Its a TRaP: Table Randomization and Protection against - - PowerPoint PPT Presentation

It’s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

Chair of IT Security Department of Informatics Technical University of Munich

Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi,Thorsten Holz, Bjorn De Sutter, Michael Franz

Philip Holzmann December 3, 2018

Philip Holzmann It's a TRaP 2

Goals

• Preventing Function-

Reuse Attacks: COOP and RILC → Prevent disclosure of function pointers → Hide code layout

Philip Holzmann It's a TRaP 3

Adversary Model

Philip Holzmann It's a TRaP 4

Adversary Model

─Adversary can exploit a

memory corruption vulnerability

→read and write arbitrary

memory

Philip Holzmann It's a TRaP 5

Adversary Model

─Adversary can exploit a

memory corruption vulnerability

→read and write arbitrary

memory

─Adversary can adjust the

attack payload at runtime (e. g. via a scripting environment in a browser)

Philip Holzmann It's a TRaP 6

Adversary Model

─Adversary can exploit a

memory corruption vulnerability

→read and write arbitrary

memory

─Adversary can adjust the

attack payload at runtime (e. g. via a scripting environment in a browser)

+W^X +X-only +JIT-cache protection

Philip Holzmann It's a TRaP 7

Outline

• Extended COOP
• Dynamic Linking
• PLT Randomization
• Vtable Randomization
• Implementation
• Performance
• Security Evaluation

Philip Holzmann It's a TRaP 8

Extended COOP

Philip Holzmann It's a TRaP 9

Extended COOP

• Regular main loop

gadget (ML-G):

– iterate over container of

• bjects

Philip Holzmann It's a TRaP 10

Extended COOP

• Regular main loop

gadget (ML-G):

– iterate over container of

• bjects
• Alternative ML-Gs:

– Recursive: REC-G – Unrolled: UNR-G

Philip Holzmann It's a TRaP 11

Extended COOP: REC-G

c l a s s X { p u b l i c : v i r t u a l ~ X ( ) ; } ; c l a s s Y { p u b l i c : v i r t u a l v

• i

d u n r e f ( ) ; } ; c l a s s Z { p u b l i c : X *

• b

j A ; Y *

• b

j B ; v i r t u a l ~ Z ( ) { d e l e t e

• b

j A ;

• b

j B

• >

u n r e f ( ) ; } } ;

Philip Holzmann It's a TRaP 12

Extended COOP: REC-G

c l a s s X { p u b l i c : v i r t u a l ~ X ( ) ; } ; c l a s s Y { p u b l i c : v i r t u a l v

• i

d u n r e f ( ) ; } ; c l a s s Z { p u b l i c : X *

• b

j A ; Y *

• b

j B ; v i r t u a l ~ Z ( ) { d e l e t e

• b

j A ;

• b

j B

• >

u n r e f ( ) ; } } ; arbitrary vfgadget

Philip Holzmann It's a TRaP 13

Extended COOP: REC-G

c l a s s X { p u b l i c : v i r t u a l ~ X ( ) ; } ; c l a s s Y { p u b l i c : v i r t u a l v

• i

d u n r e f ( ) ; } ; c l a s s Z { p u b l i c : X *

• b

j A ; Y *

• b

j B ; v i r t u a l ~ Z ( ) { d e l e t e

• b

j A ;

• b

j B

• >

u n r e f ( ) ; } } ; arbitrary vfgadget recursion

Philip Holzmann It's a TRaP 14

Extended COOP: UNR-G

v

• i

d C : : f u n c ( ) { d e l e t e

• b

j A ; d e l e t e

• b

j B ; d e l e t e

• b

j C ; d e l e t e

• b

j D ; . . . }

Philip Holzmann It's a TRaP 15

Extended COOP: UNR-G

v

• i

d C : : f u n c ( ) { d e l e t e

• b

j A ; d e l e t e

• b

j B ; d e l e t e

• b

j C ; d e l e t e

• b

j D ; . . . } vfgadget vfgadget vfgadget vfgadget

Philip Holzmann It's a TRaP 16

Dynamic Linking

(for ELF)

Philip Holzmann It's a TRaP 17

Dynamic Linking

(for ELF)

