cse543 introduction to computer and network security

CSE543 - Introduction to Computer and Network Security Module: - PowerPoint PPT Presentation


  1. �������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 CSE543 - Introduction to Computer and Network Security Page

  2. Anatomy of Control-Flow Exploits • Two steps in control-flow exploitation • First -- attacker gets control of program flow (return address) Stack (buffer), heap, format string vulnerability ‣ • Second -- attacker uses control of program flow to launch attacks Code injection ‣ Defense: NX, W (xor) X • return-to-libc ‣ Defense: remove unwanted functions (e.g., system) • How to overcome these limitations??? ‣ Return-oriented programming • 30 CSE543 - Introduction to Computer and Network Security Page

  3. Return-Oriented Programming • Arbitrary exploitation without code injection or whole-function reuse (return-to-libc) 31 CSE543 - Introduction to Computer and Network Security Page

  4. Return-Oriented Programming 32 CSE543 - Introduction to Computer and Network Security Page

  5. ROP Thesis 33 CSE543 - Introduction to Computer and Network Security Page

  6. Return-to-libc 34 CSE543 - Introduction to Computer and Network Security Page

  7. ROP vs return-to-libc 35 CSE543 - Introduction to Computer and Network Security Page

  8. ROP Attacks 36 CSE543 - Introduction to Computer and Network Security Page

  9. Machine Instructions 37 CSE543 - Introduction to Computer and Network Security Page

  10. ROP Execution 38 CSE543 - Introduction to Computer and Network Security Page

  11. Building ROP Functionality 39 CSE543 - Introduction to Computer and Network Security Page

  12. Building ROP Functionality 40 CSE543 - Introduction to Computer and Network Security Page

  13. Building ROP Functionality 41 CSE543 - Introduction to Computer and Network Security Page

  14. Creating Programs 42 CSE543 - Introduction to Computer and Network Security Page

  15. Finding Gadgets 43 CSE543 - Introduction to Computer and Network Security Page

  16. ROP Conclusions 44 CSE543 - Introduction to Computer and Network Security Page

  17. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  18. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  19. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  20. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$=

  21. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$=

  22. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$= 0x8048000

  23. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$= 0x8048000

  24. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= 5 %ebx$= 0x8048000

  25. Advanced Defenses • Control-flow attack defenses operate at two stages Prevent attacker from getting control ‣ StackGuard, heap sanity checks, ASLR, shadow stacks, ... • Prevent attacker from using control for malice ‣ NX, W (xor) X, ASLR, Control Flow Integrity (CFI), ... • • For maximum security, a system should use a combination of these defenses • Q. Is subverting control-flow the only goal of an attacker? 47 CSE543 - Introduction to Computer and Network Security Page

  26. Control-Flow Integrity • Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow ‣ sequences • Build a model from source code that describes control flow E.g., control-flow graph ‣ • Enforce the model on program execution Instrument control-flow code ‣ Jumps, calls, returns, ... • • Challenges Building accurate model ‣ Efficient enforcement ‣ 48 CSE543 - Introduction to Computer and Network Security Page

  27. Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 49

  28. Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt if(**esp != nop IMM 2 ) halt call fp return nop IMM 2 CFG excerpt B 1 A call NB: Need to ensure bit patterns for nops B ret A call+1 appear nowhere else in code memory 50

  29. More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 51

  30. Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 CFG Integrity: F D if(**esp != nop IMM 2 ) halt Changes to the return PC are only to valid successor call F B PCs, per succ(). nop IMM 2 52

  31. No “Zig-Zag” Imprecision Solution I: Allow the imprecision Solution II: Duplicate code to remove zig-zags CFG excerpt CFG excerpt B 1 B 1 A call A call C 1 C 1A E call E call C 1E 53

  32. More Challenges • Returns used as jumps E.g., signal handling ‣ • Exceptions • Runtime generation of indirect jumps E.g., dynamic shared libraries ‣ • Indirect jumps using arithmetic operators E.g., assembly ‣ • Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 54 CSE543 - Introduction to Computer and Network Security Page

  33. ASLR • For control-flow attacks, attacker needs absolute addresses Stack ??? • Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program ‣ Attacker cannot predict absolute ??? Heap addresses • Heap, stack, data, text, mmap, ... ??? Data ??? Text 55 CSE543 - Introduction to Computer and Network Security Page

  34. ASLR Implementations Linux • Introduced in Linux 2.6.12 (June 2005) ‣ Shacham et al. [2004]:16 bits of randomization defeated by a (remote) ‣ brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used ‣ Only few programs in Linux use PIE • Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] • Windows • Introduced from Vista onwards (Jan 2007) ‣ Reality: Only few programs opt in for ASLR ‣ E.g., Oracle’s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or • one of their libraries) are not marked ASLR-compatible ASLR can be bypassed by information leaks about memory layout • E.g., format string vulnerabilities ‣ 56 CSE543 - Introduction to Computer and Network Security Page

  35. Conclusion • Defense against control-flow and data attacks is an ongoing arms race • Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers ‣ However, they have implementation limitations ‣ Active area of research ‣ 57 CSE543 - Introduction to Computer and Network Security Page

Recommend


More recommend