

SLIDE 1

Fine-Grained Control-Flow Integrity through Binary Hardening

Mathias Payer, Antonio Barresi, Thomas R. Gross

ETH Zürich

SLIDE 2

FFmpeg and a thousand fixes

http://j00ru.vexillium.org/?p=2211 (Jan 10, 2014)

2 person-years & fuzzing on a large cluster: >1,000 bugs found and fixed

SLIDE 3

Software is unsafe and insecure

  • Low-level languages (C/C++) trade type safety and memory safety for performance
    – Programmer responsible for all checks
  • Large set of legacy and new applications written in C/C++ prone to memory bugs
  • Too many bugs to find and fix manually
    – Protect integrity through a safe runtime system

SLIDE 4

SLIDE 5

Code Reuse Attacks

SLIDE 6

Attack scenario: code reuse

  • Find addresses of gadgets
  • Force memory corruption to set up attack
  • Leverage gadgets for code-reuse attack

[Figure: code, heap and stack of the attacked process]

SLIDE 7

Control-flow hijack attack

[Figure: control-flow graph with the valid path 1, 2, 3, 4 and the hijacked transfer 4']

  • Attacker modifies code pointer
    – Function return
    – Indirect jump
    – Indirect call
  • Control-flow leaves valid graph
  • Reuse existing code
    – Return-oriented programming
    – Jump-oriented programming

SLIDE 8

Control-Flow Integrity

SLIDE 9

Control-Flow Integrity (CFI)

  • CFI enforces that each dynamic indirect control-flow transfer must target a statically determined set of locations
  • Three sources of indirect transfers
    – Indirect jump
    – Indirect call
    – Function returns

SLIDE 10

Control-Flow Integrity (CFI)

  • Statically construct Control-Flow Graph
    – Find set of allowed targets for each location
  • Online set check

[Figure: code containing the indirect transfers jmpl *%eax, call *(0xb) and call *(0xc), each checked at run time against its set of allowed target addresses]

SLIDE 11

Control-Flow Integrity (CFI)

  • Statically construct Control-Flow Graph
    – Find set of allowed targets for each location
  • Online set check

[Figure: same as slide 10]

Attacker may write to memory; code pointers are verified when used.

SLIDE 12

Fine-grained CFI for binaries

  • Fine-grained CFI relies on source code
  • Coarse-grained CFI is imprecise
  • Goal: enforce fine-grained CFI for binaries
    – Support legacy, binary code
    – Support modularity (libraries)
    – Leverage precise, dynamic analysis
    – Low performance overhead

SLIDE 13

Lockdown design

[Figure: Lockdown design. The kernel sits below the system call interface. In user space, the Lockdown domain contains the loader (loads the ELF files /bin/<exe>, libc.so.6 and lib*), the binary translator (translate()), the CFT verifier with run-time ICT validation, and the shadow stacks. The application domain holds the read-only original code (main(), printf(), func*()) and the readable + executable code cache with the translated copies main', func1', func2', ..., printf'.]

SLIDE 14

Dynamic CFI analysis

  • Leverage program's modularity through loader

[Figure: the loader's view of three ELF DSOs with their imported and exported symbols and .text sections: /bin/<exec> (imports puts, scanf, ...; defines funcA, funcB, ...), /lib/libc.so.6 (imports _dl*, ...; exports puts, scanf, mprotect, ...) and /lib/lib* (exports ifunc*, ...). The .text of /bin/<exec> contains a direct "call puts" and an indirect "lea fptr, %eax; call *%eax"; the legend distinguishes allowed from illegal control-flow transfers between the symbol table of an ELF DSO and the .text section of a DSO.]

SLIDE 15

Dynamic CFI analysis

  • Leverage program's modularity through loader

[Figure: same as slide 14]

Modularity increases precision. No source needed. Leverage context of transfers.

SLIDE 16

Lockdown CFI rules

  • Return instructions must return to the caller
    – Precise due to shadow stack
  • Call instructions must target valid functions
    – Imported in the current module (context)
  • Jump instructions must target valid instructions inside the current symbol (or functions)
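The call rule above, as an added example that is not code from the Lockdown project or the slides: a constructed model of the modules from the "dynamic CFI analysis" figure (symbol names from the slide, addresses made up, the binary written as /bin/exec, and libc's own imports omitted) in which an indirect call from a module may only land on a function entry that the module defines itself or imports by name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the DSOs in the "dynamic CFI analysis" figure: the
   symbol names are from the slide, the addresses are made up for this example. */
typedef struct { const char *name; unsigned long addr; } symbol;
typedef struct {
    const char *path;
    const symbol *defined;        /* functions in this DSO's own .text */
    size_t ndefined;
    const char *const *imported;  /* symbol names the loader resolved for it */
    size_t nimported;
} module;

static const symbol exec_syms[] = { { "main", 0x1000 }, { "funcA", 0x1100 }, { "funcB", 0x1200 } };
static const char *const exec_imports[] = { "puts", "scanf" };
static const symbol libc_syms[] = { { "puts", 0x7000 }, { "scanf", 0x7100 }, { "mprotect", 0x7200 } };

static const module modules[] = {
    { "/bin/exec", exec_syms, 3, exec_imports, 2 },
    { "/lib/libc.so.6", libc_syms, 3, NULL, 0 },  /* libc's own imports left out of the model */
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Lockdown call rule: an indirect call issued from module ctx may only land on a
   function entry that ctx either defines itself or imports by name. */
static bool call_ok(const module *ctx, unsigned long target) {
    for (size_t m = 0; m < NMODULES; m++) {
        for (size_t s = 0; s < modules[m].ndefined; s++) {
            const symbol *sym = &modules[m].defined[s];
            if (sym->addr != target) continue;
            if (&modules[m] == ctx) return true;      /* local function of ctx */
            for (size_t i = 0; i < ctx->nimported; i++)
                if (strcmp(ctx->imported[i], sym->name) == 0) return true;
            return false; /* a real function, but outside ctx's import context */
        }
    }
    return false; /* not a function entry anywhere, e.g. a mid-function gadget */
}

/* Look a module up by path so the checks read like the figure. */
static const module *module_by_path(const char *path) {
    for (size_t m = 0; m < NMODULES; m++)
        if (strcmp(modules[m].path, path) == 0) return &modules[m];
    return NULL;
}
```

With this model, /bin/exec may call puts (imported) and funcA (local) but not mprotect, which only libc itself may reach; an address that is not a function entry is rejected for every module.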

SLIDE 17

Performance: Apache 2.2

    Configuration               Small file   Image   Combined
    Single threaded             30.41%       1.94%   7.87%
    Concurrent                  6.27%        1.09%   1.83%
    Concurrent with keep-alive  15.80%       3.00%   4.36%

  • 15,000,000 requests
  • 56 kB HTML file, 1054 kB image
  • Apache 2.2 runs under default configuration
SLIDE 18

Security evaluation

  • CVE 2013-2028 compromises nginx
    – Both ROP (ret) and COP (icall) exploitation possible

                  Length   RET        CALL/JMP/SYS
    ROP attack    30       7
    COP attack    30       0 (487*)   99

* reachable, but protected by shadow stack

SLIDE 19

Necessity of shadow stack

  • Defenses without stack integrity are broken
    – Loop through two calls to the same function
    – Choose any caller as return location
  • Lockdown enforces a protected shadow stack
    – Attacker restricted to arbitrary targets on the stack
    – Each target can only be called once, in sequence
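The two-callers-of-one-function problem above, as an added example that is not code from the Lockdown project or the slides: a constructed C model that replays a control-flow trace under a coarse "return to any call-preceded address" policy and under the shadow-stack rule of slide 16. All addresses and traces are made up; the policies are simplified to what this slide discusses.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of a tiny program; the addresses are made up for this example. */
enum {
    RET_SITE_1 = 0x105, /* address after the first  "call funcA" in main */
    RET_SITE_2 = 0x115, /* address after the second "call funcA" in main */
    FUNC_A     = 0x200  /* entry of funcA, the only valid call target here */
};
typedef enum { XFER_CALL, XFER_RET } xfer_kind;
typedef struct {
    xfer_kind kind;
    unsigned long target;   /* call: callee entry; ret: address returned to */
    unsigned long ret_addr; /* call only: where the callee is expected to return */
} xfer;
/* Coarse-grained policy: a call must hit a function entry, and a return may
   hit any address that follows some call instruction ("call-preceded" check). */
static bool coarse_ok(const xfer *x) {
    if (x->kind == XFER_CALL) return x->target == FUNC_A;
    return x->target == RET_SITE_1 || x->target == RET_SITE_2;
}
/* Lockdown-style policy: same call rule, but each return is matched against a
   shadow stack that records the actual caller of every active invocation. */
#define MAX_DEPTH 16
typedef struct { unsigned long slots[MAX_DEPTH]; size_t depth; } shadow_stack;
static bool shadow_ok(shadow_stack *ss, const xfer *x) {
    if (x->kind == XFER_CALL) {
        if (x->target != FUNC_A || ss->depth == MAX_DEPTH) return false;
        ss->slots[ss->depth++] = x->ret_addr; /* remember the real caller */
        return true;
    }
    /* A return is valid only to the most recent unmatched caller, and only once. */
    return ss->depth > 0 && ss->slots[--ss->depth] == x->target;
}
/* Replay a trace under one policy: index of the first rejected transfer, or -1. */
static int first_violation(const xfer *trace, size_t n, bool use_shadow) {
    shadow_stack ss = { {0}, 0 };
    for (size_t i = 0; i < n; i++)
        if (!(use_shadow ? shadow_ok(&ss, &trace[i]) : coarse_ok(&trace[i])))
            return (int)i;
    return -1;
}
/* Constructed traces. Benign: main calls funcA twice, each returning to its caller.
   Attack (this slide): the first invocation's return address is overwritten with
   the other call site of the same function, a caller that never made this call. */
static const xfer benign[] = {
    { XFER_CALL, FUNC_A, RET_SITE_1 }, { XFER_RET, RET_SITE_1, 0 },
    { XFER_CALL, FUNC_A, RET_SITE_2 }, { XFER_RET, RET_SITE_2, 0 } };
static const xfer wrong_caller[] = {
    { XFER_CALL, FUNC_A, RET_SITE_1 }, { XFER_RET, RET_SITE_2, 0 } };
```

The coarse policy accepts both traces because RET_SITE_2 is a legitimate return site somewhere in the program; the shadow stack rejects the second transfer of wrong_caller because the only outstanding return address is RET_SITE_1.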

SLIDE 20

Conclusion

SLIDE 21

Conclusion

  • Protect in the presence of bugs
  • Supports legacy and binary code
  • Control-flow hijack protection
    – Shadow stack, dynamic CFI, and locality
    – System call policy as secondary protection
  • Reasonably low overhead

SLIDE 22

Thank you! Questions?

Mathias Payer, Antonio Barresi, Thomas R. Gross

SLIDE 23

Performance: SPEC CPU2006

[Figure: bar chart of the performance overhead (%) on SPEC CPU2006, comparing BT and Lockdown; y-axis from 20 to 160]