Presentation is loading. Please wait.

Presentation is loading. Please wait.

2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA Annulling Data Injection Attacks with Return Address Randomization 2006.02.20.

Published byJaylan Branyan Modified over 9 years ago

Similar presentations

Presentation on theme: "2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA Annulling Data Injection Attacks with Return Address Randomization 2006.02.20."— Presentation transcript:

1 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA Annulling Data Injection Attacks with Return Address Randomization 2006.02.20 Researcher: Deokjin Kim Presenter: Cheolsoon Yim High Performance Computing Laboratory, POSTECH, Republic of KOREA

2 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 2/16 Contents  Introduction  Backgrounds  Related Works  Proposed Scheme  Analysis  Conclusion & Future Work

3 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 3/16 Introduction  Buffer overflow vulnerability is one of the today's most serious security problems.  Many attackers are able to take the vulnerability to intrude software systems.  Various defense schemes have been proposed such as Compiler based scheme Dynamically loadable library based scheme Instruction sets randomization based scheme

4 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 4/16 Backgrounds (1/2)  Buffer overflow vulnerability A buffer which does not check the boundary in the program will be overflowed when it is stuffed with more data than it can handle.  Step of a buffer overflow attack 1. Overflowing the vulnerable buffer 2. Redirecting control flow to the position intended by attacker  Classification of buffer overflow attacks 1. Code-injection attack inserts instruction codes(shellcode) and jumping into it. 2. Data-injection attack inserts data(arguments of function) and jumping into shared libraries.

5 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 5/16 buffer frame pointer RA=XXXX buffer frame pointer RA=XXXX Backgrounds (2/2) buffer frame pointer RA=XXXX system(cmd){... } int main(int argc, char *argv[]) { char buffer[20]; strcpy(buffer, argv[1]); return 0; } dummy buffer overflowed RA=YYYY shellcode * : Overflowed region * RA : Return address High Address Low Address NormalCode-injection attackData-injection attack faked RA 1 st argument “/bin/sh\0” buffer overflowed RA=ZZZZ * In standard C library * * Vulnerable program code *

6 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 6/16 Related Works (1/3)  Compiler based scheme Modifies C compiler to interpose a canary word. Ex> StackGuard, StackShield, Propolice, SplitStack Shortcoming  It needs a program source code for recompilation.  The methods of bypassing this scheme are explored. buffer Return Addr. High Address Low Address Stack of a process canary local variable Stack Growth String Growth

7 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 7/16 Related Works (2/3)  Dynamically loadable library based scheme Intercepts the vulnerable functions in the standard C library and uses instead its own safe implementation of the function. Ex> Libsafe Shortcoming  It needs patching dynamic libraries.  It can protect only C library function introduced vulnerabilities. void main() { char buffer[20];... strcpy(buf, input_string);... } char *strcpy(char *dest, const char *src) { // Compute the length of input_string. // Compute the upper bound of size of buf(dest). // Check the bound. // Call original libc’s memcpy().... } void *memcpy(void *dest, const void *src, size_t n) {... } Program code Libsafe library Original libc library

8 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 8/16 Related Works (3/3)  Instruction sets randomization based scheme Performs exclusive-or operation to instruction bytes with random keys. It defends all typical code-injection attacks. It dose not need recompiling and patching a kernel or a protected program. It dose not need a program source code. Ex> RISE/Valgrind, Boch emulator Shortcoming  It can not cover the data-injection attacks.

9 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 9/16 Proposed Scheme (1/5)  Instruction Set Randomization Scheme When loading a binary image, a loader scrambles all instruction codes using a secret randomization key and loads them into memory. When fetching instructions, the instructions are unscrambled and executed correctly. Random key Code from binary file Injected code from network Normally executing SIGILL fault !! In memory = XORing LoadingFetching

10 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 10/16 Proposed Scheme (2/5)  Return Address Randomization Scheme When calling function, CALL instruction scrambles a return address and pushes it into memory. When returning from function, RET instruction pops a return address from memory and unscrambles it. Random key Return address (address of next instruction) Return address in injected code Normally executing SIGSEGV fault !! Stack section in memory = XORing pushed injected popped CALLRET

