in memory: an evolution of attacks Mathias Payer - - PowerPoint PPT Presentation

in memory an evolution of attacks
SMART_READER_LITE
LIVE PREVIEW

in memory: an evolution of attacks Mathias Payer - - PowerPoint PPT Presentation

Feb 19, 2023 270 likes •729 views

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory attacks: an ongoing war David

slide-1
SLIDE 1

… in memory: an evolution of attacks

Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley

Images (c) MGM, WarGames, 1983

slide-2
SLIDE 2

Memory attacks: an ongoing war

Vulnerability classes according to CVE

slide-3
SLIDE 3

Memory attacks: an ongoing war

David Lightman: Hey, I don't believe that any system is totally secure."

slide-4
SLIDE 4

Memory attacks: an ongoing war

  • Low-level languages trade type safety and

memory safety for performance

– Programmer in control of all checks

  • Large set of legacy and new applications

written in C / C++ prone to memory bugs

  • Too many bugs to find and fix manually

– Protect integrity through low-level security policy

slide-5
SLIDE 5

Memory corruption Memory corruption

slide-6
SLIDE 6

Memory corruption

  • Unintended modification of memory location

due to missing / faulty safety check

– Exploitable only if address or value input dependent – Attacker sees all memory, controls writable memory

void vulnerable(int user1, int *array) { // missing bound check for user1 array[user1] = 42; }

slide-7
SLIDE 7

Memory safety: temporal error

void vulnerable(char *buf) { free(buf); buf[12] = 42; }

slide-8
SLIDE 8

Memory safety: spatial error

void vulnerable() { char buf[12]; char *ptr = buf[11]; *ptr++ = 10; *ptr = 42; }

slide-9
SLIDE 9

Control-flow hijacking: Control-flow hijacking: Attack opportunities Attack opportunities

slide-10
SLIDE 10

Control-flow hijack attack

1 3 2 4 4'

  • Attacker modifies code pointer

– Function return – Indirect jump – Indirect call

  • Control-flow leaves static graph
  • Reuse existing code

– Return-oriented programming – Jump-oriented programming

slide-11
SLIDE 11

Control-flow hijack attack

void vuln(char *u1) { // assert(strlen(u1)) < MAX char tmp[MAX]; strcpy(tmp, u1); return strcmp(tmp, "foo"); } vuln(&exploit); return address saved base pointer tmp[MAX] 1st argument: *u1 next stack frame

slide-12
SLIDE 12

Control-flow hijack attack

Memory safety Integrity Randomization Flow Integrity Attack

*C &C *&C Violation

Control-flow hijack

void vuln(char *u1) { // assert(strlen(u1)) < MAX char tmp[MAX]; strcpy(tmp, u1); return strcmp(tmp, "foo"); } vuln(&exploit); return address saved base pointer tmp[MAX] 1st argument: *u1 next stack frame don't care don't care points to &system() ebp after system call 1st argument to system()

slide-13
SLIDE 13

Code corruption attack

  • Code modified or new code added
  • Hardware protection enforces code integrity

Code Heap Stack C

slide-14
SLIDE 14

Control-flow hijacking: Control-flow hijacking: Defense strategies Defense strategies

slide-15
SLIDE 15

Defense strategies

Memory safety Integrity Randomization Flow Integrity Attack

*C &C *&C Violation

Control-flow hijack

Stop memory corruption

– Safe dialects of C/C++:

CCured, Cyclone

– Retrofit on C/C++:

SoftBounds+CETS

– Rewrite in safe language:

Java/C#

slide-16
SLIDE 16

Defense strategies

Memory safety Integrity Randomization Flow Integrity Attack

*C &C *&C Violation

Control-flow hijack

Enforce integrity of reads/writes

– Write Integrity Testing – (DEP and W^X for code)

slide-17
SLIDE 17

Defense strategies

Memory safety Integrity Randomization Flow Integrity Attack

*C &C *&C Violation

Control-flow hijack

Probabilistic defenses

– Randomize locations,

code, data, or pointer values

slide-18
SLIDE 18

Defense strategies

Memory safety Integrity Randomization Flow Integrity Attack

*C &C *&C Violation

Control-flow hijack

Protect control transfers

– Data-flow integrity – Control-flow integrity

slide-19
SLIDE 19

Control-Flow Integrity

  • Dynamic control flow must follow the

static control flow graph (CFG)

– Use points-to analysis to get CFG – Runtime check if target in static set

  • Current implementations over-approximate

– Imprecision of static analysis, runtime concerns – One set each for indirect calls, jumps, and returns

