SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.

Slides:



Advertisements
Similar presentations
Practical Malware Analysis
Advertisements

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
COMP 2003: Assembly Language and Digital Logic
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Accessing parameters from the stack and calling functions.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
6.828: PC hardware and x86 Frans Kaashoek
Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
1 UCR Code Reuse Attacks (II) Slide credits: some slides and figures adapted from David Brumley, AC Chen, and others.
Mitigation of Buffer Overflow Attacks
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Packet Vaccine: Black-box Exploit Detection and Signature Generation
Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
Exploitation possibilities of memory related vulnerabilities
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,
CNIT 127: Exploit Development Ch 1: Before you begin.
Introduction to Information Security ROP – Recitation 5.
1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Compiler Construction Code Generation Activation Records
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
1 Assembly Language: Function Calls Jennifer Rexford.
CSC 221 Computer Organization and Assembly Language Lecture 15: STACK Related Instructions.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
Introduction to Information Security
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
CS 177 Computer Security Lecture 9
Machine-Level Programming 2 Control Flow
The Hardware/Software Interface CSE351 Winter 2013
Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry*
Introduction to Information Security
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Exploiting & Defense Day 2 Recap
Introduction to Compilers Tim Teitelbaum
Assembly IA-32.
High-Level Language Interface
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Continuous, Low Overhead, Run-Time Validation of Program Executions
Machine-Level Programming 2 Control Flow
Machine Level Representation of Programs (IV)
Multi-modules programming
X86 Assembly Review.
ICS51 Introductory Computer Organization
Computer Architecture and System Programming Laboratory
Return-to-libc Attacks
Presentation transcript:

SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael Abu-Ghazaleh Department of Computer Science State University of New York at Binghamton Presented at the19th IEEE International Symposium on High-Performance Computer Architecture (HPCA-19), February 25th, 2013

Vulnerability Classification from NIST-NVD *01/2010 – 12/2012 CVE Records (Severity 7 – 10) HPCA 2013

Buffer Overflow and Code Injection Attack: Example main (int argc, char **argv) { ... vulnerable(argv[1]); } vulnerable(char *str1) char str2[100]; strcpy(str2,str1); return; str2 xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious input (str2) Stack frame for vulnerable() malicious return return address Stack frame for main() Stack growth 0xFFFF HPCA 2013

Existing Protection from Code Injection Attacks: No Execute Bit (NX) Mark memory pages as Either WRITABLE Or EXECUTABLE But not both Standard technique in current processors and operating systems Intel XD bit AMD XN bit Windows DEP Linux PaX xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 WRITABLE NOT EXECUTABLE malicious return Stack growth 0xFFFF HPCA 2013

Next Frontier: Code Reuse Attacks (CRAs) Key Idea: Reuse existing library code instead of code injection Bypass NX Return Oriented Programming Jump Oriented Programming HPCA 2013

Return Oriented Programming Attacks Turing-complete X86 SPARC ARM Exploits Voting machine Atmel sensor Cisco router Xen hypervisor Jailbreak Pwn2Own Automated tools Microsoft BlueHat Prize ($260K) HPCA 2013

Return Oriented Programming (ROP) 0x0000 <Address A> xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 <B> <D> <C> xor ecx, ecx ret mul ecx ret lea ebx, [esp+8] ret Stack frame for vulnerable() <Address B> mov al, 11 int 0x80 Page marked as EXECUTABLE <Address C> <A> malicious return Stack frame for main() <Address D> Stack growth 0xFFFF HPCA 2013

Jump Oriented Programming 0x0000 <Address A> Dispatcher Gadget <Address B> popa jmp esi <register values> <C> <D> <F> <E> xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 <Address C> pop edi jmp edi xor ecx, ecx jmp esi Stack frame for vulnerable() mul ecx jmp esi <Address D> Page marked as EXECUTABLE lea ebx, [esp+8] jmp esi mov al, 11 int 0x80 <Address E> <B> malicious return Stack frame for main() <Address F> Stack growth 0xFFFF HPCA 2013

Defending Against JOP Attacks Use solutions preventing buffer overflows Bounds Checking Information Flow Tracking Ensure the legitimacy of jump targets at runtime {Abadi-05}: Control-Flow Integrity (USENIX Security) {Kayaalp-12}: Branch Regulation (ISCA) Signature-based detection Detect the anomaly in control flow HPCA 2013