• Libraries can be loaded

at runtime

– Addresses of symbols

not known at compile time

Philip Holzmann It's a TRaP 18

Dynamic Linking

(for ELF)

• Libraries can be loaded

at runtime

– Addresses of symbols

not known at compile time

• Global Offset Table &

Procedure Linkage Table are used to resolve addresses at runtime

Philip Holzmann It's a TRaP 19

Dynamic Linking: Global Offset Table

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f

• =

3 ; . . . e x t e r n i n t f

• ;

some_lib.h: foo some_lib.so:

Philip Holzmann It's a TRaP 20

Dynamic Linking: Global Offset Table

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f

• =

3 ; . . . e x t e r n i n t f

• ;

some_lib.h: . . . 6 d 4 : m

• v

l $ x 3 , x 2 9 5 a ( % r i p ) . . . foo some_lib.so:

Philip Holzmann It's a TRaP 21

Dynamic Linking: Global Offset Table

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f

• =

3 ; . . . e x t e r n i n t f

• ;

some_lib.h: . . . 6 d 4 : m

• v

l $ x 3 , x 2 9 5 a ( % r i p ) . . . x . . . x 8 . . . . . . . . . x 3 . . . x 3 8 * x 2 1 < G O T > foo some_lib.so:

Philip Holzmann It's a TRaP 22

Dynamic Linking: Global Offset Table

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f

• =

3 ; . . . e x t e r n i n t f

• ;

some_lib.h: . . . 6 d 4 : m

• v

l $ x 3 , x 2 9 5 a ( % r i p ) . . . x . . . x 8 . . . . . . . . . x 3 . . . x 3 8 * x 2 1 < G O T > foo some_lib.so:

Philip Holzmann It's a TRaP 23

Dynamic Linking: Procedure Linkage Table

v

• i

d f u n ( v

• i

d ) ; v

• i

d f u n 2 ( v

• i

d ) ;

fun2 fun some_lib.so:

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f u n ( ) ; . . .

some_lib.h:

Philip Holzmann It's a TRaP 24

Dynamic Linking: Procedure Linkage Table

6 9 < . p l t > : 6 9 : p u s h q x 2 9 7 2 ( % r i p ) 6 9 6 : j m p q * x 2 9 7 4 ( % r i p ) 6 9 c : n

• p

l x ( % r a x ) 6 a < f u n 2 @ p l t > : 6 a : j m p q * x 2 9 7 2 ( % r i p ) 6 a 6 : p u s h q $ x 6 a b : j m p q 6 9 < . p l t > 6 b < f u n @ p l t > : 6 b : j m p q * x 2 9 6 a ( % r i p ) 6 b 6 : p u s h q $ x 1 6 b b : j m p q 6 9 < . p l t > . . . 8 1 9 : c a l l q 6 b < f u n @ p l t > . . . v

• i

d f u n ( v

• i

d ) ; v

• i

d f u n 2 ( v

• i

d ) ;

fun2 fun some_lib.so:

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f u n ( ) ; . . .

some_lib.h:

Philip Holzmann It's a TRaP 25

Dynamic Linking: Procedure Linkage Table

6 9 < . p l t > : 6 9 : p u s h q x 2 9 7 2 ( % r i p ) 6 9 6 : j m p q * x 2 9 7 4 ( % r i p ) 6 9 c : n

• p

l x ( % r a x ) 6 a < f u n 2 @ p l t > : 6 a : j m p q * x 2 9 7 2 ( % r i p ) 6 a 6 : p u s h q $ x 6 a b : j m p q 6 9 < . p l t > 6 b < f u n @ p l t > : 6 b : j m p q * x 2 9 6 a ( % r i p ) 6 b 6 : p u s h q $ x 1 6 b b : j m p q 6 9 < . p l t > . . . 8 1 9 : c a l l q 6 b < f u n @ p l t > . . . v

• i

d f u n ( v

• i

d ) ; v

• i

d f u n 2 ( v

• i

d ) ;

x . . . x 8 . . . x 1 . . . x 1 8 * x 2 * x 2 8 . . . x 2 1 < G O T > fun2 fun some_lib.so:

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f u n ( ) ; . . .

some_lib.h:

