How to Make ASLR Win the Clone Wars: Runtime Re-Randomization - - PowerPoint PPT Presentation

how to make aslr win the clone wars runtime re
SMART_READER_LITE
LIVE PREVIEW

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization - - PowerPoint PPT Presentation

Jan 06, 2024 379 likes •839 views

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

slide-1
SLIDE 1

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization

Kangjie Lu, Stefan Nürnberger, Michael Backes, and Wenke Lee

Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI

RuntimeASLR 1

slide-2
SLIDE 2

What did we do?

RuntimeASLR 2

  • We re-randomize the memory layout of the

cloned (i.e., forked) processes at runtime

Parent Child fork() code data code data

slide-3
SLIDE 3

In this talk, I will explain…

  • Why we need to re-randomize cloned processes?

– To prevent clone-probing attacks

  • How to re-randomize them?

– A semantic-preserving and runtime-based approach

  • What are the results?

– Defeated clone-probing, e.g., Blind ROP attack – No performance overhead to cloned processes

RuntimeASLR 3

slide-4
SLIDE 4

Background - ASLR

  • Address Space Layout Randomization (ASLR)

– Mitigating code reuses attacks, privilege escalation, and information leaks

RuntimeASLR 4

code data Run 1 code data Run 2 code data Run 3

slide-5
SLIDE 5

Background - ASLR

  • Address Space Layout Randomization (ASLR)

– Mitigating code reuses attacks, privilege escalation, and information leaks – One time, per-process, load-time

RuntimeASLR 5

code data Run 1 code data Run 2 code data Run 3

slide-6
SLIDE 6

Background – Daemon Servers

  • Web services are powered by daemon servers,

e.g., Nginx web server

RuntimeASLR 6

slide-7
SLIDE 7

Designs of Daemon Server

RuntimeASLR 7

Master code data Worker code data Worker code data Worker code data Worker processes (with same layout) fork() fork() fork() HTTP/HTTPS HTTP/HTTPS HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests Daemon process

slide-8
SLIDE 8

Designs of Daemon Server

RuntimeASLR 8

code data Worker code data Worker code data Worker code data Worker processes (with same layout) fork() fork() fork() HTTP/HTTPS HTTP/HTTPS HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests 2) The daemon will re-fork a new worker process if it crashes, to be robust Master Daemon process

slide-9
SLIDE 9

Designs of Daemon Server

RuntimeASLR 9

code data Worker code data Worker code data Worker code data Worker processes (with same layout) fork() fork() fork() HTTP/HTTPS HTTP/HTTPS HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests 2) The daemon will re-fork a new worker process if it crashes, to be robust Master Daemon process

All forked worker processes share the same memory layout as the daemon process

slide-10
SLIDE 10

When ASLR meets daemon servers…

RuntimeASLR 10

slide-11
SLIDE 11

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

RuntimeASLR 11

return address 12 34 56 78 9a bc ed f0 buffer Stack in remote server

slide-12
SLIDE 12

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

RuntimeASLR 12

return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 buffer Stack in remote server Attack payload Crash, try another one

slide-13
SLIDE 13

RuntimeASLR 13

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 AAAAAAA 01 34 56 78 9a bc ed f0 buffer Stack in remote server Attack payload Crash, try another one Crash, try another one

slide-14
SLIDE 14

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

RuntimeASLR 14

… return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 AAAAAAA 01 34 56 78 9a bc ed f0 AAAAAAA 12 34 56 78 9a bc ed f0 buffer … Stack in remote server Attack payload Crash, try another one Crash, try another one Bingo, continue to guess next byte

slide-15
SLIDE 15

Clone-Probing Attack

RuntimeASLR 15

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

… return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 AAAAAAA 01 34 56 78 9a bc ed f0 AAAAAAA 12 34 56 78 9a bc ed f0 buffer … Stack in remote server Attack payload Crash, try another one Crash, try another one Bingo, continue to guess next byte … … AAAAAAA 12 00 56 78 9a bc ed f0 …

