PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14.

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Saumya Debray The University of Arizona Tucson, AZ
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Securing Untrusted Code via Compiler-Agnostic Binary Rewriting Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin The University of Texas.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Software and Security Buffer Overflow 1.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.
Address Space Layout Permutation
Application Security Tom Chothia Computer Security, Lecture 14.
Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.
Host and Application Security Lesson 10: Code Injection.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Mitigation of Buffer Overflow Attacks
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
RIVERSIDE RESEARCH INSTITUTE Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation Eric Laspe, Reverse Engineer Jason.
Exploitation possibilities of memory related vulnerabilities
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Amit Malik SecurityXploded Research Group FireEye Labs.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Introduction to Information Security ROP – Recitation 5.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Slide 1 Chapter 1 Desktop Computer © 2012 EMC Publishing, LLC.
13/July/1999Third USENIX Windows NT Symposium1 Detours: Binary Interception of Win32 Functions Galen Hunt and Doug Brubacher Systems and Networking Group.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Lecture 18: ROP - Continued CS 2011 Spring 2016, Dr. Rozier.
Introduction to Information Security
Secure Programming Dr. X
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Static and dynamic analysis of binaries
Secure Programming Dr. X
Computer Architecture and Assembly Language
Introduction to Information Security
CSC 495/583 Topics of Software Security Return-oriented programming
Recitation: Attack Lab
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Defeating Instruction Set Randomization Nora Sovarel
Software Security Lesson Introduction
Machine Level Representation of Programs (IV)
Week 2: Buffer Overflow Part 2.
Teaching with angr: A Symbolic Execution Curriculum and CTF
RopSteg: Program Steganography with Return Oriented Programming
CSC 497/583 Advanced Topics in Computer Security
System and Cyber Security
Return-to-libc Attacks
Presentation transcript:

PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14 1

© Mandiant Corporation. All rights reserved.  Autobiography  Attack Surface & History  Rewriting x86 Binaries  Defeating ROP on x86  Enforcing Security Policies on x86  DIY  Questions Outline 2

© Mandiant Corporation. All rights reserved.  Richard Wartell, Phd. in CS from UT Dallas  This talk covers my thesis and ongoing research at UTD  Working for Mandiant/FireEye ever since  Malware analysis, incident response, automated unpacking of binaries, computering, etc.  Part of the newly formed FLARE team  Focusing on reverse engineering and research Autobiography 3

© Mandiant Corporation. All rights reserved. The Ol’ Faithful 4 Buffer Overflow

© Mandiant Corporation. All rights reserved. Stacks and Stacks 5 Stack Legit fread() return Some stack address fread( ) Make stack non-executable

© Mandiant Corporation. All rights reserved. Return to Libc 6 Stack Legit crap evil_arg1 evil_arg2 evil_arg3 etc… fread() return evil_API() fread( ) ASLR

© Mandiant Corporation. All rights reserved.  The new gold standard  Attacker uses your own code against you  Finds a series of gadgets and forces them to be executed in sequence  A gadget is a series of instructions in executable process memory that ends with a return Return-Oriented Programming 7

© Mandiant Corporation. All rights reserved. Return-Oriented Programming 8 Binary.text FF D6 3D E D C2 0C B EC 8B 56 8D FF B C FF 15 B8 D8 1B C0 25 BA D8 FF FF B EC 56 8B 75 3D C FF 15 ….text FF D6 3D E D C2 0C B EC 8B 56 8D FF B C FF 15 B8 D8 1B C0 25 BA D8 FF FF B EC 56 8B 75 3D C FF 15 … A gadget is a series of instructions that ends with a return Attack Sequence Runtime Stack Stack AddressValue 0028FF8C 0028FF FF FF FF9C 0028FFA0 0028FFA4 0028FFA8 0028FFAC 0028FFB0 0028FFB4 0028FFB8 Stack AddressValue 0028FF8C 0028FF FF FF FF9C 0028FFA0 0028FFA4 0028FFA8 0028FFAC 0028FFB0 0028FFB4 0028FFB8 *

