CSE543 - Introduction to Computer and Network Security Module: - - PowerPoint PPT Presentation

cse543 introduction to computer and network security
SMART_READER_LITE
LIVE PREVIEW

CSE543 - Introduction to Computer and Network Security Module: - - PowerPoint PPT Presentation

Dec 14, 2022 159 likes •527 views

slide-1
SLIDE 1

฀฀฀฀ ฀

  • ฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

CSE543 - Introduction to Computer and Network Security Page

CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses

Professor Trent Jaeger

29

slide-2
SLIDE 2

CSE543 - Introduction to Computer and Network Security Page

Anatomy of Control-Flow Exploits

  • Two steps in control-flow exploitation
  • First -- attacker gets control of program flow (return

address)

  • Stack (buffer), heap, format string vulnerability
  • Second -- attacker uses control of program flow to

launch attacks

  • Code injection
  • Defense: NX, W (xor) X
  • return-to-libc
  • Defense: remove unwanted functions (e.g., system)
  • How to overcome these limitations???
  • Return-oriented programming

30

slide-3
SLIDE 3

CSE543 - Introduction to Computer and Network Security Page

Return-Oriented Programming

  • Arbitrary exploitation without code injection or

whole-function reuse (return-to-libc)

31

slide-4
SLIDE 4

CSE543 - Introduction to Computer and Network Security Page

Return-Oriented Programming

32

slide-5
SLIDE 5

CSE543 - Introduction to Computer and Network Security Page

ROP Thesis

33

slide-6
SLIDE 6

CSE543 - Introduction to Computer and Network Security Page

Return-to-libc

34

slide-7
SLIDE 7

CSE543 - Introduction to Computer and Network Security Page

ROP vs return-to-libc

35

slide-8
SLIDE 8

CSE543 - Introduction to Computer and Network Security Page

ROP Attacks

36

slide-9
SLIDE 9

CSE543 - Introduction to Computer and Network Security Page

Machine Instructions

37

slide-10
SLIDE 10

CSE543 - Introduction to Computer and Network Security Page

ROP Execution

38

slide-11
SLIDE 11

CSE543 - Introduction to Computer and Network Security Page

Building ROP Functionality

39

slide-12
SLIDE 12

CSE543 - Introduction to Computer and Network Security Page

Building ROP Functionality

40

slide-13
SLIDE 13

CSE543 - Introduction to Computer and Network Security Page

Building ROP Functionality

41

slide-14
SLIDE 14

CSE543 - Introduction to Computer and Network Security Page

Creating Programs

42

slide-15
SLIDE 15

CSE543 - Introduction to Computer and Network Security Page

Finding Gadgets

43

slide-16
SLIDE 16

CSE543 - Introduction to Computer and Network Security Page

ROP Conclusions

44

slide-17
SLIDE 17

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-18
SLIDE 18

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-19
SLIDE 19

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-20
SLIDE 20

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory 5 Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-21
SLIDE 21

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory 5 Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-22
SLIDE 22

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory 5 0x8048000 Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-23
SLIDE 23

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory 5 0x8048000 Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-24
SLIDE 24

ROP$Example

  • Use$ESP$as$program$counter

– E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code)

%eax$= %ebx$= 0x8048000$= Registers Memory 5 0x8048000 5 Code Stack

G1 5 jmp G2 Return Address

buf

0x8048000 jump G3

. . .

pop$%eax ret pop$%eax ret movl$%eax,$(%ebx) ret

slide-25
SLIDE 25

CSE543 - Introduction to Computer and Network Security Page

Advanced Defenses

  • Control-flow attack defenses operate at two stages
  • Prevent attacker from getting control
  • StackGuard, heap sanity checks, ASLR, shadow stacks, ...
  • Prevent attacker from using control for malice
  • NX, W (xor) X, ASLR, Control Flow Integrity (CFI), ...
  • For maximum security, a system should use a

combination of these defenses

  • Q. Is subverting control-flow the only goal of an attacker?

47

slide-26
SLIDE 26

CSE543 - Introduction to Computer and Network Security Page

  • Goal: Ensure that process control follows source code
  • Adversary can only choose authorized control-flow

sequences

  • Build a model from source code that describes control

flow

  • E.g., control-flow graph
  • Enforce the model on program execution
  • Instrument control-flow code
  • Jumps, calls, returns, ...
  • Challenges
  • Building accurate model
  • Efficient enforcement

Control-Flow Integrity

48

slide-27
SLIDE 27

49

Software Control Flow Integrity

Techniques, Proofs, & Security Applications

Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi

slide-28
SLIDE 28

50

Our Mechanism

FA FB return call fp Acall Acall+1 B1 Bret CFG excerpt

nop IMM1 if(*fp != nop IMM1) halt nop IMM2 if(**esp != nop IMM2) halt

NB: Need to ensure bit patterns for nops appear nowhere else in code memory

slide-29
SLIDE 29

51

More Complex CFGs

Maybe statically all we know is that FA can call any int int function FA FB call fp Acall B1 CFG excerpt C1 FC

nop IMM1 if(*fp != nop IMM1) halt nop IMM1

Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction

succ(Acall) = {B1, C1}

slide-30
SLIDE 30

52

Imprecise Return Information

Q: What if FB can return to many functions ? Bret Acall+1 CFG excerpt Dcall+1 FB FA return call FB FD call FB

nop IMM2 if(**esp != nop IMM2) halt nop IMM2

succ(Bret) = {Acall+1, Dcall+1}

CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). A: Imprecise CFG

slide-31
SLIDE 31

53

No “Zig-Zag” Imprecision

Acall B1 CFG excerpt C1 Ecall Solution I: Allow the imprecision Solution II: Duplicate code to remove zig-zags Acall B1 CFG excerpt C1A Ecall C1E

slide-32
SLIDE 32

CSE543 - Introduction to Computer and Network Security Page

  • Returns used as jumps
  • E.g., signal handling
  • Exceptions
  • Runtime generation of indirect jumps
  • E.g., dynamic shared libraries
  • Indirect jumps using arithmetic
  • perators
  • E.g., assembly
  • Take away: CFI is a principled approach

to stop control flow attacks, but challenges remain

More Challenges

54

slide-33
SLIDE 33

CSE543 - Introduction to Computer and Network Security Page

ASLR

  • For control-flow attacks, attacker needs

absolute addresses

  • Address-space Layout Randomization

(ASLR) randomizes base addresses of memory segments on each invocation

  • f the program
  • Attacker cannot predict absolute

addresses

  • Heap, stack, data, text, mmap, ...

55

Text Data Stack Heap

??? ??? ??? ???

slide-34
SLIDE 34

CSE543 - Introduction to Computer and Network Security Page

ASLR Implementations

  • Linux
  • Introduced in Linux 2.6.12 (June 2005)
  • Shacham et al. [2004]:16 bits of randomization defeated by a (remote)

brute force attack in minutes

  • Reality: ASLR for text segment (PIE) is rarely used
  • Only few programs in Linux use PIE
  • Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011]
  • Windows
  • Introduced from

Vista onwards (Jan 2007)

  • Reality: Only few programs opt in for ASLR
  • E.g., Oracle’s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or
  • ne of their libraries) are not marked ASLR-compatible
  • ASLR can be bypassed by information leaks about memory layout
  • E.g., format string vulnerabilities

56

slide-35
SLIDE 35

CSE543 - Introduction to Computer and Network Security Page

Conclusion

  • Defense against control-flow and data attacks is an
  • ngoing arms race
  • Principled approaches such as CFI and ASLR are

promising

  • Significantly raised bar for attackers
  • However, they have implementation limitations
  • Active area of research

57