Prior Work on Signature-Based Detection “DROP: Detecting ROP malicious code” P. Chen et al. ICISS 2009 if (# instructions between returns <= 5) then it is a gadget if (# consecutive gadgets >= 3) then it is a ROP attack HPCA 2013

DROP S=3 N=5 Consecutive Gadgets CRAs min # gadgets to launch a CRA Regular workloads max tolerable gadget length for CRA Gadget Length N=5 HPCA 2013

Building on DROP Apply the same idea to Adjust the thresholds Indirect jumps Indirect calls Adjust the thresholds HPCA 2013

Extending DROP for JOP CRAs Added dispatcher gadgets Indirect jumps/calls are not that frequent min # gadgets to launch a CRA Regular workloads max tolerable gadget length for CRA HPCA 2013

Case of Long Gadgets Side effects Overwrite registers/memory locations May cause exceptions adc [ebx-0x74EBDBAC], cl Limited number of registers One for the dispatcher One for jumping back to the dispatcher Only 6 left (in x86) HPCA 2013

Gadget Length and State Changes HPCA 2013

Defeating DROP Make the attack pattern less predictable Perform some unnecessary computation Without harming attack state Call a function Execute many instructions Return to the same point in the attack Caller saved registers stay intact ebx, esi, edi, esp, ebp HPCA 2013

Delay Gadgets atoi() Dispatcher Gadget Functional Gadget Delay Gadget pop eax jmp eax add [ebx], edx jmp esi call [ecx-0x56000a00] add bl, bh inc ebx add dh, bh jmp edi HPCA 2013

Summary of DROP Limitations Implemented in software 5x slowdown Tight margin for detecting ROP False positives/negatives Easily defeated by using delay gadgets HPCA 2013

Our Proposal: SCRAP Signature-Based CRA Protection Detects CRAs with delay gadgets No false positives for regular workloads Implemented in hardware Low overhead Protects legacy binaries HPCA 2013

Attack Signatures DROP-like Signature Definition: Symbol Instruction w Indirect Jump x Indirect Call y Call z Return a All Other DROP-like Signature Definition: Up to N instructions S or more gadgets HPCA 2013

SCRAP Attack Signatures Symbol Instruction w Indirect Jump x Indirect Call y Call z Return a All Other Signatures with delay gadgets (N=5, S=3): Attack has 3 parts Each part has a Gadget and Delays A Gadget has up to 5 instructions Delay is a function call A function call can be a Delay as long as it is not an Attack itself HPCA 2013

Example Signatures Signature Detected by DROP-like? Detected by SCRAP? ✔ aaawaawaaw ✔ awaaxaaaaw ✘ ✔ awaxaaaaaazaxaw ✘ ✔ awaxaayaazaaaazaxaw HPCA 2013

Pushdown Automata HPCA 2013

Simple Implementation Augment the stack of PDA with Secure Call Stack Save the PDA state for calls Restore for returns Modify for indirect jumps Commit throttling Only one stack operation for a commit window Negligible slowdown Simplifies the circuitry HPCA 2013

SCRAP Hardware HPCA 2013

False Positives for SCRAP CRAs Consecutive Gadgets 140 Shell-storm CRA exploits 6 5 4 3 2 SPEC 2006 benchmarks 1 5 6 7 8 9 10 11 12 13 Gadget Length HPCA 2013

Performance of SCRAP HPCA 2013

Conclusions Signature-based detection of CRAs is promising No source code, simple, low-overhead, effective Naïve approaches can be defeated Delay gadgets We presented SCRAP Simple hardware state machine, Protects unmodified legacy binaries, No changes to software layers, Small slowdown: 1% on average No false positives HPCA 2013

Thank you! Questions? HPCA 2013

Backup Slides HPCA 2013

Unintended Instructions Code Snippet from __libc_csu_init function 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 FF 8D BB 18 FF FF call <_init> lea edi, [ebx-e8h] lea eax, [ebx-e8h] sub, edi, eax FF 8D 83 18 FF FF FF 29 Unintended Code Snippet from __libc_csu_init function 08048488: FF 8D BB 18 FF FF 0804848E: FF 8D 83 18 FF FF 08048494: FF 29 dec [ebp-e745h] dec [ebp-e77dh] jmp [ecx] HPCA 2013

Gadget Length Long gadget means more intermediate instructions HPCA 2013

Two threshold SCRAP HPCA 2013

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.