© Mandiant Corporation. All rights reserved.  This is the current generation of attacks  People are paying good money for discovery and mitigation  Microsoft’s 2012 BlueHat Competition  $260,000 total for top three solutions  Successful attack against 2 nd place solution was published one month later  Google paid Pinkie Pie $60k for a ROP attack on Chrome  They patched it  One month later they paid Pinkie Pie another 60k for a new ROP attack they introduced with the patch Why do you care? 9

© Mandiant Corporation. All rights reserved.  ROP is one example of a broad class of attacks that require attackers to know or predict the location of binary features ROP Defense Strategy 10 Defense Goal Frustrate such attacks by randomizing feature space or removing features Defense Goal Frustrate such attacks by randomizing feature space or removing features

© Mandiant Corporation. All rights reserved.  Control the machine code instructions used in compilation (Gfree [2] and Returnless [3])  Use no return instructions  Avoid gadget opcodes  Hardens against ROP  Requires code producer cooperation  Legacy binaries unsupported Anti-RoP Compilers 11 let rec merge = function | list, [] | [], list -> list | h1::t1, h2::t2 -> if h1 <= h2 then h1 :: merge (t1, h2::t2) else h2 :: merge (h1::t1, t2);; let rec merge = function | list, [] | [], list -> list | h1::t1, h2::t2 -> if h1 <= h2 then h1 :: merge (t1, h2::t2) else h2 :: merge (h1::t1, t2);; Gadget- removing Compiler Gadget-free Binary

© Mandiant Corporation. All rights reserved.  ASLR randomizes the image base of each library  Gadgets hard to predict  With the right gadgets you can calculate your offset  Brute force attacks still possible [4] ASLR 12 Virtual Address Space User Address Space Sys. Address Space

© Mandiant Corporation. All rights reserved.  Instruction Location Randomization (ILR) [5]  Randomize each instruction address using a virtual machine  Increases search space  Cannot randomize all instructions  Overhead due to VM (13%)  In-place Randomization (IPR) [6]  Modify assembly to break known gadgets  Breaks 80% of gadgets on average  Cannot remove all gadgets  Preserves gadget semantics  Deployment issues IPR / ILR main lib3 lib2 lib1 User Address Space

© Mandiant Corporation. All rights reserved.  Self-randomizing COTS binary w/o source code  Low runtime overhead  Complete gadget removal  Flexible deployment (copies randomize themselves)  No code producer cooperation Our Goal 14

© Mandiant Corporation. All rights reserved. Our Goal 15.text # # Basic Code Block Original BinaryRewritten Binary Rewritten Binary (Runtime) We define a basic code block as any sequence of instructions that ends with an unconditional branch ( jmp or retn ) First Execution Second Execution

© Mandiant Corporation. All rights reserved.  Relocation information, debug tables and symbol stores not always available  Reverse engineering concerns  Perfect static disassembly without metadata is provably undecidable  Best disassemblers make mistakes (IDA Pro) Binary Randomization is Hard 16 ProgramInstruction Count IDA Pro Errors mfc42.dll mplayerc.exe vmware.exe

© Mandiant Corporation. All rights reserved.  Disassemble this hex sequence  Undecidable problem Unaligned Instructions 17 FF E0 5B 5D C3 0F F 84 EC 8B Valid Disassembly FF E0jmp eax 5Bpop ebx 5Dpop ebp C3retn 0F F 84 EC jcc 8B …mov Valid Disassembly FF E0jmp eax 5Bpop ebx 5Dpop ebp C3retn F 84 EC mov 8B …mov Valid Disassembly FF E0jmp eax 5Bpop ebx 5Dpop ebp C3retn 52push edx 0F 84 EC 8B … jcc

