• No results found

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014"

Copied!
25
0
0

Loading.... (view fulltext now)

Download now ( 25 Page )

Full text

(1)

The Beast is Resting in Your Memory

On Return-Oriented Programming Attacks and Mitigation Techniques

To appear at USENIX Security & BlackHat USA, 2014

Lucas Davi

Intel CRI-SC, CASED/TU Darmstadt

Joint Work with

Daniel Lehmann, Ahmad-Reza Sadeghi (TU Darmstadt)

Intelligent Things, Vehicles and Factories:

Intel Workshop on Cyberphysical and Mobile Security 2014, Darmstadt, June 11

(2)

Motivation

• Sophisticated, complex

• Created by various of different

developers

• Native Code

Large attack surface for control-flow attacks (runtime attacks)

(3)

Return-Oriented Programming (ROP)

n o r ien ted Pro g ra mm ing r

u t Re

(4)

ROP Attack Technique: Overview

Program Stack

Return Address 2 Value 1

Value 2

Return Address 3

Program Code

REG1: Value 1

Sequence 1

asm_ins RET

Sequence 2

POP REG1 POP REG2

RET

Sequence 3

asm_ins RET

Corrupt Control Structures

...

(5)

ROP Attack History - Selected

ROP without Returns

Checkoway et al. (CCS)

JIT-ROP

Snow et al. IEEE S&P

2011 –

2013 Real-World ROP-based Exploits

(6)

No Code Restrictions

Existing ROP attacks can leverage and jump to any code mapped into the program‘s address space

(7)

Control-Flow Integrity (CFI)

Restricting indirect control-flow targets to a pre-defined control-flow graph

(8)

CFI Label Checking

[Abadi et al., CCS 2005 & TISSEC 2009]

label_A ENTRY asm_ins, … EXIT

BBL A

A

C B

label_B ENTRY asm_ins, … EXIT

BBL B

CFI CHECK EXIT(A) -> label_B ?

(9)

CFI: Benefits and Limitations

Fine-grained protection

Security of CFI

can be „formally“

defined and anaylzed

Requires side information Induces

performance overhead

(10)

“Coarse-Grained CFI”

Making CFI practical for real-world deployment

kBouncer

[USENIX Sec’13]

ROPecker

[NDSS’14] ROPGuard

[Microsoft EMET]

CFI for COTS Binaries

[USENIX Sec’13]

(11)

“Coarse-Grained” CFI Proposals

Last Branch Record (LBR)

Win API /

Critical Function Application

POP PUSH

Stack kBouncer

[USENIX Sec’13]

ROPecker

[NDSS’14]

ROPGuard

[Windows EMET]

HOOK

Paging

HOOK

CFI Wrapper

CFI for COTS Binaries

[USENIX Sec’13]

CCFIR

[IEEE S&P‘13]

(12)

Deployed CFI Policies

(13)

CFI Policy 1: Call-Preceded Sequence

 Fine-Grained CFI

 Returns need to target their original caller (shadow stack)

 Coarse-Grained CFI

 Return instructions are only allowed to target a valid call site, i.e., a call-preceded instruction

Application Function A asm_ins

CALL LIB_function asm_ins

Function B asm_ins

CALL open asm_ins CALL write asm_ins

Library LIB_function asm_ins

...

RET

(14)

CFI Policy 2: Chain of Short Sequences

 Report a ROP attack after N sequences each consisting of less than S instructions

ROP Sequence 1

ROP Sequence 2

ROP Sequence 3

ROP Sequence 4 to (N-1) 3

4

2

<= S

Threshold Setting kBouncer: (N=8; S <= 20) ROPecker: (N=11; S <= 6)

(15)

The claim is that coarse-grained CFI policies are sufficient to thwart real-world and

Turing-complete ROP attacks

(16)

Our Contributions

Systematic security analysis of coarse-grained CFI solutions (kBouncer, ROPecker, ROPGuard/EMET, CFI for COTS)

1

Turing-complete gadget set based on a single and default Windows library (kernel32.dll)

2

Transformation of 2 real-world ROP exploits

3

(17)

Taking the Most Restrictive Setting in Coarse-Grained CFI

CFI Policy kBouncer ROPecker ROPGuard EMET

CFI for COTS Binaries

Combined CFI Policy CFI Policy 1

Call-Preceded Instruction

CFI Policy 2

Chain of Short Sequences

Time of CFI Check WinAPI 2 Pages Sliding Window /

Critical Functions

WinAPI/

Critical Functions

Any Time Any Time

No Restriction CFI Policy

Note that there are also other CFI policies (e.g., for indirect jumps/calls). We have considered these policies in our security analysis, but omit them at this place and

(18)

Our Analysis Methodology and Assumptions

 Assumptions

 Attacker can bypass ASLR, see our JIT-ROP paper [IEEE S&P 2013]

 Attacker has only access to one standard shared Windows library

 Methodology

Common Library kernel32.dll

Sequence Finder (IDA Pro)

Sequence Filter (D Program)

List of Call-

Gadget Generation (manual)

Sequence Sequence MOV ESP LNOP

Provide filters on

Reg, Ins, Opnd, Length Search for Gadgets

LOAD

(19)

