Presentation is loading. Please wait.

Presentation is loading. Please wait.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Published byAlexia Bridges Modified over 8 years ago

Similar presentations

Presentation on theme: "Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer."— Presentation transcript:

1 Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer Science State University of New York at Binghamton Presented at the 39 th International Symposium on Computer Architecture (ISCA), June 11 th 2012

2 Attack Classification from NIST Database *2009 – 2010 CVE Records (Vulnerability level 8 – 10) ISCA 20122 48%

3 Buffer Overflow and Code Injection Attack: Example main (int argc, char **argv) {... vulnerable(argv[1]);... } vulnerable(char *str1) { char str2[100]; strcpy(str2,str1); return; } 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() return address str2 malicious input (str2) xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return ISCA 20123

4 Existing Protection from Code Injection Attacks: No Execute Bit (NX) 0x0000 0xFFFF WRITABLE NOT EXECUTABLE xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return Mark memory pages as –Either WRITABLE –Or EXECUTABLE –But not both Standard technique in current processors and operating systems –Intel XD bit –AMD XN bit –Windows DEP –Linux PaX ISCA 20124 Stack growth

5 Next Frontier: Code Reuse Attacks (CRAs) Key Idea: Reuse existing library code instead of code injection CRA timeline –Return-into-libc attack (1997) –Return Oriented Programming (2007) –Jump Oriented Programming (2010) All bypass NX ISCA 20125

6 Return Oriented Programming (ROP) 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return xor ecx, ecx ret lea ebx, [esp+8] ret mov al, 11 int 0x80 mul ecx ret ISCA 20126 Page marked as EXECUTABLE

7 Protecting Against ROP: Secure Call Stack Semantics of return instruction – ret expects an address pushed by a call Keep a copy of return addresses in a separate memory space –Secured by OS/Hardware On each return: –Compare two copies of the return addresses –Generate exception if they mismatch Citations to these works are in the paper ISCA 20127

8 Example of a Secure Call Stack main (int argc, char **argv) {... vulnerable(argv[1]);... } vulnerable(char *str1) { char str2[100]; strcpy(str2,str1); return; } 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() return address str2 malicious input return addressmalicious return ≠ ISCA 20128

9 Defeating Secure Call Stacks Initiating an attack –Overwrite a function pointer, –Overwrite a longjmp buffer, –Exploit a format string vulnerability Performing an attack –Use indirect jumps instead of returns Jump Oriented Programming Need a special gadget to orchestrate control ISCA 20129

10 Jump Oriented Programming 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return pop edi jmp edi lea ebx, [esp+8] jmp esi mov al, 11 int 0x80 mul ecx jmp esi xor ecx, ecx jmp esi popa jmp esi ISCA 201210 Page marked as EXECUTABLE Dispatcher Gadget

11 Defending Against JOP Attacks Use solutions preventing buffer overflows –Bounds Checking –Information Flow Tracking Can ensure the legitimacy of jump targets at runtime –Difficult to do Need to construct a Control Flow Graph –Control Flow Integrity (CFI) Abadi et al, USENIX Security 2005 ISCA 201211

12 Control Flow Integrity Generate Control Flow Graph –Unique labels for edges Instrument the code with checks –Each indirect branch checks target for a label... cmp [ecx], 12345678h jne error_label lea ecx, [ecx+4] jmp ecx... mov eax, [esp+4]... jmp ecx... mov eax, [esp+4]... SourceDestination CFI instrumentation ISCA 201212 Added instructions

13 CFI Limitations Need to construct Control Flow Graph –No publicly available tools for constructing CFG from binaries Need access to source code Runtime performance overhead due to extra instructions –About 20% for SPEC 2K6 Benchmarks Problems with dynamic linking Does not handle unintended instructions ISCA 201213

14 Where Do Jump Targets Go? Typical use of indirect jump instruction –To efficiently implement switch-case statements Target is in the same function –To support dynamic linking Target is a function entry point Key Observation: Legitimate jump targets ARE NOT in the middle of another function ISCA 201214

15 Our Proposal: Branch Regulation Enforce the following rules: –Returns go to the correct addresses –Jumps target same functions or function entry points –Calls target function entry points Use hardware checks for enforcement –Low performance overhead (around 2%) –Unintended instructions are handled –No CFG needed –Requires minimal binary annotations Security shown for common libraries ISCA 201215

16 How Does BR Mitigate JOP Attacks? 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return pop edi jmp edi lea ebx, [esp+8] jmp esi mov al, 11 int 0x80 mul ecx jmp esi xor ecx, ecx jmp esi popa jmp esi function1() function2() NOT ALLOWED ISCA 201216

17 Implementing Branch Regulation Use a Secure Call Stack Annotate function entry points with function size info Compare jump targets with function bounds and allow if checks pass Store bounds in secure call stack Cache a few secure stack entries for performance ISCA 201217

