stackpivoting gadgets

IRET in 64-bit Pops off of the stack EIP, CS, EFLAG, ESP, SS Can not be stopped because semantics of IRET require moving stack pointer

IRET can be used to deliver stackpivoting in 64-bit

StackPivoting

Valid Gadgets: StackPivoting

Valid Gadgets From JIT Engine

Agenda




Valid Gadgets


Windows 32-bit on Windows 64-bit

A subsystem on all 64-bit versions of Windows

capable of running 32-bit applications

Focus on the differences between 32-bit and 64-bit

Windows, such as data structure

Components Wow64.dll

Wow64win.dll

Wow64cpu.dll

WOW64

Wow64.dll The core interface to the Windows NT kernel that translates

between 32-bit and 64-bit calls, including pointer and call-

stack manipulations

Wow64win.dll Provides the appropriate entry points for 32-bit applications

Wow64cpu.dll Switches the processor between 32-bit and 64-bit modes

WOW64 Components

Logical Addr to Linear Addr

Segment Selectors

Segment Descriptor

Code Segment 33 for 64-bit code The L bit is 1 to indicate 64-bit code

Code Segment 23 for 32-bit code The L bit is 0 to indicate compatibility mode

DS: Data Segment

SS: Stack Segment

Additional data segments

ES, FS, GS

64-bit Windows Code Segments

Far JMP is used to transfer from 32-bit code to 64-bit

code

Hooked 32-bit NTDLL code

FS:[0C0h]

X86SwitchTo64BitMode

Switch From 32-bit to 64-bit

Far JMP or IRETQ is used to transfer from 64-bit code

to 32-bit code

Far JMP

IRETQ

Switch From 64-bit to 32-bit

64-bit and 32-bit CS share same address space

Same code binary can be decoded as different

instructions per CPU mode

For example, ntdll!NtTerminateThread

Valid Code Gadget

Compatibility Mode 64-bit Mode

64-bit DLLs are available during 32-bit code running

The processor, when in 32-bit mode, can execute

instructions compiled for 64-bit mode Lots of unintended instructions.

Unintended 32-bit Valid Gadget

ModLoad: 00000000`76d90000 00000000`76f38000 C:\Windows\SYSTEM32\ntdll.dll

ModLoad: 00000000`747c0000 00000000`747ff000 C:\Windows\SYSTEM32\wow64.dll

ModLoad: 00000000`74760000 00000000`747bc000 C:\Windows\SYSTEM32\wow64win.dll

ModLoad: 00000000`74750000 00000000`74758000 C:\Windows\SYSTEM32\wow64cpu.dll

Intended RtlpWow64SetContextOnAmd64 in 64-bit

WOW64CPU.DLL

RtlpWow64SetContextOnAmd64 proc near

mov edx, [r8]

mov byte ptr [r9], 0

mov r9d, 10001h

mov eax, edx

and eax, r9d

cmp eax, r9d

jnz short loc_78B62010

mov eax, [r8+0B4h]

mov [rcx+0B4h], eax

mov eax, [r8+0B8h]

mov dword ptr [rcx+0BCh], 23h

mov [rcx+0B8h], eax

mov eax, [r8+0C0h]

and eax, 3F0DD5h

or eax, 202h

mov [rcx+0C0h], eax

mov eax, [r8+0C4h]

mov [rcx+0C4h], eax

mov eax, [r8+0C8h]

mov [rcx+0C8h], eax

loc_78B62010:

mov r9d, 10002h

mov eax, edx

and eax, r9d

cmp eax, r9d

jnz short loc_78B6206E

mov eax, [r8+9Ch]

mov [rcx+9Ch], eax

mov eax, [r8+0A0h]

mov [rcx+0A0h], eax

mov eax, [r8+0A4h]

mov [rcx+0A4h], eax

mov eax, [r8+0A8h]

mov [rcx+0A8h], eax

mov eax, [r8+0ACh]

mov [rcx+0ACh], eax

mov eax, [r8+0B0h]

mov [rcx+0B0h], eax

loc_78B6206E:

mov r9d, 10020h

mov eax, edx

and eax, r9d

cmp eax, r9d

jnz short loc_78B620E4

movdqu xmm0, xmmword ptr [r8+16Ch]

movdqu xmmword ptr [rcx+16Ch], xmm0







movdqu xmm0, xmmword ptr [r8+1ACh]

movdqu xmmword ptr [rcx+1ACh], xmm0

movdqu xmm1, xmmword ptr [r8+1BCh]

movdqu xmmword ptr [rcx+1BCh], xmm1

loc_78B620E4:

mov [rcx], edx

xor eax, eax

retn

RtlpWow64SetContextOnAmd64 endp

Unintended RtlpWow64SetContextOnAmd64 in 32-bit

WOW64CPU.DLL

RtlpWow64SetContextOnAmd64 proc near

inc ecx

mov edx, [eax]

