The problem - PowerPoint PPT Presentation

Slide 1
The problem
Address the problem of stopping determined attackers from exploiting our software
Interest in Control Flow Integrity (CFI)
Data execution prevention (DEP), stack smashing protection (SSP), address space layout randomization (ASLR)
Slide 2
Data execution prevention (DEP)
Hardware-enforced DEP
Marks all memory locations in a process as non-executable unless the location explicitly contains executable code (the NX bit)
Software-enforced DEP
Performs additional checks on exception handling mechanisms in Windows
Slide 3
Stack smashing protection (SSP)
Prevents changes to return addresses by:
detecting the change of the return address before the function returns
preventing the write to the return address
Checks that the canary word is intact before jumping to the return address
The return address is read-only (invariant) while the function is active
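Added illustration of the canary check described above; this is written for this page and is not code from the slides or from any SSP implementation. The stack frame is modelled as a struct so that the overflow stays inside memory the program owns, and the canary value and return address are constructed placeholders (real canaries are random per process).

```c
/* Added illustration (not from the slides): how a stack canary check
 * catches a return-address overwrite before the function returns.
 * The "frame" is modelled as a struct so the overflow stays inside
 * memory we own; real SSP places the canary between the locals and
 * the saved return address in the actual stack frame. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_VALUE 0x00BAD5EEDCAFE000ULL  /* constructed; real canaries are random */

struct frame {
    char      buf[16];     /* local buffer that an unchecked copy may overflow */
    uint64_t  canary;      /* guard word placed just above the locals */
    uint64_t  saved_ret;   /* modelled saved return address */
};

/* Prologue: store the canary before any local work happens. */
static void frame_enter(struct frame *f, uint64_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = ret;
}

/* An unchecked copy into the local buffer, modelling strcpy-style bugs.
 * Writing past buf[] clobbers the canary first and then saved_ret. */
static void frame_copy_unchecked(struct frame *f, const char *src, size_t len)
{
    memcpy((char *)f, src, len);   /* deliberately unbounded: the bug SSP is designed to catch */
}

/* Epilogue check: 1 if the canary is intact (safe to use saved_ret),
 * 0 if it was modified, in which case the program must abort instead of returning. */
static int frame_leave_ok(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Did the overwrite reach the return address slot? */
static int frame_ret_intact(const struct frame *f, uint64_t expected)
{
    return f->saved_ret == expected;
}

int main(void)
{
    struct frame f;
    char benign[8] = "hello";
    char overlong[32];
    memset(overlong, 'A', sizeof overlong);   /* constructed input, 16 bytes too long */

    frame_enter(&f, 0x401000);
    frame_copy_unchecked(&f, benign, sizeof benign);
    printf("benign copy: canary %s\n", frame_leave_ok(&f) ? "intact" : "smashed");

    frame_enter(&f, 0x401000);
    frame_copy_unchecked(&f, overlong, sizeof overlong);
    printf("overlong copy: canary %s, return address %s\n",
           frame_leave_ok(&f) ? "intact" : "smashed",
           frame_ret_intact(&f, 0x401000) ? "intact" : "overwritten");
    return 0;
}
```

The point the check relies on is ordering: any linear overflow that reaches the saved return address must pass through the canary first, so verifying the canary in the epilogue detects the overwrite before the corrupted address is ever used. It does not detect writes that skip the canary (for example through a corrupted pointer), which is one reason the later slides look at CFI rather than SSP alone.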
Slide 4
Address space layout randomization (ASLR)
Randomly arranges the positions of the base of the executable, the position of libraries, and the heap and stack
Attackers can only guess the layout by brute force
The program crashes on a wrong guess
Slide 5
Attacks
Guessing attacks
Brute force attacks
Information leakage
An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
Control flow hijacking
Return-to-libc, ROP, JOP
Slide 6
Contributions
Evaluate fast, state-of-the-art CFI techniques and show that they do not protect against advanced ROP exploits
Develop a methodology for performing code-reuse attacks against CFI-protected software
Demonstrate the chaining of gadgets using function calls to perform useful actions, i.e., call-oriented programming (COP)
Construct a working exploit for Internet Explorer 8 on Windows 7 with DEP and ASLR on, and assuming CCFIR is in place
Assess the availability of gadgets required to launch such attacks against other popular software on Windows 7, such as Internet Explorer 9, Acrobat Reader XI, the Microsoft Office 2013 suite of programs, and Firefox 24
Slide 7
Control flow integrity (Ideal CFI)
CFI thwarts control-hijacking attacks by keeping control flow within the control-flow graph (CFG)
Programs usually contain two types of control-flow transfers: direct and indirect
Every valid control-flow transfer target is assigned an ID, and checks are inserted before indirect control-flow instructions to ensure that only valid targets are allowed
Slide 8
Control flow integrity (Ideal CFI)
There are two major challenges for the adoption of CFI in its ideal form:
It requires a complete and precise CFG of the protected application in order to accurately identify all indirect transfer targets and assign IDs
It incurs a non-negligible performance overhead caused by the checks introduced before indirect control-flow instructions
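Added example of the ID-labelled check the two Ideal CFI slides describe; this is written for this page and is not code from the slides or from any CFI implementation. Each allowed indirect-call target carries a label derived from a (here hand-written) CFG table, and every indirect call site verifies the label of the address it is about to transfer to. The function names, labels and the "corrupted pointer" scenario are all constructed.

```c
/* Added illustration (not from the slides): the "ideal CFI" check in
 * miniature. Targets carry labels from a CFG-derived table, and the
 * instrumented indirect call refuses any target whose label does not
 * match the one expected at that call site. All names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Two kinds of call sites in the program: one expects arithmetic
 * handlers, the other expects validators. */
enum cfi_label { LABEL_NONE = 0, LABEL_ARITH = 0x11, LABEL_VALIDATE = 0x22 };

static int add_one(int x)     { return x + 1; }
static int times_two(int x)   { return x * 2; }
static int is_positive(int x) { return x > 0; }
/* Only ever called directly, so it is not a valid indirect-call target. */
static int privileged_reset(int x) { (void)x; return -1; }

/* The CFG-derived table: which entry points are legal targets of which sites. */
struct target_entry { handler_fn fn; enum cfi_label label; };
static const struct target_entry cfi_targets[] = {
    { add_one,     LABEL_ARITH },
    { times_two,   LABEL_ARITH },
    { is_positive, LABEL_VALIDATE },
    /* privileged_reset deliberately absent: it carries no label */
};

/* Label stamped on a target address, or LABEL_NONE if it is not an allowed entry. */
static enum cfi_label cfi_label_of(handler_fn fn)
{
    size_t i;
    for (i = 0; i < sizeof cfi_targets / sizeof cfi_targets[0]; i++)
        if (cfi_targets[i].fn == fn)
            return cfi_targets[i].label;
    return LABEL_NONE;
}

/* Instrumented indirect call: the check inserted before the transfer.
 * Returns 1 and stores the result on success; returns 0 and leaves *out
 * untouched when the target's label does not match the call site's. */
static int cfi_indirect_call(enum cfi_label expected, handler_fn fn, int arg, int *out)
{
    enum cfi_label actual = cfi_label_of(fn);
    if (actual != expected) {
        fprintf(stderr, "CFI violation: target label %d, expected %d\n", actual, expected);
        return 0;   /* a real implementation aborts the process here */
    }
    *out = fn(arg);
    return 1;
}

int main(void)
{
    int r;
    handler_fn corrupted = privileged_reset;   /* what an overwritten function pointer might hold */
    if (cfi_indirect_call(LABEL_ARITH, times_two, 21, &r))
        printf("times_two(21) = %d\n", r);
    if (!cfi_indirect_call(LABEL_ARITH, is_positive, 21, &r))
        printf("cross-site call blocked\n");
    if (!cfi_indirect_call(LABEL_ARITH, corrupted, 21, &r))
        printf("unlabelled target blocked\n");
    return 0;
}
```

The two challenges from the slide are visible in the code: the table has to be complete and precise (a missing entry breaks a legitimate call, a too-broad one admits targets the program never intended), and every indirect call pays for the lookup. Coarse-grained schemes such as the one discussed next reduce that cost by collapsing the labels to a few classes, which is exactly what leaves room for the gadgets the rest of the talk describes.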
Slide 9
Compact Control Flow Integrity and Randomization (CCFIR)
Distinguishes between calls and returns, and prevents unauthorized returns into sensitive functions
Directs indirect control transfers through a dedicated "springboard section" that encodes target restrictions via code alignment
Slide 10
CFI approaches
Slide 11
Gadgets in CFI
Two types of gadgets:
Call-site gadgets (CS)
Blocks of instructions right after a call instruction that terminate with a return instruction
Entry-point gadgets (EP)
Blocks of instructions starting at a function's entry point and ending with an indirect call or jump
Both begin at an allowable control-transfer target. They are large and may contain instructions unrelated to the ones performing the desired functionality.
Larger gadgets may include code branches within them. Generally we prioritize gadgets based on their size, examining smaller ones first.
Slide 12
Locating the Gadgets
Attacks proceed in two stages:
1. Learn information about the layout of the target application.
2. Use that information to locate the gadgets for the payload.
ASLR has become a key component in modern systems. CFI checking is performed for the three different supported target types.
Each springboard entry is 8 or 16 bytes long, and their location within the springboard is randomized at load time.
In CCFIR the attacker has to identify the location of the appropriate entries in the springboard.
Slide 13
Calling Functions
Options under CFI:
Through indirect calls: indirect call instructions are only allowed to jump to the entry of a function.
Calling through gadgets: look for gadgets that include an indirect or fixed function call in their body.
Slide 14
Linking Gadgets
We cannot link the gadgets available to us in arbitrary ways, since not all control flows are permitted.
Different ways to link the gadgets:
Transfer control to a CS gadget and set up the stack to chain multiple gadgets of the same type together.
If we receive control with a call instruction, we can only link EP gadgets.
Slide 15
Moving from EP to CS gadget linking, and from CS to EP gadget linking
Link a CS gadget to a CS-IC gadget, where we control the operand of an indirect call. Use that to redirect control to an EP gadget.
Gadget-used data: data that one of the gadget's instructions uses before the gadget sets it.
Slide 16
From Code Reuse to Code Injection
Goal is to link the gadgets and bypass DEP. Find a vulnerable function and put our injected code on the stack.
Gadget-set data: any data in registers or memory that are set by the gadget before exiting.
Calling a function in a gadget chain depends on our ability to set up its arguments on the stack.
Achieve this by linking available gadgets to move arguments from the controlled buffer to the appropriate registers or memory locations.
Slide 17
Proof-of-Concept Exploitation
System protected with CCFIR (strictest of the loose CFI frameworks)
Generic exploit, applicable to similar frameworks (bin-CFI)
Heap overflow in Internet Explorer gives control of an indirect jump.
The vulnerability is triggered by accessing the span and width attributes of a column, in an HTML table, through JavaScript.
Slide 18
<html>
<body>
<table style="table-layout:fixed">
<col id="132" width="41" span="1"></col>
</table>
<script>
function over_trigger() {
    var obj_col = document.getElementById("132");
    obj_col.width = "42765";
    obj_col.span = 1000;
}
setTimeout("over_trigger();", 1);
</script>
</body>
</html>
Overwrite a virtual function table (VFT) pointer in a button, leading to control of an indirect jump instruction.
Overwrite the size of a string object (add a reference to the object and manipulate its size, for memory disclosure).
Trigger it multiple times, as long as the process does not crash.
Slide 19
CCFIR replaces the function pointers in the binary with pointers to the function stubs.
Replaces indirect calls with direct jumps to the springboard.
Control flow is enforced by aligning the call and return stubs, and by checking that the function's address and the return address follow the alignment (emulating 2 IDs).
Only for non-sensitive functions. Returns from sensitive functions are omitted.
Slide 20
Gadgets Location in CCFIR
CCFIR checks indirect control-flow transfers through its springboard section (a special memory layout): the call function stub and the return address stub are placed in the springboard.
Slide 21
To Successfully Perform the Exploitation
Heap Feng Shui → positioning the vulnerable buffer, the string object and the button object in the right order in the heap.
1st buffer overflow: the string object's size property is overwritten to build the memory disclosure
2nd buffer overflow: the button object's VFT pointer is overwritten
Heap Spraying → injects multiple instances of a specially crafted buffer in memory.
Copies of the buffer are allocated at reliable addresses. One is written to the VFT pointer of the button. The buffer guides the chaining of gadgets, from the initial indirect transfer instruction to code injection.
Slide 22
Memory Disclosure
Constraints to bypass:
ASLR is used: need to find the base address of the modules of interest (DLLs containing the gadgets)
CCFIR springboard for indirect transfers: need to find the addresses of the function call and return stubs for the used gadgets. Otherwise, the CFI check fails.
Slide 23
Memory Disclosure
Find the base addresses of the gadget modules mshtml.dll and ieframe.dll
mshtml.dll: revealed by the VFT pointer within the button. The pointer is at a constant relative offset from the string object, and points to a constant known offset in mshtml.dll (base).
ieframe.dll: read the address of a function that is contained in ieframe.dll and imported in mshtml.dll. The button object is at a fixed relative distance from the string object; after learning the string's address, use the relative distance from the string to the imported address.
Slide 24
Memory Disclosure: CCFIR stubs
Have the base address of the 2 modules. Have the offsets for the EP and CS gadgets. CS gadgets have direct references to their stubs; the references can be resolved as the offsets are known.
EP offsets are known, but they do not reveal the stub address in the springboard.
EPs that have a stub in the springboard have a relocation entry in the code, which is altered by CCFIR to point to the stubs of the EP gadgets in the springboard.
Slide 25
Gadget Chaining
Phase 1: Converting the indirect jump to a return instruction.
The exploit grants us control of an indirect jump instruction.
In CCFIR, we can only use longjmp (a sensitive function).
Slide 26
Gadget Chaining
Phase 2: Stack pivoting to the stack hosting the ROP chain.
A pop instruction before the first controlled return. Then, a gadget points esp to the sprayed buffer.
Phase 3: Change memory permissions
Code-injection attack: overwrite the program's code with shellcode.
Make the code area writable with VirtualProtect (sensitive).
Overwrite the code area with shellcode, using memcpy.
Slide 27
Evaluation
We selected and analyzed six widely used applications (Win 7 x86):
Internet Explorer 9.0.20, Firefox 24.0, Adobe Reader XI 11.0.5, Microsoft Office Professional Plus 2013 suite: Word, Excel, PowerPoint
Dataset including applications and libraries consisted of 164 unique PE files
Gadget definitions usable under CFI: (EP/CS)-R, (EP/CS)-IC-R, (EP/CS)-F-R, (EP/CS)-IJ and (EP/CS)-IC
Slide 28
Distribution of gadget types
Different types of gadgets found in Internet Explorer 9
Gadgets with (w/) and without (w/o) branches
We count all paths from a particular CS or EP to an exit instruction.
The number of w/ gadgets is larger than w/o
Slide 29
Gadget Distribution
Number and types of w/o gadgets in various
applications.
Slide 30
Calling sensitive function
Number of gadgets with fixed calls to sensitive functions
(i.e. CS-F-R or EP-F-R)
Slide 31
Frequency of gadgets
Frequency of w/o and w/ branch gadgets in IE 9 based on their length (instruction count)
Slide 32
Possible Defenses
kBouncer (vulnerable defense)
Can potentially be bypassed by using CS-F-R or CS-IC-R
Tracking a shadow stack
Not trivial. Not every call instruction is matched by a ret
ROPDefender
Also uses a shadow stack. Aims to enforce a call-ret pairing policy
Control-Flow Locking (CFL)
Promising direction using locks to preserve CFG integrity
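Added example of the shadow-stack idea behind the "Tracking a shadow stack" and ROPDefender bullets; this is written for this page and is not code from the slides, from ROPDefender or from kBouncer. Each call pushes its return address to a separate stack that ordinary program data cannot reach, and each return compares the address it is about to use with the shadow copy. The call/ret traces and addresses below are constructed placeholders.

```c
/* Added illustration (not from the slides or from any named tool):
 * a shadow stack enforcing call-ret pairing. Instrumented calls push
 * the legitimate return address; instrumented rets compare the value
 * found on the regular stack with the shadow copy and refuse on
 * mismatch. A chain of returns to addresses no call ever pushed, which
 * is what a ROP payload looks like, is rejected at its first link. */
#include <stdint.h>
#include <stdio.h>

#define SHADOW_DEPTH 64

struct shadow_stack {
    uintptr_t ret[SHADOW_DEPTH];
    int top;
};

static void shadow_init(struct shadow_stack *s) { s->top = 0; }

/* Instrumented call: record the legitimate return address. Returns 0 if full. */
static int shadow_call(struct shadow_stack *s, uintptr_t ret_addr)
{
    if (s->top >= SHADOW_DEPTH) return 0;
    s->ret[s->top++] = ret_addr;
    return 1;
}

/* Instrumented ret: ret_addr is the value read from the (possibly corrupted)
 * regular stack. Returns 1 if it matches the shadow copy, 0 if there is no
 * matching call or the address differs. */
static int shadow_ret(struct shadow_stack *s, uintptr_t ret_addr)
{
    if (s->top == 0) return 0;                      /* ret without a call */
    if (s->ret[s->top - 1] != ret_addr) return 0;   /* return target tampered with */
    s->top--;
    return 1;
}

/* A control-flow event in a trace: kind 'C' for call, 'R' for ret. */
struct cf_event { char kind; uintptr_t addr; };

/* Replay a trace of events and return the index of the first violation, or -1. */
static int shadow_check_trace(const struct cf_event *ev, int n)
{
    struct shadow_stack s;
    int i;
    shadow_init(&s);
    for (i = 0; i < n; i++) {
        int ok = (ev[i].kind == 'C') ? shadow_call(&s, ev[i].addr)
                                     : shadow_ret(&s, ev[i].addr);
        if (!ok) return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed traces. Benign: nested calls returning in LIFO order. */
    const struct cf_event benign[] = {
        {'C', 0x401010}, {'C', 0x402020}, {'R', 0x402020}, {'R', 0x401010}
    };
    /* Hijacked: the last return uses an address no call ever pushed. */
    const struct cf_event hijacked[] = {
        {'C', 0x401010}, {'C', 0x402020}, {'R', 0x402020}, {'R', 0x7c8011ff}
    };
    printf("benign trace: first violation at %d\n", shadow_check_trace(benign, 4));
    printf("hijacked trace: first violation at %d\n", shadow_check_trace(hijacked, 4));
    return 0;
}
```

The slide's caveat shows up directly in this model: anything that legitimately unwinds or skips frames (longjmp, exception handling, tail calls) produces rets that do not pair with the most recent call and would be reported as violations, so a deployable shadow stack has to recognise those cases rather than treat every mismatch as an attack.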
Slide 33
Conclusion
Examined the security implications of CCFIR. Bypass ASLR with memory leakage. ROP for bypassing DEP. VirtualProtect for shellcode injection.