11 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 11/16 Proposed Scheme (3/5)  We modified CALL, RET micro-instructions. ANI : Address of Next Instruction RANI : Randomized Address of Next Instruction TR: Temporary Register instr.OriginalModified CALL func() 1. push ANI into [%esp] 2. jump to func() 1. Randomize ANI 2. push RANI into [%esp] 3. jump to func() RET1. pop from [%esp] into %eip 2. jump to %eip 1. pop from [%esp] into TR 2. De-randomize TR 3. move TR to %eip 4. jump to %eip

12 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 12/16  A random key is generated by the Linux /dev/urandom device when a program is loaded on the memory. The key is dynamically allocated in the heap region.  We should select a random key so as to avoid infinite loops or unwilling instructions.  We should select a random key which makes the scrambled address of a injected address to lead to a memory access violation. Proposed Scheme (4/5)

13 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 13/16 Proposed Scheme (5/5)  Ex> Excluding this key Intended address: 0x42 Random key: 0xfd, 4a, 00  Scrambled address: 0xbf, 08, 42 Other random keys lead to a memory access violation. (SIGSEGV) # cat /proc/`ps -C hello -o pid=`/maps address perms offset 08048000-08049000 r-xp 00000000 (hello.code) 08049000-0804a000 rw-p 00000000 (hello.data) 40000000-40015000 r-xp 00000000 (loader.code) 40015000-40016000 rw-p 00014000 (loader.data) 42000000-4212e000 r-xp 00000000 (libc.code) 4212e000-42131000 rw-p 0012e000 (libc.data) bfffe000-c0000000 rwxp fffff000 (hello stack) 0x00000000 0x08048000 code static data bss heap shared library stack kernel space 0x42000000 0xffffffff loader 0x40000000 0xc0000000 0xbf000000 x x SIGSEGV [ The memory map of simple process “hello” ]

14 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 14/16 [elitemir@gt40 ~/exercise/ch2]$ rise./vulne `perl -e 'print "ABCD"x7. "\x60\x33\x17\x40"."\xb0\xe7\x15\x40"."\xc3\xfe\xff\xbf";'` ==15566== RISE, for x86-linux. ==15566== buffer is at 0xbffffa60 ==15570== RISE, for x86-linux. ==15570== sh-2.05b$ id ==15571== RISE, for x86-linux. ==15571== uid=1000(elitemir) gid=100(users) groups=100(users),10(wheel),18(audio) ==15571==. [elitemir@gt40 ~/exercise/ch2]$ risara./vulne `perl -e 'print "ABCD"x7. "\x60\x93\x05\x40"."\xb0\x47\x04\x40"."\x61\xfe\xff\xbf";'` ==18794== RISARA, for x86-linux. ==18794== buffer is at 0xbffffa30 Segmentation fault [elitemir@gt40 ~/exercise/ch2]$ [ Output under the RISE : protection failure ] [ Output under the proposed scheme : protection success ] Analysis - Protection against a Data-injection Attack

15 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 15/16 Analysis - Performance  The proposed scheme executes about 1 % more slowly than RISE for the same program.  Though there is 5 times performance penalty due to implement with emulator, this penalty can be removed by implementing with supporting of hardware in the future. Type of operation RISERISARARISARA / RISE Operation of integer 5.891115.900271.00156 19.8848919.895601.00054 47.1403347.388491.00526 92.0918692.120111.00031 159.13206159.229281.00061 Operation of floating-point 2.574422.576821.00093 20.5797520.585291.00027 69.5308769.510460.99971 164.90991164.905820.99998 322.47283322.481551.00003 Operation of I/O 0.496090.533301.07500 1.213741.248441.02859 2.822072.899001.02726 8.334628.573121.02861 18.6788018.782611.00556 Table. Comparison of the Execution Time Per Operation between the RISE and the proposed scheme(RISARA) [ Environment ] Linux kernel 2.4.20 CPU : Xeon 2.66GHz*3 RAM : 2GB

16 2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA 16/16 Conclusion & Future work  Conclusion We proposed a new defense scheme against both code- injection and data-injection attacks through network. It scrambles instruction sets and return addresses using a random key. It implemented without significant extra overheads in comparison with RISE.  Future work We are planning to implement on hardware in the near future for decreasing overheads which incurred because of using the emulator.

Download ppt "2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA Annulling Data Injection Attacks with Return Address Randomization 2006.02.20."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
SE-292: High Performance Computing

SE-292: High Performance Computing
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua

Similar presentations

Ads by Google