inc ecx

mov byte ptr [ecx], 0

inc ecx

mov ecx, 10001h

mov eax, edx

inc ecx

and eax, ecx

inc ecx

cmp eax, ecx

jnz short loc_78B71410

inc ecx

mov eax, [eax+0B4h]

mov [ecx+0B4h], eax

inc ecx

mov eax, [eax+0B8h]

mov dword ptr [ecx+0BCh], 23h

mov [ecx+0B8h], eax

inc ecx

mov eax, [eax+0C0h]

and eax, 3F0DD5h

or eax, 202h

mov [ecx+0C0h], eax

inc ecx

mov eax, [eax+0C4h]

mov [ecx+0C4h], eax

inc ecx

mov eax, [eax+0C8h]

mov [ecx+0C8h], eax

loc_78B71410:

inc ecx

mov ecx, 10002h

mov eax, edx

inc ecx

and eax, ecx

inc ecx

cmp eax, ecx

jnz short loc_78B7146E

inc ecx

mov eax, [eax+9Ch]

mov [ecx+9Ch], eax

inc ecx

mov eax, [eax+0A0h]

mov [ecx+0A0h], eax

inc ecx

mov eax, [eax+0A4h]

mov [ecx+0A4h], eax

inc ecx

mov eax, [eax+0A8h]

mov [ecx+0A8h], eax

inc ecx

mov eax, [eax+0ACh]

mov [ecx+0ACh], eax

inc ecx

mov eax, [eax+0B0h]

mov [ecx+0B0h], eax

loc_78B7146E:

inc ecx

mov ecx, 10020h

mov eax, edx

inc ecx

and eax, ecx

inc ecx

cmp eax, ecx

jnz short loc_78B714E4

rep inc ecx

movq mm0, qword ptr [eax+16Ch]

movdqu xmmword ptr [ecx+16Ch], xmm0

rep inc ecx



rep inc ecx



rep inc ecx



rep inc ecx

movq mm0, qword ptr [eax+1ACh]

movdqu xmmword ptr [ecx+1ACh], xmm0

rep inc ecx

movq mm1, qword ptr [eax+1BCh]

movdqu xmmword ptr [ecx+1BCh], xmm1

loc_78B714E4:

mov [ecx], edx

xor eax, eax

retn

RtlpWow64SetContextOnAmd64 endp

WOW64CPU.DLL ~64 functions

WOW64.DLL ~694 functions

WOW64Win.DLL ~1,906 functions

NTDLL.DLL ~3,204 functions

Lots of unintended valid code exists!

Valid Functions

If exploit code turns CPU mode to 64-bit, then how

many valid functions will there be in 32-bit code?

Windows should not share different mode-

sensitive code across different CPU modes!

Even Worse

If exploit code turns CPU mode to 32-bit from native

64-bit, then how many valid functions will there be in

64-bit code?

Windows should not create 32-bit segment for

native 64-bit application?

Even Worse

Potential Solution: Branch Transfer Access Control!

References

The Performance Cost of Shadow Stacks and Stack Canaries. Thurston H.Y. Dang, Petros

Maniatis, David Wagner. ASIACCS 2015

Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in

C++ Applications. Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-

Reza Sadeghi, Thorsten Holz. 36th IEEE Symposium on Security and Privacy (Oakland), May

2015

Exploring Control Flow Guard in Windows 10. Jack Tang. Trend Micro Threat Solution Team, 2015

ROP is Still Dangerous: Breaking Modern Defenses. Nicholas Carlini and David Wagner. 23rd

USENIX Security Symposium, Berkeley 2014

Windows 10 Control Flow Guard Internals. MJ0011, POC 2014

Write Once, Pwn Anywhere. Yu Yang. Blackhat 2014

Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded

Systems Against Software Exploitation. Lucas Davi, Patrick Koeberl, and Ahmad-Reza Sadeghi.

DAC 2014

Transparent ROP Exploit Mitigation Using Indirect Branch Tracing. Vasilis Pappas, Michalis

Polychronakis, and Angelos D. Keromytis. Columbia University, 22nd USENIX Security

Symposium 2013

kBouncer: Efficient and Transparent ROP Mitigation. Vasilis Pappas. Columbia University 2012

Security Breaches as PMU Deviation: Detecting and Identifying Security Attacks Using

Performance Counters. Liwei Yuan, Weichao Xing, Haibo Chen, Binyu Zang. APSYS 2011

Transparent Runtime Shadow Stack: Protection against malicious return address modifications.

Saravanan Sinnadurai, Qin Zhao, and Weng-Fai Wong. 2008

Control-Flow Integrity Principles, Implementations, and Applications. Martín Abadi, Mihai Budiu,

Úlfar Erlingsson, Jay Ligatti. CCS2005

Thank You!

[email protected]

Thanks to Haifei Li, Bing Sun, Chong Xu, and Dan Sommer of McAfee

Labs, and to Rodrigo Branco of Intel