Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.

Published byBrendan Ethan Shaw Modified over 8 years ago

Similar presentations

Presentation on theme: "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew."— Presentation transcript:

1 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew Bernat, and Bill Williams

2 o Attack goal: effect some malicious intent by hijacking program control flow o Historically, accomplished via code injection Threat Model 2 Detecting Code Reuse Attacks Using Dyninst Components entry point code process address space stack heap injected shellcode

3 o W X prevents code injection o Alternative: construct an exploit using code that already exists within the program’s address space entry point code process address space stack heap injected shellcode Threat Model 3 Detecting Code Reuse Attacks Using Dyninst Components “code reuse attacks”

4 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be Anatomy of a Code Reuse Attack 4 Detecting Code Reuse Attacks Using Dyninst Components xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Usually a short attack with the goal of escaping the confining W X environment exec(“/bin/sh”) code

5 Anatomy of a Code Reuse Attack 5 Detecting Code Reuse Attacks Using Dyninst Components entry point code process address space stack heap xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx code injection attackcode reuse attack entry point code process address space stack heap injected shellcode

6 Previous Code Reuse Attack Defenses o Detect using heuristics based on attack behaviors [Chen et al. 2009,2010], [Davi et al. 2011], [Huang et al. 2012], [Kayaalp et al. 2012] o Enforce control flow integrity at runtime [Abadi et al. 2009], [Bletsch et al. 2011], [Zhang et al. 2013] In the next talk, Tugrul will talk about another interesting defense technique. 6 Detecting Code Reuse Attacks Using Dyninst Components

7 Our Approach o Define conformant program execution (CPE) as a set of requirements on program states o Valid program counter o Valid callstack o Enforce CPE by monitoring program at runtime 7 Detecting Code Reuse Attacks Using Dyninst Components

8 Model Component #1 Valid program counter (PC): PC must point to instruction in the original program 8 Detecting Code Reuse Attacks Using Dyninst Components b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret CFG 0xb7fe3424 PC

9 Model Component #2 Valid callstack: For each frame: 1.frame must have valid stack frame height 2.(caller  current frame) must represent a valid control flow transfer in the program 9 Detecting Code Reuse Attacks Using Dyninst Components stack pointer stack height caller frame: foo current frame: bar foo push %ecx push %edx push %ebp mov %esp, %ebp sysenter pop %ebp … push %ecx push %edx push %ebp mov %esp, %ebp sysenter pop %ebp … callstack CFG

10 Program Validation Design decision: when do we validate? o Option 1: At all instructions o “Conformant program execution” o Disadvantage: inefficient o Option 2: At system calls o “Observed conformant program execution”(OCPE) o Effective because attacks must use the system call interface to modify overall machine state 10 Detecting Code Reuse Attacks Using Dyninst Components

11 ROPStop Implementation 11 Detecting Code Reuse Attacks Using Dyninst Components binary running process Initialization 1.Attach to running process or launch new process from binary 2.Parse program binary 3.Register callbacks at system calls 4.Continue process At each system call 1.Validate current program counter 2.Perform robust stackwalk and validate the current callstack ParseAPI A Dyninst Component ProcControlAPI A Dyninst Component InstructionAPI A Dyninst Component StackwalkerAPI A Dyninst Component DataflowAPI A Dyninst Component ROPStop or

12 Accuracy Evaluation 12 Detecting Code Reuse Attacks Using Dyninst Components Overhead

13 Results: Real Code Reuse Attacks 13 Detecting Code Reuse Attacks Using Dyninst Components 100% accuracy using real ROP and JOP exploits

14 Results: SPEC CPU2006 14 Detecting Code Reuse Attacks Using Dyninst Components 100% accuracy (0 false positives), 5.42% overhead (geometric mean)

15 Open Questions o Data-driven attacks (orthogonal type of attack) [Chen et al. 2005], [Demay et al. 2011] o Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006], [Wagner and Soto 2002] 15 Detecting Code Reuse Attacks Using Dyninst Components

16 Conclusion o We defined conformant program execution and an efficient approximation, observed conformant program execution o We built a tool to enforce OCPE, ROPStop, on top of Dyninst components 16 Detecting Code Reuse Attacks Using Dyninst Components

17 Questions? o For more details, our paper is available at: ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson13ROPStop.pdf o Come see the demo on Tuesday 17 Detecting Code Reuse Attacks Using Dyninst Components

Download ppt "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.

© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.

SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Similar presentations

Ads by Google