Q: Exploit Hardening Made Easy

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Exploitation possibilities of memory related vulnerabilities
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Microprocessors The ia32 User Instruction Set Jan 31st, 2002.
CNIT 127: Exploit Development Ch 1: Before you begin.
Introduction to Information Security ROP – Recitation 5.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Superoptimization Venkatesh Karthik Srinivasan Guest Lecture in CS 701, Nov. 10, 2015.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Introduction to Information Security
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Return Oriented Programming
Protecting Memory What is there to protect in memory?
Credits and Disclaimers
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Introduction to Information Security
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Exploiting & Defense Day 2 Recap
Aaron Miller David Cohen Spring 2011
CSC 495/583 Topics of Software Security Stack Overflows (2)
Introduction to Compilers Tim Teitelbaum
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
Discussion Section – 11/3/2012
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Defeating Instruction Set Randomization Nora Sovarel
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Address Space Layout Randomization (ASLR) Dirk Gordon
Lecture 9: Buffer Overflow*
Week 2: Buffer Overflow Part 1.
Week 2: Buffer Overflow Part 2.
CSC-682 Advanced Computer Security
RopSteg: Program Steganography with Return Oriented Programming
Credits and Disclaimers
Computer Architecture and System Programming Laboratory
Return-to-libc Attacks
Presentation transcript:

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 11/12/2018

I found a control flow hijack exploit online! Downloading Exploits I found a control flow hijack exploit online! Exploit Evil Ed Windows 7 11/12/2018

11/12/2018

Why didn’t the exploit work? Downloading Exploits Why didn’t the exploit work? Evil Ed Windows 7 11/12/2018

Causes of Broken Exploits Exploit used OS/binary-specific tricks/features OS Defenses 11/12/2018

Modern OS defenses are designed to make exploiting difficult ASLR: Address Space Layout Randomization DEP: Data Execution Prevention Do not guarantee control flow integrity How difficult? 11/12/2018

Exploit hardening: Modifying exploits to bypass defenses 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Exploit Computation Control Simple Exploit Shellcode Padding Pointer 11/12/2018

Data Execution Prevention (DEP) Exploit Shellcode Padding Pointer Crash User input is non-executable DEP: Buffers cannot be writable and executable 11/12/2018

Bypassing DEP Goal: Specify exploit computation even when DEP is enabled Return Oriented Programming [S07] Use existing instructions from program in special order to encode computation 11/12/2018

Return Oriented Programming Example: How can we write to memory without shellcode? 11/12/2018

Return Oriented Programming nextaddr Exploit addr3 eax address ebx addr2 value stack Gadgets addr1 pop %eax ret addr2 pop %ebx ret addr3 movl %eax, (%ebx) ret 11/12/2018

Address Space Layout Randomization (ASLR) ASLR disabled Exploit Gadgets ASLR enabled Gadgets Exploit Crash ASLR: Addresses are unpredictable 11/12/2018

Return Oriented Programming + ASLR Bad news: Randomized code can’t be used for ROP Good news: ASLR implementations leave small amounts of code unrandomized Evil Ed 11/12/2018

ASLR in Linux (Example) Unrandomized Randomized Program Image Libc Stack Heap Executable 11/12/2018

Consequences Challenge: Program image is often the only unrandomized code Small Program-specific Prior work on ROP assumes unrandomized large code bases; can’t simply reuse We developed new automated ROP techniques for targeting the program image 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Automatic ROP Overview Source P Instructions from P Computation 11/12/2018

ROP Overview Source P Discovery Assignment Computation Arrangement 11/12/2018

Gadget Discovery Source P Gadget Discovery: Does instruction sequence do something we can use for our computation? Fast randomized test for every program location (thousands or millions) Source P sbb %eax, %eax; neg %eax; ret 11/12/2018