© Mandiant Corporation. All rights reserved.  Self-Transforming Instruction Relocation  Statically rewrite legacy binaries  Rewritten binaries will randomize at a basic block level every execution  Greatly increases search space against brute force attacks  Introduces no deployment issues  Tested on 100+ Windows and Linux binaries  99.99% gadget reduction on average  1.6% overhead on average  37% process size increase on average STIR all the things 18

© Mandiant Corporation. All rights reserved. STIR Architecture 19 Binary Rewriter Memory Image Original Application Binary Original Application Binary Static Rewriting Phase Load-time Stirring Phase Self-stirring Binary Self-stirring Binary Conservative Disassembler Lookup Table Generator Load-time Randomizer (Helper Library) Randomized Instruction Addresses

© Mandiant Corporation. All rights reserved. Disassembly Error Tolerance HexPath 1Path 2Path 3Path 4 FFjmp eax E0loopne 5Bpop 5DL1: pop C3retn 0Fjcc 88mov B0mov 50 FFN/A FF 8BL2: mov 20 FF E0 5B 5D C3 0F 88 B0 50 FF FF 8B Disassembled Invalid Included Disassembly jmp eax pop L1: pop retn jcc L2: mov loopne jmp L1 mov jmp L2

© Mandiant Corporation. All rights reserved.  High Level View Dynamic Jump Table 21.text.told.tnew # # Code Function 1’ 2’ 3’ 4’ 5’ *1’ *2’ *3’ *4’ *5’ Marker Byte (0xF4)

© Mandiant Corporation. All rights reserved.  Low level view Dynamic Jump Table 22 0x401000: 55 8B EC 83 EC B 3B 33 C0 83 C7 04 … 0x401000: 55 8B EC 83 EC B 3B 33 C0 83 C7 04 … Function 1 0x401000: F4 B B 3B 33 C0 83 C7 04 … 0x401000: F4 B B 3B 33 C0 83 C7 04 … Function 1 0x5123B0: 55 8B EC 83 EC B 3B 33 C0 83 C7 04 … 0x5123B0: 55 8B EC 83 EC B 3B 33 C0 83 C7 04 … Rewritten Function 1 Original BinaryRewritten Binary 0x401000: 55 8B EC 83 EC 0x401000: F4 B B x5123B0:

© Mandiant Corporation. All rights reserved. Computed Jump Preservation 23.text:0040CC9Bcall eaxFF DO.tnew:0052A1CB.tnew:0052A1CE.tnew:0052A1D2 cmp byte ptr [eax], F4h cmovz eax, [eax+1] call eax F4 0F FF D0 Original Instruction: Rewritten Instructions:.told:00411A40F4 dw 0x534AB9F4 B9 4A Rewritten Jump Table:.text:00411A40pop ebp5B Original Possible Target:.tnew:00534AB9pop ebp5B Rewritten Target: eax = 0x411A40 eax = 0x534AB9 cmp byte ptr [eax], F4h cmovz eax, [eax+1] call eax pop ebp F4h F4 0x534AB9 call eax pop ebp

© Mandiant Corporation. All rights reserved. Static Rewriting 24 Header IAT.data.text Original Binary Rewritten Header IAT.data.told (NX bit set) Rewritten Binary.tnew Modified Section ’ 2’ 3’ 4’ 5’ *1’ *2’ *3’ *4’ *5’ # # Basic Code Block Marker Byte

© Mandiant Corporation. All rights reserved.  When binary is loaded:  Initializer randomizes.tnew layout  Lookup table pointers are updated  Execution is passed to the new start address Load-time Stirring main lib3 lib2 lib1 User Address Space

© Mandiant Corporation. All rights reserved. INSERT DEMO HERE Do a thing… 26

© Mandiant Corporation. All rights reserved. MATH! 27

© Mandiant Corporation. All rights reserved. Gadget Reduction 28

© Mandiant Corporation. All rights reserved.  Tiny gadgets Why not 100%? 29 pop ebx retn pop ecx retn

