Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense Laboratory Department of Computer Science North Carolina State University Presenter: Radha Maldhure for CDA 6133 Spring’08

Overview Memory Corruption Address Space Randomization System Overview System Architecture State Transition of Program Diagnosis Signature Generation Experimental Evaluation Contribution Weakness Suggestions References

Memory Corruption Memory Location are unintentionally modified due to programming errors Attack: –Successful attack allows a remote code execution –Unsuccessful attack causes program crash or strange program behavior Most popular means to take control of target system Type: Buffer Overflow, Integer overflow

Memory Corruption: Example Memory Corruption by Buffer Overflow Code Ret Addr Local Var Local Buffer Attacker’s codeRet Add Process Memory layout for X Attacker’s Packet Stack frame for User_input() For example: User_input( ) is some routine in X Local Var Ret Addr

Address Space Randomization Code Ret Addr Argument Local Var Local Buffer Normal Memory Layout Memory layout with Randomizati on-on

Example: Memory corruption with ASR Memory Corruption by Buffer Overflow The return address points to wrong Memory location CRASH!!! Code Ret Addr Argument Local Var Local Buffer Ret Addr Stack frame

System Overview

System Architecture

Terms needed for Model Some definitions: Memory attack = multiple corrupting instruction Corrupting Instruction( c ) = tricked to overwrite critical program data Initial Corrupting Instruction( i ) = Corrupting program data based on network input Take over Instruction( t ) = Control flow transfer Instruction Faulting Instruction( f ) = Cause process to crash

State Transition of a randomized program under memory corruption attack initial corrupting instr c Normal Crash Security Compromise Inconsistent Execution Critical Data Corruption initial corrupting instr c (c=f) faulting instr f t with correct addr prediction Case 2 : K= Non-takeover instr i with incorrect addr prediction( i=f ) k t with incorrect addr prediction(t = f) Case 1 Case 3Case 4

Case1 buf Input to GetUserName( ) is large This causes buffer overflow and accesses illegal memory location and hence the system crashes!!!! hhhwdhw vhdvhvdhj hdhvdhvd dsadjvdvh vdqwdgg gdggdggg dwgfbfns Sample program int foo( int b, int *c ) { buf[10]; GetUserName(buf) (*c)++; return *c } b b c c Corrupting Instruction is the Faulting instruction( c = f )

Case 2 The attack corrupts some critical data without crash. However, process crashes when executing non-takeover instruction int foo( int b, int *c ) { buf[10]; GetUserName(buf) (*c)++; return *c } 0000 c b buf Stack frame Program crashes as third statement executes!!

Case c b Ret addr buf Jmp Invalid memory Stack frame Take-over instruction is the faulting instruction

Case c b Ret addr buf Jmp Invalid memory Stack frame Successfully executes take-over instruction, and continues to execute for some time before crash

Diagnosis Who? By monitor & Diagnosis engine on memory access violation exception How? –Identifying faulting instruction –Converting case 4 crashes –Tracing corrupting instruction

Identifying faulting Instruction Goal: Find address of faulting Instruction ‘f’ Two cases: Simple case: f = preceding instruction of current PC Complex case: f = indirect control flow transfer instruction PC = invalid memory address that causes access violation If not Complex case then its Simple case !!

Complex case C = { m } = indirect control flow instructions in program Decode and compute target addr(a) for m Instr a X x Y y a = Current PC registerUse break points Keep the instruction f = last instr before memory access violation

Converting Case 4 Eliminate the possibility of Case 4 crash –No way to differentiate cases –Uses random re-execution –Convert to other cases

Converting Case 4( condt.) Jmp 4000 Case4 Case3 Case 1 or Case 2 OR Jmp 4000 t Make invalid 4000 Memory access violation exception Converted Memory Layout-A Memory Layout-B

Tracing Corrupting Instruction Basic Idea Trace back to the instruction that writes corrupted data until network input data Not Sure How it works!!

Signature Generation Two types Pure Message Signature Use critical byte sequence from attack Unacceptable false positive rate Correlate Message Signature with program execution state Low false positive rate Speeds up message filtering High detection rate

Experimental Evaluation Effectiveness of Diagnosis

Contribution Automation improves the efficiency of problem diagnosis Model for defense and analysis of memory corruption attacks

Weaknesses Address Space Randomization is susceptible to brute- force attacks Implementation of the suggested prototype requires extensions Gives little information about the type of occurred memory corruption At some points, the explanation is difficult to understand

How To Improve Explanation and Diagrams must be accompanied with examples Few terms like memory corruption, address space randomization must be elaborated

References Wikipedia Address Space Layout Permutation, by Chongkyung Kil

QUESTIONS????