Philip Holzmann It's a TRaP 26

Dynamic Linking: Procedure Linkage Table

6 9 < . p l t > : 6 9 : p u s h q x 2 9 7 2 ( % r i p ) 6 9 6 : j m p q * x 2 9 7 4 ( % r i p ) 6 9 c : n

• p

l x ( % r a x ) 6 a < f u n 2 @ p l t > : 6 a : j m p q * x 2 9 7 2 ( % r i p ) 6 a 6 : p u s h q $ x 6 a b : j m p q 6 9 < . p l t > 6 b < f u n @ p l t > : 6 b : j m p q * x 2 9 6 a ( % r i p ) 6 b 6 : p u s h q $ x 1 6 b b : j m p q 6 9 < . p l t > . . . 8 1 9 : c a l l q 6 b < f u n @ p l t > . . . v

• i

d f u n ( v

• i

d ) ; v

• i

d f u n 2 ( v

• i

d ) ;

x . . . x 8 . . . x 1 . . . x 1 8 * x 2 * x 2 8 . . . x 2 1 < G O T > fun2 fun some_lib.so:

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f u n ( ) ; . . .

some_lib.h:

Philip Holzmann It's a TRaP 27

Dynamic Linking: Procedure Linkage Table

6 9 < . p l t > : 6 9 : p u s h q x 2 9 7 2 ( % r i p ) 6 9 6 : j m p q * x 2 9 7 4 ( % r i p ) 6 9 c : n

• p

l x ( % r a x ) 6 a < f u n 2 @ p l t > : 6 a : j m p q * x 2 9 7 2 ( % r i p ) 6 a 6 : p u s h q $ x 6 a b : j m p q 6 9 < . p l t > 6 b < f u n @ p l t > : 6 b : j m p q * x 2 9 6 a ( % r i p ) 6 b 6 : p u s h q $ x 1 6 b b : j m p q 6 9 < . p l t > . . . 8 1 9 : c a l l q 6 b < f u n @ p l t > . . . v

• i

d f u n ( v

• i

d ) ; v

• i

d f u n 2 ( v

• i

d ) ;

x . . . x 8 . . . x 1 . . . x 1 8 * x 2 * x 2 8 . . . x 2 1 < G O T > fun2 fun some_lib.so:

# i n c l u d e “ s

• m

e _ l i b . h ” . . . f u n ( ) ; . . .

some_lib.h:

Philip Holzmann It's a TRaP 28

Problems with GOT and PLT

• Global Offset Table has to be stored in read-

writable memory

→ Adversary can read code pointers and infer memory layout

Philip Holzmann It's a TRaP 29

PLT Randomization

Philip Holzmann It's a TRaP 30

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

Philip Holzmann It's a TRaP 31

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

• Place PLT in X-only memory

Philip Holzmann It's a TRaP 32

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

• Place PLT in X-only memory
• Eager binding (instead of lazy)

Philip Holzmann It's a TRaP 33

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

• Place PLT in X-only memory
• Eager binding (instead of lazy)
• Insert booby traps

Philip Holzmann It's a TRaP 34

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

• Place PLT in X-only memory
• Eager binding (instead of lazy)
• Insert booby traps
• Randomize order of PLT entries

Philip Holzmann It's a TRaP 35

PLT Randomization

• Transform indirect jumps into direct jumps

– Can now strip function pointers from GOT

• Place PLT in X-only memory
• Eager binding (instead of lazy)
• Insert booby traps
• Randomize order of PLT entries
• Call using trampolines

Philip Holzmann It's a TRaP 36

Vtable Splitting

RTTI ... vtable (R) &funA &funB

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ;

Philip Holzmann It's a TRaP 37

Vtable Splitting

RTTI ... vtable (R) &funA &funB RTTI ... rvtable (R) xvtable (X) jmp funA jmp funB xpointer split

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ;

Philip Holzmann It's a TRaP 38

Vtable Randomization

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ; c l a s s B : p u b l i c A { p u b l i c : v i r t u a l v

• i

d f u n C ( ) ; } ;

Philip Holzmann It's a TRaP 39

Vtable Randomization

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ; c l a s s B : p u b l i c A { p u b l i c : v i r t u a l v