© Mandiant Corporation. All rights reserved. Windows Runtime Overhead 30

© Mandiant Corporation. All rights reserved. Linux Runtime Overhead 31

© Mandiant Corporation. All rights reserved.  First static rewriter to protect against ROP attacks  Greatly increases search space  Introduces no deployment issues  Tested on 100+ Windows and Linux binaries  99.99% gadget reduction on average  1.6% overhead on average  37% process size increase on average STIR Conclusions 32

© Mandiant Corporation. All rights reserved.  So we have a ROP mitigation rewriter, what about security policies based on API calls?  E.g. No network sends after read from the file system  REINS  Wrap system library APIs with our own code  Specify regular expression based security policies  Guarantee security policy cannot be circumvented  Accomplished via Software Fault Isolation (SFI) and an Inline-Reference Monitor (IRM) What else? 33

© Mandiant Corporation. All rights reserved.  Trusted & untrusted modules in common address space  Example #1: web browser plug-ins  Example #2: trusted system libraries inside untrusted application  Goal: protect trusted modules from untrusted ones  confine untrusted module behaviors  Example: Untrusted modules must obey trusted module interfaces  Blocks ROP attacks [Shacham07] Software Fault Isolation (SFI) 34 eMule.exe kernel32.dll user.dll Trusted Untrusted

© Mandiant Corporation. All rights reserved.  SFI foundation supports higher-level policies [CFI05]  Example: IRMs [Schneider00]  Enforces powerful policies:  program-specific (no other programs affected)  light-weight enforcement (minimize context switches)  Statefulness  Example: Adobe Reader may access the network (to check for updates) and may read my confidential files, but may not access the network after reading my confidential files. Inlined Reference Monitors (IRMs) 35 eMule.exe kernel32.dll user.dll Trusted Untrusted IRM

© Mandiant Corporation. All rights reserved. A Brief History of SFI Wahbe 1 PittSFIeld 3 CFI / SMAC 2 XFI 4 NaCl 5 1: [Wahbe93] 2: [CFI05] 3: [PittSFIeld06] 4: [XFI06] 5: [NaCl09]

© Mandiant Corporation. All rights reserved. A Brief History of SFI Wahbe 1 RISC only PittSFIeld 3 GCC only CFI / SMAC 2 Needs PDB XFI 4 Needs PDB NaCl 5 Special GCC All prior works require explicit code-producer cooperation 1: [Wahbe93] 2: [CFI05] 3: [PittSFIeld06] 4: [XFI06] 5: [NaCl09]

© Mandiant Corporation. All rights reserved.  Three main modifications  Separation of trusted and untrusted modules via memory  High memory is trusted  Low memory is untrusted  Use masking to enforce this  Use PittSFIeld approach to SFI  Turns every chunk (16 bytes) into an atomic unit of execution  Use the same framework as STIR for preserving behavior  Old code section becomes a jump table with marker bytes  New rewritten code section is added The Solution? 38

© Mandiant Corporation. All rights reserved. Original Binary Rewritten Binary Separating Code from Data Original Memory LayoutRewritten Memory Layout 39 High Memory Low Memory kernel32.dlluser32.dll kernel32.dll Memory separation is chosen at location 2 d (32-d) is the number of high order bits we must mask