slide-16
SLIDE 16

RuntimeASLR 16

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

… return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 AAAAAAA 01 34 56 78 9a bc ed f0 AAAAAAA 12 34 56 78 9a bc ed f0 buffer … Stack in remote server Attack payload Crash, try another one Crash, try another one Bingo, continue to guess next byte … … AAAAAAA 12 00 56 78 9a bc ed f0 … … … AAAAAAA 12 34 56 78 9a bc ed f0 Finally, get all bytes

slide-17
SLIDE 17

RuntimeASLR 17

Clone-Probing Attack

  • Attack goal: guess the randomized address

(e.g., return address), say a web server with a stack buffer overflow vulnerability

… return address 12 34 56 78 9a bc ed f0 AAAAAAA 00 34 56 78 9a bc ed f0 AAAAAAA 01 34 56 78 9a bc ed f0 AAAAAAA 12 34 56 78 9a bc ed f0 buffer … Stack in remote server Attack payload Crash, try another one Crash, try another one Bingo, continue to guess next byte … … AAAAAAA 12 00 56 78 9a bc ed f0 … … … AAAAAAA 12 34 56 78 9a bc ed f0 Finally, get all bytes

Brute-forcing complexity is reduced from 264 to 8*28 (From thousands of years to 2 minutes J)

slide-18
SLIDE 18

This Attack is Critical!

RuntimeASLR 18

A simple buffer overflowà bypass ASLR (two minutes)à control daemon server L

slide-19
SLIDE 19

Preventing clone-probing with RuntimeASLR

Solution: re-randomizing the memory layout of cloned processes

RuntimeASLR 19

slide-20
SLIDE 20

Challenge

  • Remapping memory à dangling pointers
  • How to track all pointers on the fly and update

them?

– Accuracy – Efficiency

RuntimeASLR 20

slide-21
SLIDE 21

Pointer Tracking Problem

  • Treat it as a taint tracking problem

RuntimeASLR 21

Source pointers Pointer tracking policy All tracked pointers

slide-22
SLIDE 22

Source Pointers

  • Kernel routinely loads program

– Easy to find source pointers

  • Only in stack and registers

RuntimeASLR 22

Source pointers Pointer tracking policy All tracked pointers

slide-23
SLIDE 23

Pointer Tracking Policy

RuntimeASLR 23

Source pointers Pointer tracking policy All tracked pointers

slide-24
SLIDE 24

Pointer Tracking Policy

  • Read 1,513- pages Intel ISA manual and

manually define them??

RuntimeASLR 24

Source pointers Pointer tracking policy All tracked pointers

slide-25
SLIDE 25

Automatic Tracking Policy Generation

  • Automatically identifying instructions

behaviors

  • This way, we know if it generates or destroys

some “values”

RuntimeASLR 25

instruction

Execution Process status Process status snapshot Memory and registers snapshot Instruction behaviors compare

slide-26
SLIDE 26

How to Determine a Pointer?

  • Without type info, how do we know if a value

is a pointer?

  • Example: mov rdi, rsp

– Before: rsp=0xcafebabe, and know it is a pointer – After: rdi=0xcafebabe, memory is unchanged – How to know if rdi is a pointer?

RuntimeASLR 26

slide-27
SLIDE 27

Multi-Run Pointer Verification

  • Observation: rdi is likely a pointer if it points to

mapped memory on 64-bits platform, why?

  • Run program n times with ASLR, if rdi always

points to mapped memory, rdi is more and more likely a pointer

– Mapping n runs with instruction execution sequence

RuntimeASLR

rdi Multi-runs with ASLR-enabled … Run 1 Run 2 Run n

slide-28
SLIDE 28

Accuracy of Multi-Run Verification

  • Assume size of mapped memory is b bytes,

run n times on 64-bits platform, false positive rate for one value is:

RuntimeASLR 28

b 2-64 n

b 264

264 b n Pfpr . .

slide-29
SLIDE 29

Accuracy of Multi-Run Verification

  • Assume size of mapped memory is b bytes,

run n times on 64-bits platform, false positive rate for one value is:

