Its a TRaP: Table Randomization and Protection against - PowerPoint PPT Presentation

It’s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi,Thorsten Holz, Bjorn De Sutter, Michael Franz Chair of IT Security Department of Informatics Technical University of Munich December 3, 2018 Philip Holzmann

● Preventing Function- Goals Reuse Attacks: COOP and RILC → Prevent disclosure of function pointers → Hide code layout Philip Holzmann It's a TRaP 2

Adversary Model Philip Holzmann It's a TRaP 3

Adversary Model ─ Adversary can exploit a memory corruption vulnerability → read and write arbitrary memory Philip Holzmann It's a TRaP 4

Adversary Model ─ Adversary can exploit a memory corruption vulnerability → read and write arbitrary memory ─ Adversary can adjust the attack payload at runtime (e. g. via a scripting environment in a browser) Philip Holzmann It's a TRaP 5

Adversary Model ─ Adversary can exploit a + W^X memory corruption + X-only vulnerability + JIT-cache protection → read and write arbitrary memory ─ Adversary can adjust the attack payload at runtime (e. g. via a scripting environment in a browser) Philip Holzmann It's a TRaP 6

● Extended COOP Outline ● Dynamic Linking ● PLT Randomization ● Vtable Randomization ● Implementation ● Performance ● Security Evaluation Philip Holzmann It's a TRaP 7

Extended COOP Philip Holzmann It's a TRaP 8

● Regular main loop Extended gadget (ML-G): COOP – iterate over container of objects Philip Holzmann It's a TRaP 9

● Regular main loop Extended gadget (ML-G): COOP – iterate over container of objects ● Alternative ML-Gs: – Recursive: REC-G – Unrolled: UNR-G Philip Holzmann It's a TRaP 10

Extended COOP: REC-G c l a s s X { c l a s s Z { p u b l i c : p u b l i c : v i r t u a l ~ X ( ) ; X * o b j A ; Y * o b j B ; } ; v i r t u a l ~ Z ( ) { c l a s s Y { d e l e t e o b j A ; p u b l i c : v i r t u a l v o i d u n r e f ( ) ; o b j B - > u n r e f ( ) ; } ; } } ; Philip Holzmann It's a TRaP 11

Extended COOP: REC-G c l a s s X { c l a s s Z { p u b l i c : p u b l i c : v i r t u a l ~ X ( ) ; X * o b j A ; Y * o b j B ; } ; v i r t u a l ~ Z ( ) { c l a s s Y { arbitrary vfgadget d e l e t e o b j A ; p u b l i c : v i r t u a l v o i d u n r e f ( ) ; o b j B - > u n r e f ( ) ; } ; } } ; Philip Holzmann It's a TRaP 12

Extended COOP: REC-G c l a s s X { c l a s s Z { p u b l i c : p u b l i c : v i r t u a l ~ X ( ) ; X * o b j A ; Y * o b j B ; } ; v i r t u a l ~ Z ( ) { c l a s s Y { arbitrary vfgadget d e l e t e o b j A ; p u b l i c : v i r t u a l v o i d u n r e f ( ) ; o b j B - > u n r e f ( ) ; } ; } } ; recursion Philip Holzmann It's a TRaP 13

Extended COOP: UNR-G v o i d C : : f u n c ( ) { d e l e t e o b j A ; d e l e t e o b j B ; d e l e t e o b j C ; d e l e t e o b j D ; . . . } Philip Holzmann It's a TRaP 14

Extended COOP: UNR-G v o i d C : : f u n c ( ) { vfgadget d e l e t e o b j A ; vfgadget d e l e t e o b j B ; d e l e t e o b j C ; vfgadget d e l e t e o b j D ; vfgadget . . . } Philip Holzmann It's a TRaP 15

Dynamic Linking (for ELF) Philip Holzmann It's a TRaP 16

● Libraries can be loaded Dynamic at runtime Linking – Addresses of symbols (for ELF) not known at compile time Philip Holzmann It's a TRaP 17

● Libraries can be loaded Dynamic at runtime Linking – Addresses of symbols (for ELF) not known at compile time ● Global Offset Table & Procedure Linkage Table are used to resolve addresses at runtime Philip Holzmann It's a TRaP 18

Dynamic Linking: Global Offset Table some_lib.h: e x t e r n i n t f o o ; # i n c l u d e “ s o m e _ l i b . h ” . . . f o o = 3 ; . . . some_lib.so: foo Philip Holzmann It's a TRaP 19

Dynamic Linking: Global Offset Table some_lib.h: e x t e r n i n t f o o ; # i n c l u d e “ s o m e _ l i b . h ” . . . . . . f o o = 3 ; 6 d 4 : m o v l $ 0 x 3 , 0 x 2 0 0 9 5 a ( % r i p ) . . . . . . some_lib.so: foo Philip Holzmann It's a TRaP 20

Dynamic Linking: Global Offset Table 0 x 2 0 1 0 0 0 < G O T > some_lib.h: 0 x 0 0 . . . e x t e r n i n t f o o ; 0 x 0 8 . . . . . . . . . # i n c l u d e “ s o m e _ l i b . h ” 0 x 3 0 . . . 0 x 3 8 * . . . . . . f o o = 3 ; 6 d 4 : m o v l $ 0 x 3 , 0 x 2 0 0 9 5 a ( % r i p ) . . . . . . some_lib.so: foo Philip Holzmann It's a TRaP 21