© Mandiant Corporation. All rights reserved. PittSFIeld 40  Move targets to the beginning of chunks  Move calls to the end of chunks  Make sure no instruction overlaps a chunk boundary  Mask indirect branches to guarantee chunk atomicity  Add guards to ensure behavioral equivalence AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dpush 0x x401122call eax 0x401124push eax 0x401125call 0x4012BC …… 0x4012BCpush ebp AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dpush 0x x401122call eax 0x401124push eax 0x401125call 0x4012C0 …… 0x4012BCnop (x4) 0x4012C0push ebp AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dpush 0x x401122nop (*C) 0x40112Ecall eax 0x401130push eax 0x401131nop (*A) 0x40113Bcall 0x4012C0 …… 0x4012BCnop (*4) 0x4012C0push ebp 0x4012C1mov ebp, esp AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dnop (*3) 0x401120push 0x x401125nop (*9) 0x40112Ecall eax 0x401130push eax 0x401131nop (*A) 0x40113Bcall 0x4012C0 …… 0x4012BCnop (*4) 0x4012C0push ebp 0x4012C1mov ebp, esp AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dnop (*3) 0x401120push 0x x401125nop (*3) 0x401128and eax, 0x0FFFFFF0 0x40112Ecall eax 0x401130push eax 0x401131nop (*A) 0x40113Bcall 0x4012C0 …… 0x4012BCnop (*4) 0x4012C0push ebp AddressInstruction 0x40111Amov eax, [ebp+8] 0x40111Dnop (*3) 0x401120push 0x x401125nop (*3) 0x401131cmp eax, 0xF4 0x401134cmovz eax, [eax+1] 0x401138and eax, 0x0FFFFFF0 0x40113Ecall eax 0x401140push eax 0x401141nop (*A) 0x40114Bcall 0x4012C0 …… 0x4012BCnop (*4) 0x4012C0push ebp

© Mandiant Corporation. All rights reserved.  Enforced policies on Eureka client (>1.6MB code):  Disallow creation of.exe,.msi, or.bat files  Disallow execution of Windows explorer as an external process  Disallow opening more than 100 SMTP connections  Malware policies:  Disallow creation of.exe,.msi, or.bat files  Successfully stopped virus propagation for real world malware samples IRM Synthesis 41 Policy-adherant binary Policy Rewriter Binary

© Mandiant Corporation. All rights reserved. Windows Runtime Overhead 42

© Mandiant Corporation. All rights reserved. Do It Yourself 43

© Mandiant Corporation. All rights reserved.  Inject useless obfuscated code to frustrate reverse engineers  Nops, unused conditionals, functions that do nothing, pointless math, etc. Obfuscation 44 Original Binary push eax call 0x Rewritten Binary call junk_function1 push eax call 0x call junk_function2

© Mandiant Corporation. All rights reserved. Stack Canaries 45 Original Binary push eax call … 0x401200: push ebp … mov eax, retn Rewritten Binary push eax push call … 0x401200: push ebp … mov eax, call check_canary retn  Push a value on to the stack and check it before returning  Great test against stack manipulation

© Mandiant Corporation. All rights reserved. 46

© Mandiant Corporation. All rights reserved.  Put your name in binaries for fun, or hide strings for CTFs Signatures / CTFs 47 Original Binary push eax call 0x Rewritten Binary push eax jmp the_call.ascii “Wartortell was here” the_call: call 0x401200

© Mandiant Corporation. All rights reserved.  The first binary rewriter for x86 that requires no metadata  Works for Linux and Windows  Two proof of concepts  Low overhead Conclusions 48

© Mandiant Corporation. All rights reserved.  Reversing CTF available online July 7th  Series of reversing challenges I wrote  Tests a variety of reversing skills  X86, x64, ELF, PE, Mach-O, php, js,.NET, C++, etc. could all be included in the challenges  Visit for more infowww.flare-on.com The FLARE On Challenge 49

© Mandiant Corporation. All rights reserved. Questions? 50

© Mandiant Corporation. All rights reserved. Linux Runtime Overhead 51

© Mandiant Corporation. All rights reserved. Preserving Good Inter-module Flows 52 jmp [IAT:CreateWindow] Original CodeRewritten Code CreateWindow jmp [IAT:CreateWindow] CreateWindow  IAT data section locked non-writable

© Mandiant Corporation. All rights reserved. Computed Inter-module Flows  computed jumps to trusted modules  dynamic linking (DLLs)  callbacks (event-driven programming) 53 trusted library trusted library intermediary library (trusted) intermediary library (trusted) rewritten code rewritten code caller callback stub callback_ret callback return trampoline

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.