Randomized Testing EAX 0x0298a7bc CF 0x1 ESP 0x81e4f104 Before OutReg <- InReg Semantic Definition For Move sbb %eax, %eax; neg %eax; ret If 10 random runs satisfy a semantic definition, then Q probably found a gadget of that type EAX 0x1 ESP 0x81e4f108 EBX 0x0298a7bc After 11/12/2018

Q’s Gadget Types Gadget Type Semantic Definition Real World Example MoveRegG Out <- In xchg %eax, %ebp; ret LoadConstG Out <- Constant pop %ebp; ret ArithmeticG Out <- In1 + In2 add %edx, %eax; ret LoadMemG Out <- M[Addr + Offset] movl 0x60(%eax), %eax; ret StoreMemG M[Addr + Offset] <- In mov %dl, 0x13(%eax); ret ArithmeticLoadG Out +<- M[Addr + Offset] add 0x1376dbe4(%ebx), %ecx; (…); ret ArithmeticStoreG M[Addr + Offset] +<- In add %al, 0x5de474c0(%ebp); ret 11/12/2018

Q’s Gadget Types Gadget Type Semantic Definition Real World Example MoveRegG Out <- In xchg %eax, %ebp; ret LoadConstG Out <- Constant pop %ebp; ret ArithmeticG Out <- In1 + In2 add %edx, %eax; ret LoadMemG Out <- M[Addr + Offset] movl 0x60(%eax), %eax; ret StoreMemG M[Addr + Offset] <- In mov %dl, 0x13(%eax); ret ArithmeticLoadG Out +<- M[Addr + Offset] add 0x1376dbe4(%ebx), %ecx; (…); ret ArithmeticStoreG M[Addr + Offset] +<- In add %al, 0x5de474c0(%ebp); ret 11/12/2018

Q’s Gadget Types Gadget Type Semantic Definition Real World Example MoveRegG Out <- In xchg %eax, %ebp; ret LoadConstG Out <- Constant pop %ebp; ret ArithmeticG Out <- In1 + In2 add %edx, %eax; ret LoadMemG Out <- M[Addr + Offset] movl 0x60(%eax), %eax; ret StoreMemG M[Addr + Offset] <- In mov %dl, 0x13(%eax); ret ArithmeticLoadG Out +<- M[Addr + Offset] add 0x1376dbe4(%ebx), %ecx; (…); ret ArithmeticStoreG M[Addr + Offset] +<- In add %al, 0x5de474c0(%ebp); ret 11/12/2018

Randomized Testing Randomized testing tells us we likely found a gadget Fast; filters out many candidates Enables more expensive second stage Second stage: SMT-based gadget discovery Gadget discovery is program verification 11/12/2018

SMT-Based Gadget Discovery sbb %eax, %eax neg %eax; ret [D76] Weakest Precondition F EAX <- CF SMT Validity Check Valid (Gadget) Invalid (not Gadget) F

SMT-Based Gadget Discovery Q is better at finding gadgets than I am! imul $1, %eax, %ebx ret Move %eax to %ebx lea (%ebx,%ecx,1), %eax Store %ebx+%ecx in %eax sbb %eax, %eax; neg %eax Move carry flag to %eax 11/12/2018

ROP Overview Source P Discovery Assignment Computation Arrangement 11/12/2018

Alternate view: Compile user computation for gadget type architecture Gadget Arrangement Gadget Arrangement: How can gadget types be combined to implement a computation? Alternate view: Compile user computation for gadget type architecture Example: M[0xcafecafe] := 0xdeadbeef 11/12/2018

Arrangement: Storing to Memory LoadConst deadbeef LoadConst cafecafe Address Value StoreMem, u32 11/12/2018

How can we write to memory without StoreMem? Gadget Arrangement How can we write to memory without StoreMem? 11/12/2018

Arrangement: Storing to Memory Writes zero to M[cafecafe] LoadConst LoadConst cafecafe Address Value ArithmeticStore, u32, Bitwise And 11/12/2018

Arrangement: Storing to Memory Adds deadbeef to M[cafecafe]. 0 + deadbeef = deadbeef LoadConst deadbeef LoadConst cafecafe Address Value ArithmeticStore, u32, Plus 11/12/2018