18 Inserting Code Annotations ISCA 201218 080483e4 : 80483e4: push ebp 80483e5: mov ebp, esp... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret... 08048410 g F.text 005a __libc_csu_init 080483e4 g F.text 001c main 080482b8 g F.init 0000 _init... 080483d2 : 80483d2: 80483e4: push ebp 80483e5: mov ebp, esp... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret Original Code Annotated Code Symbol Table

19 Executing Call Instruction calleax. 8048232: call eax. 80482bc: 0x98 80482be: push esp 80482C0: …. 8048300: jmp ecx. 8048354: ret. FetchDecodeExecute Commit Instruction Cache call eax … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0098 80482bc 0098 (function size) 80482bc | 8048354 | 8048236 ISCA 201219

20 Executing Jump Instruction jmpecx. 0x8048232: call eax. 0x80482BC: 0x98 0x80482BE: push esp 0x80482C0: …. 0x8048300: jmp ecx. 0x8048354: ret. FetchDecodeExecute Commit Instruction Cache jmp ecx … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0x80483AA 0x80482BC | 0x8048354 | 0x8048236 0x80482BC > 0x8048354 > ISCA 201220

21 Executing Return Instruction ret. 0x8048232: call eax. 0x80482BC: 0x98 0x80482BE: push esp 0x80482C0: …. 0x8048300: jmp ecx. 0x8048354: ret. FetchDecodeExecute Commit Instruction Cache ret … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0x8048236 0x80482BC | 0x8048354 | 0x8048236 0x8048236 = Return Address from Stack ISCA 201221

22 Security of Branch Regulation Effectively reduces the exploitable code base to the current function An attacker needs to find in same function: –A vulnerability to exploit –Sufficient functional gadgets –Dispatcher gadget –A system call instruction ISCA 201222

23 Number of Vulnerable Functions Library libc libm libcrypto libgcrypt libssl ISCA 201223 Functions with Dispatcher Gadget and System Call 0 0 0 0 0 Functions with Dispatcher Gadget 12 0 3 2 0 Total Number of Functions 7775 1077 7991 1135 1017

24 Additional Security Analysis in the Paper Analysis of available gadgets Dispatcher gadget discovery algorithms Gadget trie example Analysis of gadget side effects –Gadget length –Impact of unintended gadgets ISCA 201224

25 Increase of Executable Size ISCA 201225

26 Impact of Secure Stack Cache Size ISCA 201226

27 BR Performance with 4-Entry Cache ISCA 201227

28 Conclusions ISCA 201228 Emerging Code Reuse Attacks bypass existing defenses against code injection New low overhead solutions are needed We proposed Branch Regulation –Uses hardware checks to enforce a limited set of rules –Incurs 2% performance overhead and 1% increase in code size –Handles unintended instructions –Does not rely on Control Flow Graph of the program –Can protect legacy binaries with minimal effort We demonstrated security of Branch Regulation for a variety of common libraries

29 Thank you! Questions? ISCA 201229

30 Backup Slides ISCA 201230

31 Unintended Instructions 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 08048488: FF 8D BB 18 FF FF 0804848E: FF 8D 83 18 FF FF 08048494: FF 29 Code Snippet from __libc_csu_init function 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 Unintended Code Snippet from __libc_csu_init function call lea edi, [ebx-e8h] lea eax, [ebx-e8h] sub, edi, eax dec [ebp-e745h] dec [ebp-e77dh] jmp [ecx] FF 8D BB 18 FF FF FF 8D 83 18 FF FF FF 29 ISCA 201231

32 Dispatcher Gadgets Replacement of return for JOP attacks Advance a register/memory to represent program counter Dispatcher Gadget Potential (DGP) –If able to write to the target of indirect jump –If not, not Turing-complete Dispatcher Gadget Confirmed (DGC) –If found a potential dispatcher gadget –Still a system call is needed for harmful attack (DGC-SYS) ISCA 201232

33 Identifying Dispatcher Gadgets If memory indirect branch –Find an iterator If register indirect branch –Find a loader and an iterator mov / pop etc. loads add / sub / lea / pop etc. iterates ISCA 201233

34 Dispatcher Gadget Examples Instruction Type loader and iterator register indirect jump iterator memory indirect jump iterator loader register indirect jump iterator conveyor memory indirect jump Dispatcher Gadget pop r1 jmp r1 add r1, r2 jmp [r1] lea r1, [r1 + r2] mov r3, [r1] jmp r3 sub r1, 4 mov r2, [r1] mov r3, r2 jmp [r3] ISCA 201234

35 Unintended Instructions Mostly garbage instructions Usually more side effects than intentional 246894925 ISCA 201235

36 Gadget Length Long gadget means more intermediate instructions ISCA 201236

Download ppt "Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer."

Similar presentations

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin

Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Lecture 6 Machine Code: How the CPU is programmed.

Lecture 6 Machine Code: How the CPU is programmed.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Similar presentations

Ads by Google