  • Say b is 22MB (Nginx) and run 2 times. This

will result in FPR=2−103

RuntimeASLR 29

b 2-64 n

b 264

264 b n Pfpr . .

slide-30
SLIDE 30

Export Policy

  • Given mov reg1, reg2

– if reg2 is a 64-bits register and tainted (i.e., a pointer) à taint reg1 after execution

RuntimeASLR 30

slide-31
SLIDE 31

Track All Pointers

RuntimeASLR 31

Source pointers Pointer tracking policy All tracked pointers

slide-32
SLIDE 32

Implementation

  • Intel’s PIN—a dynamic instrumentation tool
  • Three modules
  • Source code

– Coming soon

RuntimeASLR 32

Policy generator (pintool) Pointer tracker (pintool)

Randomizer (shared lib)

slide-33
SLIDE 33

Evaluation

  • Correctness

– Applied to Nginx web server – Memory snapshot analysis to find all pointers – RuntimeASLR correctly finds all pointers

RuntimeASLR 33

slide-34
SLIDE 34

Evaluation

  • Security

– Blind ROP is a clone-probing attack – Addresses of all modules are re-randomized – RuntimeASLR successfully defeats it

RuntimeASLR 34

Without RuntimeASLR With RuntimeASLR

slide-35
SLIDE 35

Evaluation

  • Performance

– Pointer tracking is extremely expensive: >10,000 times

  • n SPEC CPU2006
  • One time overhead at startup; 35 seconds for Nginx

– However, no overhead on cloned worker processes

RuntimeASLR 35

slide-36
SLIDE 36

Discussions and Limitations

  • Ambiguous policy
  • Completeness of tracking policy
  • Applicability for general programs
  • Supporting pointer obfuscation

RuntimeASLR 36

slide-37
SLIDE 37

Demo

  • Defeat Blind ROP attack with RuntimeASLR

RuntimeASLR 37

slide-38
SLIDE 38

Recap

  • Clone-probing attacks à bypass ASLR à control

daemon server or steal sensitive data

  • We proposed RuntimeASLR to defeat clone-probing

attacks

– Automatic pointer tracking policy generation – Support COTS binaries, no system modifications – No overhead to cloned worker processes (after fork())

RuntimeASLR 38

slide-39
SLIDE 39

Recap

  • Clone-probing attacks à bypass ASLR à control

daemon server or steal sensitive data

  • We proposed RuntimeASLR to defeat clone-probing

attacks

– Automatic pointer tracking policy generation – Support COTS binaries, no system modifications – No overhead to cloned worker processes (after fork())

RuntimeASLR 39

slide-40
SLIDE 40

Backup slides

RuntimeASLR 40

slide-41
SLIDE 41

Pointer Tracking Approaches

  • Compiler-based instrumentation

– Pros: type info, efficient in tracking – Cons: type-confusion, hard to decouple instrumentation, require source

  • Dynamic instrumentation

– Pros: easy to decouple instrumentation, support COTS – Cons: lack of type info, tracking is expensive

RuntimeASLR 41

slide-42
SLIDE 42

Pointer Tracking Approaches

  • Compiler-based instrumentation

– Pros: type info, efficient in tracking – Cons: type-confusion, hard to decouple instrumentation, require source

  • Dynamic instrumentation

– Pros: easy to decouple instrumentation, support COTS – Cons: lack of type info, tracking is expensive

RuntimeASLR 42

slide-43
SLIDE 43

Accuracy of Multi-Run Verification

  • Assume b instructions in b bytes memory.

Probability for at least one non-pointer value misidentified as a pointer is:

RuntimeASLR 43

b2 2-64 n 1 - (1 - Pfpr)b . .

slide-44
SLIDE 44

Accuracy of Multi-Run Verification

  • Assume b instructions in b bytes memory.

Probability for at least one non-pointer value misidentified as a pointer is:

  • Say b is 100MB and run 2 times. This will

result in FPR=2−76

RuntimeASLR 44

b2 2-64 n 1 - (1 - Pfpr)b . .