Dynamic Linking: Global Offset Table 0 x 2 0 1 0 0 0 < G O T > some_lib.h: 0 x 0 0 . . . e x t e r n i n t f o o ; 0 x 0 8 . . . . . . . . . # i n c l u d e “ s o m e _ l i b . h ” 0 x 3 0 . . . 0 x 3 8 * . . . . . . f o o = 3 ; 6 d 4 : m o v l $ 0 x 3 , 0 x 2 0 0 9 5 a ( % r i p ) . . . . . . some_lib.so: foo Philip Holzmann It's a TRaP 22

Dynamic Linking: Procedure Linkage Table some_lib.h: v o i d f u n ( v o i d ) ; v o i d f u n 2 ( v o i d ) ; # i n c l u d e “ s o m e _ l i b . h ” . . . f u n ( ) ; some_lib.so: . . . fun fun2 Philip Holzmann It's a TRaP 23

Dynamic Linking: Procedure Linkage Table 6 9 0 < . p l t > : 6 9 0 : p u s h q 0 x 2 0 0 9 7 2 ( % r i p ) some_lib.h: 6 9 6 : j m p q * 0 x 2 0 0 9 7 4 ( % r i p ) 6 9 c : n o p l 0 x 0 ( % r a x ) v o i d f u n ( v o i d ) ; 6 a 0 < f u n 2 @ p l t > : v o i d f u n 2 ( v o i d ) ; 6 a 0 : j m p q * 0 x 2 0 0 9 7 2 ( % r i p ) 6 a 6 : p u s h q $ 0 x 0 6 a b : j m p q 6 9 0 < . p l t > 6 b 0 < f u n @ p l t > : # i n c l u d e “ s o m e _ l i b . h ” 6 b 0 : j m p q * 0 x 2 0 0 9 6 a ( % r i p ) 6 b 6 : p u s h q $ 0 x 1 . . . 6 b b : j m p q 6 9 0 < . p l t > f u n ( ) ; some_lib.so: . . . . . . fun 8 1 9 : c a l l q 6 b 0 < f u n @ p l t > fun2 . . . Philip Holzmann It's a TRaP 24

Dynamic Linking: Procedure Linkage Table 0 x 2 0 1 0 0 0 < G O T > 6 9 0 < . p l t > : 6 9 0 : p u s h q 0 x 2 0 0 9 7 2 ( % r i p ) 0 x 0 0 . . . some_lib.h: 6 9 6 : j m p q * 0 x 2 0 0 9 7 4 ( % r i p ) 0 x 0 8 . . . 6 9 c : n o p l 0 x 0 ( % r a x ) v o i d f u n ( v o i d ) ; 6 a 0 < f u n 2 @ p l t > : 0 x 1 0 . . . v o i d f u n 2 ( v o i d ) ; 6 a 0 : j m p q * 0 x 2 0 0 9 7 2 ( % r i p ) 0 x 1 8 * 6 a 6 : p u s h q $ 0 x 0 6 a b : j m p q 6 9 0 < . p l t > 0 x 2 0 * 6 b 0 < f u n @ p l t > : # i n c l u d e “ s o m e _ l i b . h ” 0 x 2 8 . . . 6 b 0 : j m p q * 0 x 2 0 0 9 6 a ( % r i p ) 6 b 6 : p u s h q $ 0 x 1 . . . 6 b b : j m p q 6 9 0 < . p l t > f u n ( ) ; some_lib.so: . . . . . . fun 8 1 9 : c a l l q 6 b 0 < f u n @ p l t > fun2 . . . Philip Holzmann It's a TRaP 25

Dynamic Linking: Procedure Linkage Table 0 x 2 0 1 0 0 0 < G O T > 6 9 0 < . p l t > : 6 9 0 : p u s h q 0 x 2 0 0 9 7 2 ( % r i p ) 0 x 0 0 . . . some_lib.h: 6 9 6 : j m p q * 0 x 2 0 0 9 7 4 ( % r i p ) 0 x 0 8 . . . 6 9 c : n o p l 0 x 0 ( % r a x ) v o i d f u n ( v o i d ) ; 6 a 0 < f u n 2 @ p l t > : 0 x 1 0 . . . v o i d f u n 2 ( v o i d ) ; 6 a 0 : j m p q * 0 x 2 0 0 9 7 2 ( % r i p ) 0 x 1 8 * 6 a 6 : p u s h q $ 0 x 0 6 a b : j m p q 6 9 0 < . p l t > 0 x 2 0 * 6 b 0 < f u n @ p l t > : # i n c l u d e “ s o m e _ l i b . h ” 0 x 2 8 . . . 6 b 0 : j m p q * 0 x 2 0 0 9 6 a ( % r i p ) 6 b 6 : p u s h q $ 0 x 1 . . . 6 b b : j m p q 6 9 0 < . p l t > f u n ( ) ; some_lib.so: . . . . . . fun 8 1 9 : c a l l q 6 b 0 < f u n @ p l t > fun2 . . . Philip Holzmann It's a TRaP 26