(Excerpt of) Turing-Complete Gadget Set in CFI-Protected kernel32.dll

Gadget Type CALL-Preceded Sequence ending in a RET instruction LOAD

Register

EBP := pop ebp

ESI := pop esi; pop ebp EDI := pop edi; leave ECX := pop ecx; leave

EBX := pop edi; pop esi; pop ebx; pop ebp EAX := mov eax,edi; pop edi; leave

EDX := mov eax,[ebp-8]; mov edx,[ebp-4]; pop edi; leave

LOAD/STORE Memory

LD(EAX) := mov eax, [ebp+8]; pop ebp

ST(EAX) := mov [esi],eax; xor eax,eax; pop esi; pop ebp ST(ESI) := mov [ebp-20h],esi

ST(EDI) := mov [ebp-20h],edi

Arithmetic/

Logical

ADD/SUB := sub eax,esi; pop esi; pop ebp

XOR := xor eax,edi; pop edi; pop esi; pop ebp

Branches unconditional branch 1 := leave

unconditional branch 2 := add esp,0Ch; pop ebp

conditional LD(EAX) := neg eax; sbb eax,eax; and eax,[ebp-4]; leave

(20)

Long NOP Gadget

 Purpose

 Bypass behavioral-based heuristics on sequence length

 kBouncer: A sequence of more than 20 instructions after each 7th short sequence

 Challenge

 Longer sequences involve side-effects

 Approach

 Leverage a Long NOP sequence that (1) does not affect many registers and (2) performs many

(21)

New Value

POP esi POP edi POP ebp RET

14 Memory Writes (esi,edi)

3 other instructions POP edi

POP esi

MOV ebx,eax POP ebx

POP ebp RET

ROP Sequence 8 (LNOP) Pre-LNOP (RET 7)

DATA_ADDR (esi) DATA_ADDR (edi)

Pattern (ebp) LNOP (RET 8)

Saved edi Saved esi Saved eax (ebx)

36 Bytes Memory

STORE EAX (RET 6) STORE EDI (RET 5)

POP ESI,EBP (RET 4) EAX_ADDR (esi) STORE ESI (RET 3)

POP EBP (RET 2) ESI_ADDR (ebp) EDI_ADDR (ebp)

ROP Gadget 1 (RET 1)

ROP Gadget 2 (RET 1) DATA_ADDR

(22)

Real-World Exploitation

Adobe Reader 9.1 CVE-2010-0188

MPlayer Lite r33064 m3u Buffer Overflow Exploit

Both detected by Microsoft EMET and

coarse-grained CFI

Exploit Transformation

Common

Library Successful Exploit

Details in Paper

(23)

Recent Independent Work

 Several related attacks have been proposed independently from our work:

 Overcoming Control-Flow Integrity [Göktas et al., IEEE S&P 2014]

 ROP is still dangerous [Carlini et al., USENIX Security 2014]

 Evaluating the Effectiveness of Current Anti-ROP Defenses [Schuster et al., RAID 2014]

 Size Does Matter [Göktas et al., USENIX Security 2014]

-> No details yet published

 Differences

 We show ROP attacks that simultaneously bypass CFI Policy 1 and 2 (return restrictions & behavioral heuristics) independent on when CFI checks are performed

 For the first time, we present a Turing-complete gadget under the presence of combined coarse-grained CFI policy using a single

default 1MB library

(24)

Hardware-Assisted CFI

[Davi et al., DAC 2014]

Application

Static Software- Based

Instrumentation

Hardware-Based CFI Checks Static Analysis Runtime Enforcement

CFIBR label CFIRET label

CFI Label State Application

CFI Wrapper

CALL – Target valid function beginning RET – Target a call site at a currently executing function JMP - Heuristics

(25)

Conclusion and Future Work

 Coarse-Grained CFI policies are too weak

 Realistic ROP attacks are still possible under weak adversarial assumptions

 Ongoing Work

 Fine-Grained HW-based CFI leveraging SW/HW co-design

References

Download now ( PDF - 25 Page - 2.11 MB )

Related documents

Dot-eu Sunrise Validation Services for EURid

“Holders of prior rights recognised or established by national and/or Community law and public bodies shall be eligible to apply to register domain names during a period of

Towards Wearable Cognitive Assistance

CDF of End-to-end Response Time at Glass Device for the NULL Cognitive Engine. End-to-End response time

Enhanced microwave dielectric tunability of Ba0.5Sr0.5TiO3 thin films grown with reduced strain on DyScO3 substrates by three-step technique

Upon post-growth thermal treatment at 1298 K the films grown by the three-step method with the optimized interlayer deposition temperature of 873 K exhibited lower compressive

The Ontario Cancer Registry and its Data Quality. Diane Nishri Senior Research Associate, Surveillance February, 2011

Evaluation of data quality in the cancer registry: Principles and methods part

Using Blogs in EFL Teaching - A Case Study of Macedonia

The main aim of the study, a stated in section 3.1 was to analyze the effectiveness of using Blogs and Blogging, to support learning in an English Language Methodology course,

High School. Course Descriptions. Grades Bellevue Big Picture School. Bellevue High School. Interlake High School. International School

This program provides high school students the opportunity to earn college credit in approved high school courses, when the equivalent course is taught at Bellevue College..

Spartan Speaks - Stouffville District Secondary School

Students will be receiving their recognition certificates on Monday, November 16 (cohort B) and Tuesday, November 17 (cohort A).. Recipients will be called to the school foyer

A bridge to the future European policy for vocational education and training National policy report France

4) The development of new tools in the law on vocational training: the creation of the joint funds for securing professional careers (FPSPP – Fonds paritaire de