Defending against Memory Corruption Vulnerabilities and Advanced - - PowerPoint PPT Presentation
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite
Despite knowledge of buffer overflows for over
This is partly due to the wide variety of exploit
Variety of targets: can exploit more than return
Variety of uses: can exploit on read and write Variety of exploits: can inject or reuse code Variety of workarounds: current defenses are
6
We can take countermeasures at different
before we even begin programming during development when testing when code is running Next we will discuss mostly two kinds Detection and mitigation at runtime Prevention during development
Prevention during compilation
AKA stack cookies Introduced in StackGuard in gcc A dummy (or random) value is written on the
A careless stack overflow will overwrite the
Assume sequential stack smashing
7
Overwrite the canary with the correct value If the range of the random value is small, just
Or perform a memory disclosure attack first
8
9
Big limitation: Disclosure attacks By performing a buffer “overread” Example is the famous Heartbleed attack against
Why is this a problem for Stackguard canaries?
char packet[10]; … // suppose len is adversary controlled strncpy(buf, packet, len); send(fd, buf, len);
Big limitation: Disclosure attacks By performing a buffer “overread” Example is the famous Heartbleed
Why is this a problem for
char packet[10]; … // suppose len is adversary controlled strncpy(buf, packet, len); send(fd, buf, len);
10
11
Big limitation: disclosure attacks By performing a buffer “overread” One may extract the canary values by reading
Which would enable the adversary to learn the
Sometimes no need to overwrite the return
Can overflow
Ultimately, an attacker only needs to hijack a
12
Assume no chance of overflowing the return address Can overflow the buffer so that the function pointer
Then the function call will call bar instead of foo
13
Use heap overflows to hijack a function
Hijacking global function pointers Function pointers in Global Offset Table
Used for dynamically linked functions
14
Can attack buffer located in global data may be located above program code if has function pointer and vulnerable buffer or adjacent process management tables aim to overwrite function pointer later called
/* global static data - targeted for attack */ struct chunk { char inp[64]; /* input buffer */ void (*process)(char *); /* ptr to function */ } chunk; void showlen(char *buf) { int len; len = strlen(buf); printf("buffer6 read %d chars\n", len); } int main(int argc, char *argv[]) { setbuf(stdin, NULL); chunk.process = showlen; printf("Enter value: "); gets(chunk.inp); chunk.process(chunk.inp); printf("buffer6 done\n"); }
example by Stallings
Can be thought of as extension of StackGuard Place guard pages between critical regions of
flagged in MMU as illegal addresses any access aborts process Can even place between stack frames and
at the cost of performance/memory overhead
Computer architectures follow a Von‐Neumann
Storing code as data This allows an attacker to inject code into stack or
A Harvard architecture is better for security Divide the virtual address space into a data region
The code region is readable (R) and executable (X) The data region is readable (R) and writable (W) No region is both writable and executable
execute it
DEP prevents code‐injection attacks AKA Nx‐bit (non executable bit), W ⊕ X DEP is now supported by most OSes and ISAs
Issue: some legit apps support executable
e.g., a JIT (Just‐In‐Time) compiler Runtime code generation need special provisions
Idea: reuse code in the program itself No need to inject code Return‐to‐libc: replace return address with the
attacker constructs suitable parameters on stack
function returns and library function executes
can even chain two library calls
Attack 1: changing f’s value to a libc system
Attack 2: chain two calls of libc functions
22
The difference is subtle, but significant In code injection, we wrote the address of
In code reuse, we can modify the return
In many attacks, a code reuse attack is used
Goal is to allow execution of stack memory There’s a system call for that
int mprotect(void *addr, size_t len, int prot);
Sets protection for region of memory starting
Invoke this system call to allow execution on
Return‐Oriented Programming (ROP) [Shacham et al], 2008 Arbitrary behavior without code injection Combine snippets of existing code (gadgets) A set of Turing‐complete gadgets and a way of
People have shown that in small programs (e.g.,
Use gadgets to
arithmetics; arbitrary
27
movl $0x006f6d2e,(%eax,%ebx) movl 0xd4(%ebp),%eax movl %eax,(%esp) calll 0x0008ba11 addl $0x1f,%eax andl $0xf0,%eax subl %eax,%esp leal 0x20(%esp),%edx movl %edx,0xb4(%ebp) jmp 0x0006d8b4 incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx cmpb $0x3a,%cl je 0x0006d8b1 testb %cl,%cl movl 0xb4(%ebp),%ebx jne 0x0006d8db movb $0x43,(%ebx) movb $0x00,0x01(%ebx) jmp 0x0006d90d movb %cl,(%ebx) incl %ebx incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx testb %cl,%cl setne %dl cmpb $0x3a,%cl setne %al testb %al,%dl jne 0x0006d8cf movb $0x00,(%ebx) cmpl $0x01,0x0008a780 jne 0x0006d90d movl 0xb4(%ebp),%edx movl $0x0000002f,0x04(%esp) movl %edx,(%esp) calll 0x0008b9e9 testl %eax,%eax jne 0x0006d8b4 movl 0xb4(%ebp),%esi movl $0x00000002,%ecx movl $0x0007e270,%edi cld repz/cmpsb (%esi),(%edi) movl $0x00000000,%eax je 0x0006d92e movzbl 0xff(%esi),%eax movzbl 0xff(%edi),%ecx subl %ecx,%eax testl %eax,%eax jel 0x0006da53 movl 0xb4(%ebp),%esi movl $0x00070bbb,%edi movl $0x00000006,%ecx repz/cmpsb (%esi),(%edi) movl $0x00000000,%edx je 0x0006d956 movzbl 0xff(%esi),%edx movzbl 0xff(%edi),%ecx subl %ecx,%edx testl %edx,%edx
ROP’s control stack (just data)
28
29
32
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5
34
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5
35
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5 0x8048000
36
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5 0x8048000
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5 0x8048000
37
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5 0x8048000
38
Code reuse attacks can be employed more
Termed “return‐oriented attacks”
%eax = %ebx = 0x8048000 = Registers Memory Code Stack
G1 5 jmp G2 Return Address
buf
0x8048000 jump G3 . . .
pop %eax ret pop %ebx ret movl %eax, (%ebx) ret
G2: G2 G3 G1: G3:
5 0x8048000 5
41
What can we do with return‐oriented
Anything any other program can do How do we know?
What can we do with return‐oriented
Anything any other program can do How do we know? Turing completeness A language is Turing complete if it has
Conditional branching Can change memory arbitrarily Both are possible in ROP
ROP works by changing the control flow of the
Control‐flow integrity (CFI) Take a vulnerable program and a pre‐
Insert checks into the program so that it stops
44
Exploits requires knowing code/data addresses E.g., the start address of a buffer E.g., the address of a library function Idea: introduce artificial diversity (randomization) Make addresses unpredictable for attackers Many ways of doing randomization Randomize location of the stack, location of key data
Randomly pad stack frames At compile time, randomize code generation for
45
Can be performed At compile time At link time Or at runtime (e.g., via dynamic binary
46
For a position‐independent executable (PIE),
The base address of the executable All libraries are PIE So their base addresses are randomized Main executables may not be PIE May not be protected by PIE A form of coarse‐grained randomization Only the base address is randomized Relative distances between memory objects are
47
Perform an exhaustive search, if the random
E.g., Linux provides 16‐bit of randomness
ASLR often defeated by memory disclosure E.g., if the attacker can read the value of a
48
Defenses Stack Guard DEP ASLR Advanced attacks Memory disclosure (e.g., via buffer overread) Code reuse
49