• i

d f u n C ( ) ; } ; ... regular vtable &funA &funB &funC

Philip Holzmann It's a TRaP 40

Vtable Randomization

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ; c l a s s B : p u b l i c A { p u b l i c : v i r t u a l v

• i

d f u n C ( ) ; } ; ... regular vtable &funA &funB &funC

Philip Holzmann It's a TRaP 41

Vtable Randomization

c l a s s A { p u b l i c : v i r t u a l v

• i

d f u n A ( ) ; v i r t u a l v

• i

d f u n B ( ) ; } ; c l a s s B : p u b l i c A { p u b l i c : v i r t u a l v

• i

d f u n C ( ) ; } ; ... regular vtable &funA &funB &funC randomized xvtable ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A ( t r a p ) ( t r a p ) j m p f u n C ( t r a p )

B in B A in B

Philip Holzmann It's a TRaP 42

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; }

Philip Holzmann It's a TRaP 43

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e >

Philip Holzmann It's a TRaP 44

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e >

Philip Holzmann It's a TRaP 45

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e >

Philip Holzmann It's a TRaP 46

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e > funA()

Philip Holzmann It's a TRaP 47

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e > return funA()

Philip Holzmann It's a TRaP 48

Vtable Randomization: Virtual Function Call

xvtable (X) ( t r a p ) j m p f u n B ( t r a p ) j m p f u n A v

• i

d e x a m p l e ( v

• i

d ) { A * x = . . . ; x

• >

f u n A ( ) ; } e x a m p l e : j m p < t r a m p

• l

i n e > r e t u r n _ s i t e : . . . t r a m p

• l

i n e : c a l l x

• >

v t a b l e

• >

x v t a b l e [ 3 ] j m p < r e t u r n _ s i t e > return funA()

Philip Holzmann It's a TRaP 49

Implementation: Readactor++

Philip Holzmann It's a TRaP 50

Implementation: Readactor++

• Extends Readactor

(protects against ROP)

Philip Holzmann It's a TRaP 51

Implementation: Readactor++

• Extends Readactor

(protects against ROP)

• Modified Clang:

– Ensure separation of

code and data

– Collect TRaP information

Philip Holzmann It's a TRaP 52

Implementation: Readactor++

• Extends Readactor

(protects against ROP)

• Modified Clang:

– Ensure separation of

code and data

– Collect TRaP information

• At program start:

RandoLib

– Perform randomization – Rewrite call-sites – Unloaded afterwards

Philip Holzmann It's a TRaP 53

Performance

Philip Holzmann It's a TRaP 54

Performance

• Overall average

performance overhead

• f 1.1 %

Philip Holzmann It's a TRaP 55

Performance

• Overall average

performance overhead

• f 1.1 %
• Combined with

Readactor: 8.4 %

Philip Holzmann It's a TRaP 56

Performance

• Overall average

performance overhead

• f 1.1 %
• Combined with

Readactor: 8.4 %

• Memory overhead

negligible (?)

Philip Holzmann It's a TRaP 57

Security Evaluation

(Ignoring side channels)

Philip Holzmann It's a TRaP 58

Security Evaluation

(Ignoring side channels)

• Attacker can only

disclose code pointers to trampolines

– Cannot infer location of

• ther functions from that

Philip Holzmann It's a TRaP 59

Security Evaluation

(Ignoring side channels)

• Attacker can only

disclose code pointers to trampolines

– Cannot infer location of

• ther functions from that
• Program-allocated

function pointer tables are unprotected

Philip Holzmann It's a TRaP 60

Security Evaluation

(Ignoring side channels)

• Attacker can only

disclose code pointers to trampolines

– Cannot infer location of

• ther functions from that
• Program-allocated

function pointer tables are unprotected

• Probability of correctly

guessing 3 vfgadgets < (1/16)³ ≈ 0.024 %

Philip Holzmann It's a TRaP 61

References

‒ Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Bjorn De Sutter, Michael Franz. “It’s a TRaP: Table Randomization and Protection against Function-Reuse Attacks.” ‒ Michael Matz, Jan Hubic̍ka, Andreas Jaeger, Mark Mitchell. “System V Application Binary Interface AMD64 Architecture Processor Supplement Draft Version 0.99.6”

Philip Holzmann It's a TRaP 62

Questions?