
1 ROP is Still Dangerous: Breaking Modern Defenses. Nicholas Carlini et al., University of California, Berkeley. USENIX Security 2014. Presenter: Yue Li. Part of the slides are from N. Carlini.

2 Outline
●Background
●ROP Attacks
●Attack Primitives
●Attack Goal and Threat Model
●kBouncer
●ROPecker
●Evaluation
●Related Work and Conclusion

3 Background - Code injection
●Usually exploits a buffer overrun vulnerability.
●Inject malicious code.
●Overwrite the return address of a function.
●Return address -> malicious code

4 Background - Code injection, Data Execution Prevention (DEP)
●Security feature in modern OSes
●Ensures writable pages in memory are not executable
●Stack is no longer executable
●Code cannot be injected

5 Background
●Code injection
●Data Execution Prevention (DEP)
●Return Oriented Programming (ROP)


7 ROP Attacks Gadgets !

8 ROP Attacks
●Perform malicious computation by only controlling the execution flow
●Each gadget performs a small computation
●Gadget chaining is achieved by influencing indirect jumps
●Need to write appropriate values over the stack

9 ROP Attacks 1.eax stores 4a ebs stores eax stores [4a304120] (OV) 4.eax stores (OV ) 5.ecx stores 4a [4a304120] stores (OV )

10 ROP Attacks Defend ROP


12 Attack Primitives
Three building blocks are useful in attacking ROP defenses:
1. Call-Preceded ROP
2. Evasion Attack
3. History Flushing

13 Call-Preceded ROP
Call-Preceded Policy: normally, every ret returns to an instruction that immediately follows a call.

14 Call-Preceded ROP
●The call-preceded policy limits the choice of gadgets
●Only 6% of gadgets are call-preceded
●People believe the call-preceded policy significantly increases the difficulty of mounting a ROP attack.
●However, the authors argue it is still possible to mount a ROP attack under this policy
●Allow more complex gadgets.
●70KB of binary code is enough

15 Evasion Attacks - Classification-based defense
●Monitors the runtime behavior of a process
●Classifies segments of execution as either "gadget" or "non-gadget"
●Length-based classifier (instruction sequences separated by indirect branches)
●Long sequences of short gadgets -> ROP attack

16 Evasion Attacks - To break a classification-based defense
●Use gadgets that look like benign execution
●An evasion attack is one that the defense classifies as normal.
●An evasion attack still allows the attacker to mount a ROP attack

17 History flushing - History inspection defense
●Inspects the program at different points throughout its execution
●Keeps only a limited amount of history
●For performance reasons, inspection is usually invoked only at certain points (e.g. when a system call is issued)

18 History flushing - To break a history inspection defense
●Fool the defense by hiding the ROP attack
●Perform ROP when not being watched
●Insert effective no-op instructions; stop making progress while being watched


20 Attack Goal and Threat Model
Attack Goal:
●Issue a single syscall
●mprotect (Linux) or VirtualProtect (Windows), making a page in memory both executable and writable
Threat Model:
●Attacker has a known exploit to control the instruction pointer in the future
●Typically it is a stack overflow


22 kBouncer
kBouncer: a scheme that uses indirect branch tracing to detect ROP attacks
●Uses the Last Branch Record (LBR) to inspect the last 16 indirect branches
●Runs when a system call is invoked
●Low overhead
●Checks 2 properties
  o Call-preceded?
  o Are the 8 most recent gadget-like? (fewer than 20 instructions before an indirect branch)

23 kBouncer Detected !

24 kBouncer - History Hiding Attack
●Uses history flushing to clear evidence of ROP
●3 steps
  o Initial exploitation: normal ROP attack (may not be call-preceded) until a syscall is about to be invoked
  o Hide the history: flush the history
  o Restore registers and issue the system call

25 kBouncer - Flush the history
●Consists of a short flushing gadget and a long termination gadget
●Short flushing gadget - satisfies the call-preceded requirement
●Repeat the short flushing gadget 16 times
●Termination gadget - at least 20 instructions (non-gadget)

26 kBouncer - Flush History

27 kBouncer - Restore registers
●Can be achieved with a few gadgets that pop register values off the stack
●Other ways
  o Jump Oriented Programming (JOP)
  o Call Oriented Programming (COP)
  o etc.

28 kBouncer - What happens if kBouncer keeps the whole execution history? It can still be broken
●Initial phase will use only call-preceded gadgets
●No flushing gadget is needed
●Break up short gadget chains with the long termination gadget
●70KB of program code will have enough call-preceded gadgets to finish such a ROP attack
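To make the two kBouncer checks (slide 22), the flushing layout (slides 24-25) and the limited-history point (slide 28) concrete, here is an added simulation of the check over constructed branch traces. It is not kBouncer's code or the paper's tool; the Branch record, the traces and the depth=None variant are assumptions made for illustration, and no real gadget addresses appear.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

GADGET_MAX_INSNS = 20  # fewer instructions than this before a branch => "gadget-like"
CHAIN_LIMIT = 8        # kBouncer flags when the 8 most recent records are all gadget-like
LBR_DEPTH = 16         # the LBR only exposes the last 16 indirect branches

@dataclass(frozen=True)
class Branch:
    kind: str            # "ret", "call" or "jmp"; only rets face the call-preceded check
    call_preceded: bool  # for a ret: does its target immediately follow a call?
    insns: int           # instructions executed since the previous indirect branch

def inspect(history: List[Branch], depth: Optional[int] = LBR_DEPTH) -> Tuple[bool, str]:
    """Apply both kBouncer checks to the history visible at a system call.
    depth=None is a hypothetical defense that keeps the whole history (slide 28)."""
    window = history if depth is None else history[-depth:]
    for b in window:
        if b.kind == "ret" and not b.call_preceded:
            return False, "ret to a non-call-preceded address"
    recent = window[-CHAIN_LIMIT:]
    if len(recent) == CHAIN_LIMIT and all(b.insns < GADGET_MAX_INSNS for b in recent):
        return False, "%d most recent branches are all gadget-like" % CHAIN_LIMIT
    return True, "ok"

# Constructed traces (not taken from any real exploit), each ending at the syscall.
BENIGN = [Branch("call", True, 40), Branch("ret", True, 25)] * 6
NAIVE_ROP = [Branch("ret", False, 3)] * 10
# Layout from the slides: an initial phase that is not call-preceded, 16 short
# call-preceded flushing gadgets, one termination gadget of >= 20 instructions,
# then a few short pop gadgets that restore registers before the syscall.
INITIAL = [Branch("ret", False, 4)] * 6
FLUSH = [Branch("ret", True, 2)] * LBR_DEPTH
TERMINATE = [Branch("ret", True, 30)]
RESTORE = [Branch("ret", True, 2)] * 3
HIDDEN_ROP = INITIAL + FLUSH + TERMINATE + RESTORE

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("naive", NAIVE_ROP), ("hidden", HIDDEN_ROP)]:
        print(name, "LBR window:", inspect(trace), "full history:", inspect(trace, None))
```

With the 16-entry window the hidden trace passes both checks because the termination gadget sits among the 8 most recent records, while the unbounded history still exposes the non-call-preceded initial phase.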


30 ROPecker
ROPecker is a defense that builds on ideas found in kBouncer, with a few differences:
●Inspects more frequently
●Only a few pages are marked executable at one time
●Invoked each time a page not in the executable set is executed
●Invoked on syscalls
●Looks at both history and future to detect attacks
●Future emulation stops when there is no short instruction sequence leading to an indirect jump
ROPecker: A generic and practical approach for defending against ROP attacks. Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. NDSS, 2014.

31 ROPecker - Repeated History Hiding Attack
●Repeatedly invokes the history hiding primitive
●3 phases
  o Loading phase: load useful pages into the executable set
  o Attack phase: invoke gadgets on these pages
  o Flushing phase: mount the history hiding attack using only gadgets from these pages
●May need to execute the 3 phases multiple times to achieve the goal

32 ROPecker

33 Attacking ROPecker is more complicated
●Carefully pick tasks for each step
●Flushing and termination gadgets clobber register state
●Pick independent operations for each step
●Pick pages that contain more gadgets

34 ROPecker - Evasion Attack
●Let ROPecker inspect at any time
●Insert a termination gadget between every ten useful gadgets.
●Threshold is 11 (past and future)


36 Evaluation
●A tool is built to find attacks on real-world exploits
●The tool helps find gadgets
●Enumerates all potential call-preceded gadgets

37 Evaluation - Modify real-world exploits to bypass kBouncer
●4 real-world exploits are modified
  o MPlayer Lite r33063: stack-based buffer overflow, exploited by overwriting the SEH pointer
  o Adobe Reader
  o Adobe Flash
  o Internet Explorer 8
●Half a day to cloak the attacks

38 Evaluation - Use an exploitable version of the hteditor source to bypass ROPecker
●Evasion attack
●Repeated history hiding attack
●execv is issued eventually


40 Related Work
●[Goktas, S&P14] discussed the existence of call-preceded ROP and used it to break many existing CFI defenses
●[Davi, Usenix14] and [Goktas, Usenix14] both independently and concurrently discovered very similar attacks on kBouncer and ROPecker

41 Conclusion
This paper has presented:
●3 building blocks for ROP attacks
●Breaks of state-of-the-art defenses - kBouncer and ROPecker
●Implications
  o Do not rely on limited history
  o Call-preceded ROP is possible
  o It is difficult to classify "gadget" and "non-gadget" execution
  o Focus on the fundamental difference between normal and ROP execution