1 3 2 4

slide-20
SLIDE 20

CFI: Limitations and Drawbacks

  • Precision limited by static type analysis

– Imprecision leads to ambiguities

  • Static analysis must “see” all code

– Support for dynamic libraries challenging

  • Performance overhead or imprecision

– Current implementations (greatly) over-approximate

target set to achieve performance and compatibility

slide-21
SLIDE 21

Model for memory attacks

Memory safety Integrity Randomization Flow Integrity Bad things

C *C D *D &C *&C &D *&D Memory corruption

Code corruption Data-only Control-flow hijack

slide-22
SLIDE 22

Data-only attacks Data-only attacks

slide-23
SLIDE 23

Data-only attack

  • Privileged or informative data changed

– Simple, powerful and hard to detect

Code Heap Stack D

slide-24
SLIDE 24

Deployed defenses Deployed defenses

slide-25
SLIDE 25

Data Execution Prevention

  • Enforces code integrity on page granularity

– Execute code if eXecutable bit set

  • W^X ensures write access or executable

– Mitigates against code corruption attacks – Low overhead, hardware enforced, widely deployed

  • Weaknesses and limitations

– No-self modifying code supported

slide-26
SLIDE 26

Data Execution Prevention

Memory safety Integrity Randomization Flow Integrity Bad things

C *C D *D &C *&C &D *&D Memory corruption

Code corruption Data-only Control-flow hijack

slide-27
SLIDE 27

Address Space Layout Randomization

  • Randomizes locations of code and data regions

– Probabilistic defense – Depends on loader and OS

  • Weaknesses and limitations

– Prone to information leaks – Some regions remain static (on x86) – Performance impact (~10%)

slide-28
SLIDE 28

ASLR: Performance overhead

  • ASLR uses one register for PIC / ASLR code

– Performance degradation on x86

slide-29
SLIDE 29

Address Space Layout Randomization

Memory safety Integrity Randomization Flow Integrity Bad things

C *C D *D *&C *&D Memory corruption

Code corruption Data-only Control-flow hijack

&C &D

slide-30
SLIDE 30

Stack canaries

  • Protect return instruction pointer on stack

– Compiler modifies stack layout – Probabilistic protection

  • Weaknesses and limitations

– Prone to information leaks – No protection against targeted writes / reads

slide-31
SLIDE 31

Stack canaries

Memory safety Integrity Randomization Flow Integrity Bad things

C D *D &C *&C &D *&D Memory corruption

Code corruption Data-only Control-flow hijack

*C

slide-32
SLIDE 32

Widely deployed defenses

  • Memory safety: none
  • Integrity: partial

– Code integrity: W^X – Code pointer integrity: canaries and safe exceptions – Data integrity: none

  • Randomization: partial

– Address Space Layout Randomization

  • Control/Data-flow integrity: none
slide-33
SLIDE 33

Widely deployed defenses

Memory safety Integrity Randomization Flow Integrity Bad things

C *C D *D &C *&C &D *&D Memory corruption C

Code corruption Data-only Control-flow hijack

*C &C &D

Code corruption Data-only Control-flow hijack

slide-34
SLIDE 34

Widely deployed defenses

Memory safety Integrity Randomization Flow Integrity Bad things

C *C D *D &C *&C &D *&D Memory corruption C

Code corruption Data-only Control-flow hijack

*C &C &D

Code corruption Data-only Control-flow hijack

  • Mr. McKittrick, after very careful

consideration, sir, I've come to the conclusion that your new defense system sucks.

slide-35
SLIDE 35

Why did stronger defenses fail?

  • Too much overhead

– More than 10% is not feasible

  • Compatibility to legacy and source code

– Shared library support, no code modifications

  • Effectiveness against attacks

– Protection against complete classes of attacks

slide-36
SLIDE 36

Onwards? Onwards?

(c) MGM

slide-37
SLIDE 37

Partial? Data Integrity

  • Memory safety stops control-flow hijack attacks

– … but memory safety has high overhead – SoftBounds+CETS reports up to 250% overhead

  • Enforce memory safety for “some” pointers

– Compiler analysis can help – Tricky engineering to make it work

slide-38
SLIDE 38

Secure execution platform

  • Must support legacy, binary code
  • Dynamic binary translation allows virtualization
  • Leverage runtime information

– Enables preciser security checks

slide-39
SLIDE 39

Secure execution platform

Application Kernel

slide-40
SLIDE 40

Secure execution platform

Sandbox Application Kernel Loader System call policy

slide-41
SLIDE 41

Original code

Sandbox implementation

1 3 2 4

Protected code

1' 3' 2' 4' Dynamic binary translator

  • Check targets and origins
  • Weave guards into code
slide-42
SLIDE 42
slide-43
SLIDE 43

Conclusion

  • Low level languages are here to stay

– We need protection against memory vulnerabilities – Performance, legacy, compatibility

  • Mitigate control-flow hijack attacks

– Secure execution platform for legacy code

  • Future directions: strong policies for data
slide-44
SLIDE 44

?

Pictures (c) MGM

If the winning move is not to If the winning move is not to play then we need to change play then we need to change the rules of the game! the rules of the game! http://nebelwelt.net http://nebelwelt.net