Gadgets types are often unavailable Gadget Arrangement Gadgets types are often unavailable Synthesize alternatives on the fly Flexible arrangement rules are necessary for small code bases 11/12/2018

ROP Overview Source P Discovery Assignment Computation Arrangement 11/12/2018

Assignments must be compatible Gadget Assignment: Assign concrete gadgets found in source program to arrangements Assignments must be compatible 11/12/2018

Assignment: Register Mismatch CONFLICT %ebx and %ecx mismatch LoadConst deadbeef StoreMem, u32 pop %eax ret mov %eax, (%ecx) ret LoadConst cafecafe pop %ebx ret 11/12/2018

We developed dynamic programming approach to find assignment Gadget Assignment Need to search over Gadgets Schedules We developed dynamic programming approach to find assignment Easy to print payload bytes with assignment 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Exploit Hardening Old Exploit (stopped by DEP+ASLR) Hardened Exploit (bypasses DEP+ASLR) ROP Payload 11/12/2018

Stop at vulnerability condition Trace-based Analysis Record P on the old exploit Branch 1 Branch 2 Branch 3 Stop at vulnerability condition 11/12/2018

Reasoning about Executions Logical Formula For All Inputs On Path [SAB10] Symbolic Execution 11/12/2018

Exploit Constraints Path Exploit 11/12/2018

Exploit Constraints Exploit Constraints SMT Exploit Path Constraints How do we ensure the ROP payload gets in the exploit? Exploit Gadgets M[ESP] = &gadget1 M[ESP+off1] = &gadget2 M[ESP+off2] = &gadget3 Exploit Constraints SMT Exploit Path Constraints 11/12/2018

Demo! 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Can Q harden exploits for real binary programs? Evaluation Questions Can Q harden exploits for real binary programs? How much unrandomized code is sufficient to create ROP payloads? 11/12/2018

Real Exploits Q was able to automatically harden nine exploits downloaded from exploit-db.com Name Total Time OS Free CD to MP3 Converter 130s Windows 7 Fatplayer 133s A-PDF Converter 378s A-PDF Converter (SEH exploit) 357s MP3 CD Converter Pro 158s rsync 65s Linux opendchub 225s gv 237s Proftpd 44s 11/12/2018

ROP Probability Given program size, what is the probability Q can create a payload? Measure over all programs in /usr/bin Depends on target computation Call functions statically or dynamically linked by the program (blue on next slide) Call any function in libc (red; harder) system, execv, connect, mprotect, … 11/12/2018

ROP Probability Call linked functions in 80% of programs >= true (20KB) Probability that attack works Call libc functions in 80% of programs >= nslookup (100KB) Program Size (bytes) 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Limitations Single path (trace-based) analysis restrictive; prevents finding exploits Q’s gadgets types are not Turing-complete Calling system(“/bin/sh”) or mprotect() usually enough Comparison with related work Q cannot find conditional gadgets Potential automation of interesting work on ROP without Returns [CDSSW10] 11/12/2018

Overview Background: Defenses and Return Oriented Programming (ROP) Q: ROP + Hardening Automatic ROP Automatic Hardening Evaluation Limitations Conclusion 11/12/2018

Conclusion We built Q, a system that automatically hardens exploits to bypass defenses Challenge: Reusing small amounts of code Q automatically hardened nine real exploits found in the wild against latest OS defenses Takeaway: Unrandomized code is dangerous 20KB makes DEP+ASLR ineffective 11/12/2018

Thanks!  Questions? Check out some of the gadgets Q can find at http://plaid.cylab.cmu.edu:8080/~ed/gadgets Edward J. Schwartz edmcman@cmu.edu http://www.ece.cmu.edu/~ejschwar 11/12/2018

Sizes of Gadget Sources Ratio File size (bytes) 11/12/2018

Types of Gadgets Number of StoreMem Number of ArithStore 11/12/2018

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.