Information Leaks - Kyriakos Kyriakou (kkyria16@cs.ucy.ac.cy)



slide-1
SLIDE 1

University of Cyprus 1

Information Leaks

Kyriakos Kyriakou

kkyria16@cs.ucy.ac.cy

EPL 682: Advanced Security Topics

slide-2
SLIDE 2

University of Cyprus EPL 682: Advanced Security Topics 2

Just-in-time Code Reuse

On the effectiveness of Fine-Grained Address Space Layout Randomization

Kevin Z. Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, Ahmad-Reza Sadeghi

slide-3
SLIDE 3

Abstract


slide-4
SLIDE 4

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks.


slide-5
SLIDE 5

To introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR.

Solution

slide-6
SLIDE 6

Fine-grained ASLR may not be as promising as first thought.

slide-7
SLIDE 7

Historical Overview

Introduction


slide-8
SLIDE 8

An attacker’s ultimate goal is to exploit a vulnerability and gain the ability to redirect program logic within the vulnerable application (ASLR, DEP)

slide-9
SLIDE 9

Exploitation and defense practices through time

  • Shellcode, return address, stack
  • Overwriting alternative control-flow constructs
  • Redirect execution to existing shared-library functions, chaining together short instruction sequences ending with ret (gadgets, ROP)
  • Memory disclosure problem

Canary, NX bit, ASLR, ?

slide-10
SLIDE 10

Background

Review the basis of important concepts


slide-11
SLIDE 11

1. Code Reuse Attacks

slide-12
SLIDE 12

The general principle of any code reuse attack: redirect the logical program flow to instructions already present in memory, then use those instructions to provide alternative program logic.

slide-13
SLIDE 13

Basic principle of code reuse attacks


An example of a ROP attack on the heap using a sequence of single-instruction gadgets

slide-14
SLIDE 14

2. Randomization for Exploit Mitigation

slide-15
SLIDE 15

What is ASLR and how does it work?

slide-16
SLIDE 16

The basic idea of address space layout randomization (ASLR) refers to a new stack memory allocator that adds a random pad for stack objects larger than 16 bytes. The start address of an executable is relocated between consecutive runs of the application.

Current ASLR schemes randomize the base (start) address of segments such as the stack, heap, libraries, and the executable itself.

slide-17
SLIDE 17

As a result, an adversary must guess the location of the functions and instruction sequences needed for successful deployment of her code reuse attack. Today, ASLR is enabled on nearly all modern operating systems such as Windows, Linux, iOS, or Android.

slide-18
SLIDE 18

Fine-Grained Memory and Code Randomization


slide-19
SLIDE 19

Today ASLR suffers from two main problems

  • 1. The entropy on 32-bit systems is too low
  • 2. All ASLR solutions are vulnerable to memory disclosure attacks

Since current ASLR implementations only randomize on a per-module level, disclosing a single address within a module effectively reveals the location of every piece of code within that module.

slide-20
SLIDE 20

To confound these attacks, a number of fine-grained ASLR and code randomization schemes have recently appeared in the academic literature

Solution

slide-21
SLIDE 21

The underlying idea in these works is to randomize the data and code structure by shuffling functions or basic blocks (ideally for each program run). The location of all gadgets is randomized, and the disclosure of a single address no longer allows an adversary to deploy a code reuse attack.

slide-22
SLIDE 22

Assumptions and Adversarial Model


slide-23
SLIDE 23

An adversary’s actions may be enumerated in two stages

  • 1. exercise a vulnerability entry point
  • 2. execute arbitrary malicious computations

Modern stack and heap mitigations do eliminate categories of attack supporting stage one, but these mitigations are not comprehensive (i.e., exploitable vulnerabilities still exist).

slide-24
SLIDE 24

The target platform is assumed to use the following mechanisms to mitigate the execution of malicious computations

  • Non-Executable Memory
  • JIT Mitigations
  • Export Address Table Access Filtering
  • Base Address Randomization
  • Strong Fine-Grained ASLR randomization scheme
      i. Permutes the order of functions and basic blocks
      ii. Swaps registers and replaces instructions
      iii. Randomizes the location of each instruction
      iv. Performs randomizations upon each run of an application

slide-25
SLIDE 25

Current Problems with ASLR

  • ASLR is not usually applied to every executable or library, thereby allowing an adversary to leverage the non-randomized code parts for a conventional code reuse attack.
  • Current systems do not enforce fine-grained randomization.

slide-26
SLIDE 26

The trend is enabling ASLR for all applications, even for the operating system kernel (as deployed in Windows 8).

slide-27
SLIDE 27

What can the proposed framework do or offer?

  • Even given all these fortified defenses, the framework for code reuse attacks can readily undermine the security provided by these techniques
  • An adversary will enjoy a simpler and more streamlined exploit development process than ever before
  • Builds the entire payload on-the-fly
  • Compatible with all OS revisions

slide-28
SLIDE 28

We only assume that the adversary can..

  • 1. Conform a memory disclosure vulnerability to an interface that reveals values at an absolute address
  • 2. Discover a single code pointer

slide-29
SLIDE 29

Overview of Just-In-Time Code Reuse

JIT Code Reuse


slide-30
SLIDE 30

Exploiting a memory disclosure multiple times..

  • violates implicit assumptions of the fine-grained exploit mitigation model
  • enables the adversary to iterate over mapped memory to search for all necessary gadgets on-the-fly

slide-31
SLIDE 31

To bypass fine-grained exploit mitigation techniques, the authors designed and built a prototype exploit framework that aptly demonstrates one instantiation, called JIT-ROP.

slide-32
SLIDE 32

Code Injection Attack Workflow

Utilizing just-in-time code reuse against a script-enabled application protected by fine-grained memory (or code) randomization.

slide-33
SLIDE 33


HOW?

slide-34
SLIDE 34
JIT-ROP

  • A. Mapping Code Page Memory

slide-35
SLIDE 35

Challenge 1

slide-36
SLIDE 36

Lies in developing a reliable method for automatically searching through memory for code without causing a crash

slide-37
SLIDE 37

Challenge 2

slide-38
SLIDE 38

To enumerate any information found in this initial page of code that reliably identifies additional pages of code

slide-39
SLIDE 39

Algorithm 1: HarvestCodePages

Given an initial code page, recursively disassemble pages and discover direct and indirect pointers to other mapped code pages. It is a recursive search over discovered code pages that results in the set of unique code page virtual addresses along with associated data. Iteration continues only until all the requisite information to build a payload has been acquired.

slide-40
SLIDE 40
JIT-ROP

  • B. API Function Discovery

slide-41
SLIDE 41

Challenge


slide-42
SLIDE 42


Lies in the fact that an exploit will inevitably need to interact with operating system APIs to enact any significant effect.

slide-43
SLIDE 43

The solution

  • The favored method of interacting with the OS is through API calls (as in kernel32.dll), not system calls, because of the relative stability across OS revisions.
  • Discover the virtual addresses of API functions used in the attacker-supplied program (Step ❸)
  • The proposed code page harvesting gives unfettered access to a large amount of application code. This offers a unique opportunity for automatically discovering a diverse set of API function pointers. (Step ❷)

slide-44
SLIDE 44
JIT-ROP

  • C. Gadget Discovery

slide-45
SLIDE 45

Thus far we have automatically mapped a significant portion of the vulnerable application’s code layout and collected API function pointers required by the exploit writer’s designated program.

slide-46
SLIDE 46

Challenge


slide-47
SLIDE 47

Lies in accumulating a set of concrete gadgets to use as building blocks for the just-in-time code reuse payload. Fine-grained exploit mitigations may metamorphose instructions on each execution.

slide-48
SLIDE 48

The solution

  • In Step ❹ they efficiently collect sequences of instructions by adapting the Galileo algorithm proposed by Shacham to iterate over the harvested code pages from Step ❷ and populate an instruction prefix tree structure.
  • Using criteria for useful gadgets

slide-49
SLIDE 49

Algorithm 2: VerifyGadget

Automatically match a sequence of instructions to a gadget’s semantic definition.

slide-50
SLIDE 50


slide-51
SLIDE 51
JIT-ROP

  • D. Just-In-Time Compilation

slide-52
SLIDE 52

Challenge


slide-53
SLIDE 53


Lies in using the dynamically discovered API function pointers and collection of concrete gadgets to satisfy the exploit writer’s target program (Step ❶), then generate a payload to execute (Step ❻)

slide-54
SLIDE 54

The solution

  • Dynamic compilation is required to ensure we can use a plethora of gadget types to build the final payload
  • The proposed JIT Gadget Compiler is like a traditional compiler, except that compilation is embedded directly within an exploit script with a subset of concrete instructions available for code generation
  • Next, they perform a lazy search over all possible gadget combinations that implement a program statement, as well as a search over all schedules and register combinations.
  • The final payload is serialized to a structure accessible from the script, and control is returned to the exploit writer’s code (Step ❻)

slide-55
SLIDE 55
JIT-ROP

  • E. Implementation

slide-56
SLIDE 56


slide-57
SLIDE 57

Evaluation

JIT-ROP


slide-58
SLIDE 58
JIT-ROP

  • A. On Code Page Harvesting

slide-59
SLIDE 59


To perform the evaluation, they used memory snapshots created using a custom library. The snapshots contain all process memory, metadata indicating if a page is marked as executable code, and auxiliary information on which pages belong to the application or a shared library.

slide-60
SLIDE 60


slide-61
SLIDE 61


slide-62
SLIDE 62
JIT-ROP

  • B. On Gadget Coverage

slide-63
SLIDE 63

They were able to find all the gadgets required in their proof of concept exploit. They found that they could generate a payload from 78% of the initial code pages, and 67% of the initial starting points additionally yielded a StackPivotG, which is required for many exploits.

slide-64
SLIDE 64


slide-65
SLIDE 65


To reinforce the point that gadget discovery is not hindered by fine-grained mitigation techniques, they conducted an experiment using the in-place binary code randomizer. The framework discovers slightly more gadgets in the randomized libraries than the original unmodified DLLs.

slide-66
SLIDE 66
JIT-ROP

  • C. On API Function Discovery

slide-67
SLIDE 67

Calling VirtualProtect is the most direct way to undermine non-executable memory. They found that within the Internet Explorer 8 process memory (including all libraries), there were only 15 distinct call sites to VirtualProtect. They found that call sites for the LoadLibrary and GetProcAddress functions were readily available within the Internet Explorer memory: 391 instances of GetProcAddress and 340 instances of LoadLibrary.

slide-68
SLIDE 68
JIT-ROP

  • D. On Runtime Performance

slide-69
SLIDE 69


JIT-ROP was able to locate a pivot within 10 pages, all required APIs in 19 pages, and the requisite gadgets for a payload within 50 pages—a total running time of 22.5 seconds.

slide-70
SLIDE 70


slide-71
SLIDE 71

The proposed framework runs incredibly fast when natively compiled: code pages are traversed, gadgets are collected, APIs are resolved, and a payload is compiled in a fraction of a second.
slide-72
SLIDE 72

Potential Mitigations

Suggestions


slide-73
SLIDE 73

Suggestions that would render this attack ineffective

  • Re-randomize code pages at a high rate; the disclosed pages might be re-randomized before the just-in-time payload executes (randomization costs problem)
  • Fortify defenses that hinder the first stage (i.e., the entry point) of a runtime attack
  • Apply instruction set randomization (ISR), which mitigates code injection attacks by encrypting the binary’s code pages with a random key and decrypting them on-the-fly.
  • Enforce control-flow integrity (CFI) to prevent control-flow attacks; CFI mitigates runtime attacks regardless of whether the program suffers from vulnerabilities.

slide-74
SLIDE 74

Conclusion


slide-75
SLIDE 75

In this paper, they introduce a novel framework that undermines fine-grained randomization techniques by using a just-in-time code reuse strategy. They repeatedly abuse a memory disclosure to map an application’s memory layout on-the-fly. The framework dynamically discovers API functions and gadgets, and JIT-compiles a target program using those gadgets, all within a script environment at the time an exploit is launched.

slide-76
SLIDE 76


Moving on

slide-77
SLIDE 77

Hacking Blind

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh

slide-78
SLIDE 78

Abstract


slide-79
SLIDE 79

Return Oriented Programming (ROP): the attacker knows the location of useful gadgets, because binary and distribution are available

slide-80
SLIDE 80


What if the binary remains unknown to the attacker?

slide-81
SLIDE 81

It is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash.

slide-82
SLIDE 82

Solution

The Blind ROP (BROP) attack remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques.

slide-83
SLIDE 83
  • The source code is available for everyone
  • Open Source is most within reach
  • Attackers can audit the code to find vulnerabilities
  • Usually proprietary software whose source code no one has access to
  • Hacking this software is also possible, but harder
  • Attackers can use fuzz testing and reverse engineering

slide-84
SLIDE 84

Simplest possible vulnerability: stack buffer overflows. Bugs such as these go unnoticed in proprietary software, where the source (and binary) has not been under the heavy scrutiny of the public and security specialists.

slide-85
SLIDE 85

Challenge


slide-86
SLIDE 86


Lies in developing a methodology for exploiting these vulnerabilities when information about the target binary is limited

slide-87
SLIDE 87

One advantage attackers often have: many servers restart their worker processes after a crash for robustness

slide-88
SLIDE 88

They present a new attack, Blind Return Oriented Programming (BROP), that takes advantage of these situations to build exploits for proprietary services for which both the binary and source are unknown.


slide-89
SLIDE 89

BROP attack assumptions

  • A server application with a stack vulnerability
  • One that is restarted after a crash
  • Runs 64-bit Linux with ASLR, non-executable (NX) memory, and stack canaries enabled

slide-90
SLIDE 90

Position Independent Executables (PIE) are an output of the hardened package build process. A PIE binary and all of its dependencies are loaded into random locations within virtual memory each time the application is executed.


slide-91
SLIDE 91

The attack is enabled by two new techniques

  • 1. Generalized stack reading: this generalizes a known technique, used to leak canaries, to also leak saved return addresses in order to defeat ASLR on 64-bit even when Position Independent Executables (PIE) are used

  • 2. Blind ROP: this technique remotely locates ROP gadgets

Both techniques share the idea of using a single stack vulnerability to leak information based on whether a server process crashes or not. The stack reading technique overwrites the stack byte-by-byte with possible guess values, until the correct one is found and the server does not crash.


slide-92
SLIDE 92

The Blind ROP attack remotely finds enough gadgets to perform the write system call, after which the server’s binary can be transferred from memory to the attacker’s socket. At this point, canaries, ASLR and NX have been defeated and the exploit can proceed using known techniques.


slide-93
SLIDE 93

The BROP attack enables robust, general-purpose exploits for three new scenarios:

  • 1. Hacking proprietary closed-binary services. One may notice a crash when using a remote service or discover one through remote fuzz testing.
  • 2. Hacking a vulnerability in an open-source library thought to be used in a proprietary closed-binary service. A popular SSL library, for example, may have a stack vulnerability and one may speculate that it is being used by a proprietary service.
  • 3. Hacking an open-source server for which the binary is unknown. This applies to manually compiled installations or source-based distributions such as Gentoo.

slide-94
SLIDE 94

Braille makes BROP attacks highly automated

slide-95
SLIDE 95

Their overall contribution

  • 1. A technique to defeat ASLR on servers (generalized stack reading).
  • 2. A technique to remotely find ROP gadgets (BROP) so that software can be attacked when the binary is unknown.
  • 3. Braille: a tool that automatically constructs an exploit given input on how to trigger a stack overflow on a server
  • 4. The first public exploit for nginx’s recent vulnerability, that is generic, 64-bit, and defeats (full/PIE) ASLR, canaries and NX.

slide-96
SLIDE 96

Their overall contribution

  • 5. Suggestions for defending against BROP attacks.

In summary, ASLR must be applied to all executable segments (PIE) and re-randomization must occur after each crash (at odds with fork-only servers). Holding the binary from the attacker or purposefully altering it may not be an effective security countermeasure.


slide-97
SLIDE 97

Historical Overview


slide-98
SLIDE 98

Exploitation and defense practices through time

  • Shellcode, return address, stack
  • Structured exception handlers (SEH)
  • Redirect execution to existing shared-library functions, chaining together short instruction sequences ending with ret (gadgets, ROP)
  • Memory disclosure problem

Canary, NX bit, ASLR, ?

slide-99
SLIDE 99

ROP Tutorial


slide-100
SLIDE 100


slide-101
SLIDE 101


slide-102
SLIDE 102

Buffer Overflows Today


slide-103
SLIDE 103

An attacker must fulfill at least two requirements in order to gain full control of a remote program’s execution:

  • 1. To defeat NX, the attacker must know where gadgets reside inside the program executable
  • 2. To defeat ASLR, the attacker must de-randomize the location at which the executable’s text segment is actually loaded in memory

slide-104
SLIDE 104

The proposed stack reading technique makes it possible to attack PIE servers that do not re-randomize after a crash.

slide-105
SLIDE 105


slide-106
SLIDE 106

BROP Environment


slide-107
SLIDE 107

BROP attack makes the following assumptions and requires the following environment:

  • A stack vulnerability and knowledge of how to trigger it
  • A server application that restarts after a crash

What’s the threat model?

slide-108
SLIDE 108

The threat model is an attacker that..

  • knows an input string that crashes a server due to a stack overflow bug
  • is able to overwrite a variable length of bytes including a return instruction pointer
  • knows the source or binary of the server
  • is able to crash the server as many times as he wishes while conducting the attack, and the server must restart
  • is able to distinguish when a server crashes prematurely, e.g., by noticing that the socket closes without receiving a response

If the server is compiled with the PIE flag, the server must be a forking daemon and must restart without using execve. The same is true for overflows where the canary must be modified by the exploit.
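The threat model above depends on crashing workers many times and having them restart, which leaves a trail in the server's error log. The following added example (not from the slides or the paper) flags such crash bursts; the log lines are constructed in the style of nginx error-log alerts, and `build_sample_log`, `detect_bursts`, the threshold and the window are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches constructed lines such as:
# 2014/05/01 10:00:00 [alert] 900#0: worker process 2000 exited on signal 6
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
# SIGABRT (a failed stack-canary check aborts the process) and SIGSEGV.
CRASH_SIGNALS = {6, 11}


def build_sample_log():
    """Constructed log: two isolated crashes around a 40-crash burst, plus noise."""
    lines = [
        "2014/05/01 09:12:03 [alert] 900#0: worker process 1000 exited on signal 11",
        "2014/05/01 09:40:00 [alert] 900#0: worker process 1001 exited on signal 15",
    ]
    for i in range(40):
        ts = f"2014/05/01 10:00:{i:02d}"
        lines.append(f"{ts} [alert] 900#0: worker process {2000 + i} exited on signal 6")
        lines.append(f"{ts} [notice] 900#0: start worker process {2001 + i}")
    lines.append("2014/05/01 14:30:00 [alert] 900#0: worker process 3000 exited on signal 11")
    return lines


def parse_crashes(lines):
    """Yield (timestamp, signal) for every worker exit caused by a crash signal."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m["sig"]) in CRASH_SIGNALS:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), int(m["sig"])


def detect_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return bursts in which at least `threshold` crashes fall inside `window`.

    Lines are assumed to be in chronological order, as in a log file.
    """
    recent = deque()   # crash timestamps still inside the sliding window
    bursts = []
    current = None     # burst being extended, if any
    for ts, _sig in parse_crashes(lines):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if current is None:
                current = {"start": recent[0], "end": ts, "crashes": len(recent)}
            else:
                current["end"] = ts
                current["crashes"] += 1
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for burst in detect_bursts(build_sample_log()):
        print(f"{burst['crashes']} worker crashes between {burst['start']} and {burst['end']}")
```

Isolated crashes stay below the threshold; byte-by-byte stack reading, which the slides put at 128 tries on average per byte, does not.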


slide-109
SLIDE 109

Attack Outline


slide-110
SLIDE 110

The BROP attack has the following phases:

  • 1. Stack reading: read the stack to leak canaries and a return address to defeat ASLR
  • 2. Blind ROP: find enough gadgets to invoke write and control its arguments
  • 3. Build the exploit: dump enough of the binary to find enough gadgets to build a shellcode, and launch the final exploit

slide-111
SLIDE 111

Stack Reading: ASLR de-randomization


slide-112
SLIDE 112


Exploits must have a method of defeating ASLR for configurations where PIE is used. They present a new stack reading technique that generalizes a known technique used for leaking canaries.

slide-113
SLIDE 113

The basic idea

  • 1. Overflow a single byte of the canary with value x
  • 2. If x is correct, the server does not crash
  • 3. The algorithm is repeated for all possible 256 byte values until it is found (128 tries on average)
  • 4. The attack continues for the next byte until all 8 canary bytes (on 64-bit) are leaked
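The effect of the four steps above, and of the defence the slides summarise earlier (re-randomization after each crash), can be measured in an in-memory model. This is an added example, not code from the slides or the paper; `WorkerPool`, `stack_read` and `compare` are hypothetical names, and the random canary, seed and request budget are assumptions.

```python
import random

CANARY_LEN = 8  # bytes in a 64-bit stack canary


class WorkerPool:
    """In-memory model of a server whose workers are restarted after a crash.

    rerandomize=False models fork-only restarts: every new worker inherits
    the parent's canary. rerandomize=True models a fresh canary after each
    crash (for example, a restart that goes through execve).
    """

    def __init__(self, rerandomize, seed):
        self._rng = random.Random(seed)
        self.rerandomize = rerandomize
        self.canary = self._new_canary()
        self.crashes = 0

    def _new_canary(self):
        return bytes(self._rng.randrange(256) for _ in range(CANARY_LEN))

    def request(self, overwrite):
        """Overwrite the first len(overwrite) canary bytes; True if the worker survives."""
        if self.canary[:len(overwrite)] == overwrite:
            return True
        self.crashes += 1
        if self.rerandomize:
            self.canary = self._new_canary()
        return False


def stack_read(pool, budget):
    """Guess the canary one byte at a time (steps 1-4 above).

    Returns (recovered_bytes or None, requests_used); None means the request
    budget ran out before all bytes were confirmed.
    """
    known = b""
    used = 0
    while len(known) < CANARY_LEN:
        for x in range(256):
            if used >= budget:
                return None, used
            used += 1
            if pool.request(known + bytes([x])):
                known += bytes([x])   # no crash: byte x is confirmed
                break
        # If no value survived, earlier "known" bytes are stale; keep trying
        # until the budget is exhausted.
    return known, used


def compare(seed=1, budget=8 * 256 * 4):
    """Run the same procedure against both restart policies."""
    results = {}
    for name, rerandomize in (("fork-only", False), ("re-randomize on crash", True)):
        pool = WorkerPool(rerandomize, seed)
        recovered, used = stack_read(pool, budget)
        results[name] = {
            "leaked": recovered is not None and recovered == pool.canary,
            "requests": used,
            "crashes": pool.crashes,
        }
    return results


if __name__ == "__main__":
    for policy, outcome in compare().items():
        print(policy, outcome)
```

With an inherited canary the leak completes in at most 8 x 256 requests; once every crash draws a new canary, confirmed bytes go stale and the same budget is spent without a result.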


slide-114
SLIDE 114


slide-115
SLIDE 115


slide-116
SLIDE 116

BROP Attack


slide-117
SLIDE 117

The BROP attack allows writing exploits without possessing the target binary. It introduces techniques to find ROP gadgets remotely and optimizations to make the attack practical.

slide-118
SLIDE 118

BROP Attack Outline

  • A. The pieces of a puzzle
  • B. Finding gadgets and the stop gadget
  • C. Identifying gadgets
  • D. Finding the Procedure Linking Table (PLT)
  • E. Controlling rdx via strcmp
  • F. Finding write
  • G. Concluding the attack
  • H. Attack Summary
  • I. First principles attack
  • J. Other low-level details

slide-119
SLIDE 119
  • A. The pieces of a puzzle


slide-120
SLIDE 120


The goal is to find enough gadgets to invoke write

slide-121
SLIDE 121

The write system call takes three arguments: a socket, a buffer and a length. Arguments are passed in the rdi, rsi and rdx registers, and the system call number is stored in the rax register.

slide-122
SLIDE 122

The following gadgets are therefore needed:

  • 1. pop rdi; ret (socket)
  • 2. pop rsi; ret (buffer)
  • 3. pop rdx; ret (length)
  • 4. pop rax; ret (write syscall number)
  • 5. syscall

slide-123
SLIDE 123


slide-124
SLIDE 124


slide-125
SLIDE 125

The optimized attack therefore requires:

  • 1. Finding the BROP gadget
  • 2. Finding the PLT
      • Finding the entry for write
      • Finding the entry for strcmp

slide-126
SLIDE 126
  • B. Finding Gadgets


slide-127
SLIDE 127


The basic idea in finding gadgets remotely is to scan the application’s text segment by overwriting the saved return address with an address pointing to text and inspecting program behavior.

A stop gadget is anything that would cause the program to block, like an infinite loop or a blocking system call (like sleep).

slide-128
SLIDE 128


slide-129
SLIDE 129
  • C. Identifying Gadgets


slide-130
SLIDE 130

How to classify gadgets? By controlling the stack layout and inspecting program behavior

slide-131
SLIDE 131

We define three values that the attacker can place on the stack:

  • Probe: The address of the gadget being scanned.
  • Stop: The address of a stop gadget that will not crash.
  • Trap: The address of non-executable memory that will cause a crash (e.g., 0x0).

slide-132
SLIDE 132

The idea is that by varying the position of the stop and trap on the stack, one can deduce the instructions being executed by the gadget, either because the trap or stop will execute, causing a crash or no crash respectively.

slide-133
SLIDE 133

Here are some examples and possible stack layouts:

  • probe, stop, traps (trap, trap, ...): Will find gadgets that do not pop the stack, like ret or xor rax, rax; ret
  • probe, trap, stop, traps: Will find gadgets that pop exactly one stack word, like pop rax; ret or pop rdi; ret
  • probe, stop, stop, stop, stop, stop, stop, stop, traps: Will find gadgets that pop up to six words (e.g., the BROP gadget)

slide-134
SLIDE 134

slide-135
SLIDE 135

D. Finding the Procedure Linking Table (PLT)

slide-136
SLIDE 136

To control the third argument (rdx) one needs to find a call to strcmp, which sets rdx to the length of the string compared. The PLT is a jump table at the beginning of the executable used for all external calls (e.g., libc).

slide-137
SLIDE 137

slide-138
SLIDE 138

Most of the PLT entries will not cause a crash regardless of arguments because they are system calls that return EFAULT on invalid parameters. The stack layout to find a PLT entry will be: probe, stop, trap.

slide-139
SLIDE 139

E. Controlling rdx via strcmp

slide-140
SLIDE 140

The attacker can identify PLT entries by exercising each entry with different arguments and seeing how the function performs. The first two arguments can be controlled thanks to the BROP gadget.

slide-141
SLIDE 141

strcmp for example has the following behavior and signature, where “bad” is an invalid memory location (e.g., 0x0) and “readable” is a readable pointer (e.g., an address in .text):

  • strcmp(bad, bad): crash
  • strcmp(bad, readable): crash
  • strcmp(readable, bad): crash
  • strcmp(readable, readable): no crash

The attacker finds strcmp by finding an entry that responds to the previously mentioned signature.

slide-142
SLIDE 142

F. Finding write

slide-143
SLIDE 143

The attacker so far can control the first three arguments to any call: the first two via the BROP gadget, and the third one indirectly via strcmp. write can now trivially be found by scanning each PLT entry and forcing a write to the socket and checking whether the write occurred.

slide-144
SLIDE 144

The only complication is figuring out the file descriptor number for the socket. There are two approaches:

  • 1. chaining multiple writes, each with different file descriptor numbers, in a single ROP chain, or
  • 2. opening multiple connections and using a relatively high file descriptor number in hope that it will match one of the connections.

They use both techniques in combination.

slide-145
SLIDE 145

G. Concluding the attack

slide-146
SLIDE 146

At this point the attacker can write the entire .text segment from memory to the attacker’s socket, disassemble it, and find more gadgets. The attacker can also dump the symbol table and find useful functions in the PLT like dup2 and execve.

slide-147
SLIDE 147

Generally speaking the attacker will need to:

  • 1. Redirect the socket to standard input / output. The attacker can use dup2 or close, followed by either dup or fcntl(F_DUPFD). These are often in the PLT.
  • 2. Find “/bin/sh” in memory. An effective technique is to find a writable memory region like the environment, environ, from the symbol table, and read “/bin/sh” from the attacker’s socket to that address.
  • 3. execve the shell. If execve is not in the PLT, the attacker will need to transfer more of the binary to find a pop rax; ret and syscall gadget.

slide-148
SLIDE 148

H. Attack summary

slide-149
SLIDE 149

The optimized BROP attack is as follows:

  • 1. Find where the executable is loaded. Either 0x400000 for non-PIE executables (default) or stack read a saved return address.
  • 2. Find a stop gadget. This is typically a blocking system call (like sleep or read) in the PLT. The attacker finds the PLT in this step too.
  • 3. Find the BROP gadget. The attacker can now control the first two arguments to calls.
  • 4. Find strcmp in the PLT. The attacker can now control the first three arguments to calls.
  • 5. Find write in the PLT. The attacker can now dump the entire binary to find more gadgets.
  • 6. Build a shellcode and exploit the server.

slide-150
SLIDE 150

I. First principles attack

slide-151
SLIDE 151

The attack outline:

  • 1. Find all pop x; ret gadgets.
  • 2. Find a syscall gadget.
  • 3. Identify the pop gadgets previously found

slide-152
SLIDE 152

The attack outline:

  • The attacker starts by finding a stop gadget and all pop x; ret instructions.
  • The difficulty is now in identifying the pop instructions and finding a syscall gadget.
  • The idea is to identify the pop instructions based on system call behavior after tweaking system call arguments, in a similar way as to how strcmp was found in the optimized attack.

slide-153
SLIDE 153

There is a bootstrap problem because to find syscall one must control the system call number (rax), so one must have a priori identified pop rax; ret

slide-154
SLIDE 154

The solution

  • Chain all pop instructions found by the attacker, popping the desired system call number, and one of them will likely be rax.
  • The system call to use is pause(), which takes no arguments and so ignores all other registers. It also stops program execution until a signal is raised and so it acts as a stop gadget, making it identifiable.
  • The attacker can now append the probe address for syscall to the pop chain to find a system call gadget.
  • Once an address that makes the program pause is found, the attacker can eliminate the pops one by one to find which one controls rax.

slide-155
SLIDE 155

At this point the attacker has the address of a syscall gadget and a pop rax; ret gadget.

slide-156
SLIDE 156

The attacker also holds a list of unidentified pops. These are identified by using the following system calls

slide-157
SLIDE 157

One can now call write and continue the attack by dumping the .text segment and finding more gadgets

slide-158
SLIDE 158

J. Other low level details

slide-159
SLIDE 159

In this section they list a number of not so obvious low-level attack details, many of which added to the attack’s stability:

a) Stack reading with zeros
b) Further strcmp verification
c) Dealing with small buffers
d) Dealing with few event-based workers

slide-160
SLIDE 160

Implementation

slide-161
SLIDE 161

The BROP attack was implemented in a tool called “Braille” that automatically goes from a crash to a remote shell. It is written in 2,000 lines of Ruby code. Braille is essentially a meta-exploit that takes a driver function that can crash a server, and figures out all the information needed to build an exploit.

slide-162
SLIDE 162

Evaluation

slide-163
SLIDE 163

The BROP attack was tested in three scenarios:

  • 1. An open-source SSL library with a known stack vulnerability (yaSSL). This mimics the scenario where one is attacking a proprietary service that is believed to use a vulnerable open-source component. As a sample target we used an older version of MySQL that used yaSSL.
  • 2. An open-source software with a known stack vulnerability (nginx), manually compiled from source. In this scenario the attacker knows the source of the entire server but does not hold the binary.
  • 3. A toy closed-binary proprietary service with a stack vulnerability. This was written by a colleague and both the binary and source were kept secret. Ideally we would have tested this against a real-world proprietary service but it would have been difficult to do so legally.

slide-164
SLIDE 164

They ran Braille against all three attack scenarios, without any application-specific optimizations, and the attack succeeded in all cases.

slide-165
SLIDE 165

Evaluation aspects

  • 1. Performance: number of requests and time.
  • 2. Stability: how robust the attack is.
  • 3. Attack paired with source-code knowledge: whether having access to the source code (but not the binary) can make the attack better.

slide-166
SLIDE 166

slide-167
SLIDE 167

slide-168
SLIDE 168

Limitations

slide-169
SLIDE 169

The BROP Attack has its limitations

  • Applied only to simple stack overflows.
  • Stack reading assumes that the attacker can overflow at a byte granularity and controls the last byte being overflown.
  • Assumes that the same machine and process can be hit after each attempt.
  • Relies on a number of workers being available and not ending up in a situation where all workers become “stuck” in an infinite loop.

slide-170
SLIDE 170

BROP Prevention

slide-171
SLIDE 171

Defense mechanisms that will prevent the BROP Attack

A. Rerandomization

The most basic protection against the BROP attack is to rerandomize canaries and ASLR as often as possible. It is important that any child processes forked are randomized independently so that any information learned from one child cannot be used against another one. They suggest servers write a new canary before entering a per-request function.
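
The sharing that rerandomization is meant to break can be observed directly. The C program below is an added example, not taken from the slides or from the BROP authors' code; it assumes Linux with glibc (which derives the stack canary from the AT_RANDOM bytes), and the names fingerprint, take_fingerprint and count_workers_sharing_layout are hypothetical.

```c
/* Added example: forked workers inherit the parent's layout and canary seed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/wait.h>
#include <unistd.h>

struct fingerprint {
    uintptr_t text;          /* address of a function in .text */
    uintptr_t stack;         /* address of a local variable */
    unsigned char seed[16];  /* AT_RANDOM bytes, source of glibc's canary */
};

static void take_fingerprint(struct fingerprint *fp, void *stack_addr) {
    memset(fp, 0, sizeof *fp);
    fp->text = (uintptr_t)&take_fingerprint;
    fp->stack = (uintptr_t)stack_addr;
    const void *rnd = (const void *)getauxval(AT_RANDOM);
    if (rnd) memcpy(fp->seed, rnd, sizeof fp->seed);
}

/* Fork `workers` children as a pre-forking server does (no execve) and return
 * how many report the same fingerprint as the parent, or -1 on error. */
int count_workers_sharing_layout(int workers) {
    int marker = 0, same = 0, fds[2];
    struct fingerprint parent, child;
    take_fingerprint(&parent, &marker);
    for (int i = 0; i < workers; i++) {
        if (pipe(fds) != 0) return -1;
        pid_t pid = fork();
        if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
        if (pid == 0) {                       /* worker process */
            take_fingerprint(&child, &marker);
            ssize_t w = write(fds[1], &child, sizeof child);
            _exit(w == (ssize_t)sizeof child ? 0 : 1);
        }
        close(fds[1]);
        ssize_t n = read(fds[0], &child, sizeof child);
        close(fds[0]);
        waitpid(pid, NULL, 0);
        if (n == (ssize_t)sizeof child && memcmp(&child, &parent, sizeof child) == 0)
            same++;
    }
    return same;
}

int main(void) {
    printf("%d of 4 forked workers match the parent\n", count_workers_sharing_layout(4));
}
```

Every forked worker reports the parent's values, so a respawned worker is no harder to guess than the one that crashed. A worker started with fork followed by execve receives a fresh layout and fresh AT_RANDOM bytes.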

slide-172
SLIDE 172

Defense mechanisms that will prevent the BROP Attack

B. Sleep on crash

In some situations, servers should not respawn, but in practice users and developers find this an unacceptable solution. Modern Linux desktops use systemd to monitor services and automatically restart services on failures. Developers should be cautious about which remote services they really need or want to restart automatically to reduce the attack surface.

slide-173
SLIDE 173

Defense mechanisms that will prevent the BROP Attack

C. ROP protections

Control Flow Integrity (CFI) prevents return oriented programming in general by enforcing the control flow graph. There are many other similar techniques that can be applied.

slide-174
SLIDE 174

Defense mechanisms that will prevent the BROP Attack

D. Compiler Techniques

Many modern compilers support inserting runtime bounds checks on buffers.

slide-175
SLIDE 175

The main problem with all these solutions is that they may suffer as much as a 2x performance slowdown, and as such they are used mostly for testing.

slide-176
SLIDE 176

Conclusion

slide-177
SLIDE 177

They show that, under the right conditions, it is possible to write exploits without any knowledge of the target binary or source code

slide-178
SLIDE 178

To sum up

  • 1. Their attack is able to defeat ASLR, NX and stack canaries on modern 64-bit Linux servers.
  • 2. They present two new techniques:
      a) generalized stack reading: which defeats full ASLR on 64-bit systems
      b) BROP attack: which is able to remotely find ROP gadgets.
  • 3. Braille can take under 4,000 requests to spawn a shell, under 20 minutes, tested against real versions of yaSSL+MySQL and nginx with known vulnerabilities, and a toy proprietary service running an unknown binary.

slide-179
SLIDE 179

To sum up

  • 4. ASLR is only effective when it is applied to all code segments in the binary (including PIE).
  • 5. Security through obscurity, where the binary is unknown or randomized, can only slow but not prevent buffer overflow attacks.
  • 6. To defend against their attack, they suggest that systems should rerandomize ASLR and canaries after any crash, and that no library or executable should be exempt from ASLR.

slide-180
SLIDE 180

Thank you for your time

Feel free to ask any questions
