Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.

Published byDomenic Reynolds Modified over 8 years ago

Similar presentations

Presentation on theme: "Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer."— Presentation transcript:

1 Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer Sciences Department University of Wisconsin ESSoS 2014 Munich, Germany February 27, 2014

2 Attack goal: effect some malicious intent by hijacking program control flow Historically, accomplished via code injection Threat Model Detecting Code Reuse Attacks with a Model of Conformant Program Execution heap entry point code process address space stack injected shellcode 2

3 W X prevents code injection So, code cannot be executed from the stack or heap Alternative: construct an exploit using code that already exists within the program’s address space Threat Model code reuse attacks Detecting Code Reuse Attacks with a Model of Conformant Program Execution heap entry point code process address space stack injected shellcode 3

4 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 Anatomy of a Code Reuse Attack xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Usually a short attack with the goal of escaping the confining W X environment exec(“/bin/sh”) code Detecting Code Reuse Attacks with a Model of Conformant Program Execution Example based on exploit presented in Bletsch et al. 2011 4 indirect jump instructions  “jump-oriented programming” (JOP)

5 Anatomy of a Code Reuse Attack Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Detecting Code Reuse Attacks with a Model of Conformant Program Execution 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx Usually a short attack with the goal of escaping the confining W X environment exec(“/bin/sh”) Example based on exploit presented in Bletsch et al. 2011 5

6 Existing Defenses Against Code Reuse Attacks Detecting Code Reuse Attacks with a Model of Conformant Program Execution Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Making gadget discovery difficult: ASLR software diversification removal of useful instruction sequences [Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013] Make discovery difficult, not impossible Detecting control flow manipulations: shadow stack matched call/return pairs [Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013] Defeated by JOP Enforcing control flow integrity: [Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013] Require binary rewriting of all code 6

7 Our Approach Define security policy based on well-defined behaviors of the program binary Does not rely on behavior of known attacks Use static analysis of binary to extract the model Does not require learning phase or expert knowledge Enforce expected behavior Protects against new exploit variations Detecting Code Reuse Attacks with a Model of Conformant Program Execution 7

8 Our Approach Define conformant program execution (CPE) as a set of requirements on program states Valid program counter Valid callstack Enforce CPE by monitoring program at runtime Monitor is protected from being exploited because it’s in a separate process Detecting Code Reuse Attacks with a Model of Conformant Program Execution 8

9 Model Component #1 Valid program counter (PC): PC must point to a valid instruction in the original program Detecting Code Reuse Attacks with a Model of Conformant Program Execution b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret 0xb7fe3424 PC CFG 9

10 Model Component #2 Detecting Code Reuse Attacks with a Model of Conformant Program Execution Valid callstack: For each frame: 1.frame must have valid stack frame height 2.(caller  current frame) must represent a valid control flow transfer in the program stack pointer callstack CFG expected stack frame push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret pop %ebp pop %edx pop %ecx ret pop %ebp pop %edx pop %ecx ret invalid return address valid control flow transfer? 10

11 Program Validation Design decision: when do we validate? Option 1: At all instructions “Conformant program execution” Disadvantage: inefficient Option 2: At system calls “Observed conformant program execution”(OCPE) Effective because attacks must use the system call interface to modify overall machine state Disadvantage: relies on attack being observable at system calls Detecting Code Reuse Attacks with a Model of Conformant Program Execution 11

12 ROPStop Implementation Detecting Code Reuse Attacks with a Model of Conformant Program Execution Operating System running process (monitored application) running process (monitored application) system calls intercept via ptrace binary running process ROPStop 1.Attach to running process or launch new process from binary 2.Parse program binary 3.Register callbacks at system calls 4.Continue process At each system call: 1.Validate current program counter 2.Perform robust stackwalk and validate the current callstack or 12

13 Accuracy Evaluation Overhead False negatives? False positives? Detecting Code Reuse Attacks with a Model of Conformant Program Execution 13

14 Results: Real Code Reuse Attacks 100% accuracy using real ROP and JOP exploits Detecting Code Reuse Attacks with a Model of Conformant Program Execution 14

15 Results: Real Code Reuse Attacks Detecting Code Reuse Attacks with a Model of Conformant Program Execution CFG push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret pop %ebp pop %edx pop %ecx ret pop %ebp pop %edx pop %ecx ret stack pointer callstack expected stack frame invalid return address 15

16 Results: SPEC CPU2006 100% accuracy (0 false positives), 5.3% overhead (geometric mean) Detecting Code Reuse Attacks with a Model of Conformant Program Execution 16

17 Results: SPEC CPU2006 Where does the overhead come from? PC validity Callstack validity Monitor context switching (~frequency of system calls) Detecting Code Reuse Attacks with a Model of Conformant Program Execution 241.5 system calls/ second 2.0 system calls/ second 17

18 Results: Apache HTTP Server 100% accuracy (0 false positives), 6.3% overhead (geometric mean) Detecting Code Reuse Attacks with a Model of Conformant Program Execution 18

19 Open Questions Data-driven attacks (orthogonal type of attack) [Chen et al. 2005] [Demay et al. 2011] Exploits that modify program data (e.g., system call arguments) to effect an attack May not have visible effects on the program states we monitor Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006] [Wagner and Soto 2002] Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place Are designed to have no visible effects on the program states we monitor Detecting Code Reuse Attacks with a Model of Conformant Program Execution 19

20 Conclusion Approach for detecting code reuse attacks We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution We built a tool to enforce OCPE, ROPStop Detecting Code Reuse Attacks with a Model of Conformant Program Execution 20

21 Questions? jacobson@cs.wisc.edu www.paradyn.org Detecting Code Reuse Attacks with a Model of Conformant Program Execution 21

22 Overhead breakdown Benchmark System call rate (calls/second)% Overhead Imposed% Instruction Validity% Callstack Validity% Context Switching perlbench167.89.60.250.749.1 bzip220.8043.856.2 bwaves3.31.4031.768.2 gamess29.52.40.15940.9 mcf3.41.9051.448.5 milc25.55.70.123.576.4 zeusmp0.20.7054.245.7 gromacs1.50.6045.154.9 cactusADM7.610.15247.9 leslie3d31.49.20.114.285.7 namd3.10.9061.638.4 gobmk142.20.143.656.4 soplex241.518.10.250.849.1 povray156.218.10.153.346.6 hmmer18.62.60.138.861.1 sjeng4.81.3040.559.5 GemsFDTD88.77.30.240.959 libquantum0.30.7050.249.8 h264ref5.11.3028.971 tonto119.619.10.141.258.7 lbm1.43.4015.584.5 omnetpp3.78.8012.787.3 astar7.21.30.156.743.3 wrf53.215.7013.486.6 sphinx318.62.40.138.161.8 22

Download ppt "Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin

Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Similar presentations

Ads by Google