lecture 11 control flow hijacking defenses
play

Lecture 11 Control-flow Hijacking Defenses Stephen Checkoway - PowerPoint PPT Presentation

Oct 30, 2022 •307 likes •688 views

Lecture 11 Control-flow Hijacking Defenses Stephen Checkoway Oberlin College Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload) padding &buf computation +

  1. Lecture 11 – Control-flow Hijacking Defenses Stephen Checkoway Oberlin College Slides adapted from Miller, Bailey, and Brumley

  2. Control Flow Hijack: Always control + computation shellcode (aka payload) padding &buf computation + control • code injection Same principle, • return-to-libc different mechanism • Heap metadata overwrite • return-oriented programming • ... 2

  3. Control Flow Hijacks … happen when an attacker gains control of the instruction pointer . Two common hijack methods: • buffer overflows • format string attacks 3

  4. Control Flow Hijack Defenses Bugs are the root cause of hijacks! • Find bugs with analysis tools • Prove program correctness Mitigation Techniques: • Canaries • Data Execution Prevention/No eXecute • Address Space Layout Randomization 4

  5. CANARY / STACK COOKIES 5 http://en.wikipedia.org/wiki/File:Domestic_Canary_-_Serinus_canaria.jpg

  6. “A”x68 . “\xEF\xBE\xAD\xDE” #include<string.h> int main(int argc, char **argv) { … char buf[64]; argv strcpy(buf, argv[1]); argc } return addr Dump of assembler code for function main: caller’s ebp %ebp 0x080483e4 <+0>: push %ebp 0x080483e5 <+1>: mov %esp,%ebp 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov %eax,4(%esp) buf 0x080483f4 <+16>: lea -64(%ebp),%eax (64 bytes) 0x080483f7 <+19>: mov %eax,(%esp) argv[1] 0x080483fa <+22>: call 0x8048300 <strcpy@plt> 0x080483ff <+27>: leave buf %esp 0x08048400 <+28>: ret 6 6

  7. “A”x68 . “\xEF\xBE\xAD\xDE” #include<string.h> int main(int argc, char **argv) { … char buf[64]; argv strcpy(buf, argv[1]); argc corrupted } overwritten return addr 0xDEADBEEF Dump of assembler code for function main: overwritten caller’s ebp AAAA %ebp 0x080483e4 <+0>: push %ebp buf 0x080483e5 <+1>: mov %esp,%ebp (64 bytes) AAAA… (64 in total) 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov %eax,4(%esp) 0x080483f4 <+16>: lea -64(%ebp),%eax 0x080483f7 <+19>: mov %eax,(%esp) argv[1] 0x080483fa <+22>: call 0x8048300 <strcpy@plt> 0x080483ff <+27>: leave buf %esp 0x08048400 <+28>: ret 7 7

  8. StackGuard [Cowen etal. 1998] Idea: … arg 2 • prologue introduces a arg 1 canary word between return return addr addr and locals caller’s ebp %ebp callee-save • epilogue checks canary CANARY before function returns locals Wrong Canary => Overflow %esp 8

  9. gcc Stack-Smashing Protector (ProPolice) Dump of assembler code for function main: Compiled with v4.6.1: 0x08048440 <+0>: push %ebp gcc -fstack-protector -O1 … 0x08048441 <+1>: mov %esp,%ebp 0x08048443 <+3>: sub $76,%esp 0x08048446 <+6>: mov %gs:20,%eax return addr 0x0804844c <+12>: mov %eax,-4(%ebp) 0x0804844f <+15>: xor %eax,%eax caller’s ebp 0x08048451 <+17>: mov 12(%ebp),%eax CANARY 0x08048454 <+20>: mov 4(%eax),%eax 0x08048457 <+23>: mov %eax,4(%esp) 0x0804845b <+27>: lea -68(%ebp),%eax 0x0804845e <+30>: mov %eax,(%esp) 0x08048461 <+33>: call 0x8048350 <strcpy@plt> 0x08048466 <+38>: mov -4(%ebp),%edx 0x08048469 <+41>: xor %gs:20,%edx buf (64 bytes) 0x08048470 <+48>: je 0x8048477 <main+55> 0x08048472 <+50>: call 0x8048340 <__stack_chk_fail@plt> 0x08048477 <+55>: leave 9 0x08048478 <+56>: ret

  10. Canary should be HARD to Forge • Terminator Canary – 4 bytes: 0,CR,LF,-1 (low->high) – terminate strcpy() , gets() , … • Random Canary – 4 random bytes chosen at load time – stored in a guarded page – need good randomness 10

  11. Ideas for defeating stack canaries? • Use targeted write, e.g., format string • Overwrite data pointer first return addr • Overwrite function pointer loaded and caller’s ebp used from higher up the stack CANARY • memcpy buffer overflow with fixed canary • Canary leak buf (64 bytes)

  12. Bypass: Data Pointer Subterfuge Overwrite a data pointer first … return addr int *ptr; caller’s ebp CANARY char buf[64]; ptr memcpy(buf, user1); *ptr = user2; buf (64 bytes) 12

  13. Overwrite function pointer higher up void contrived(const char *user, void (*fun)(char *)) { char buf[64]; strcpy(buf, user); fun fun(buf); user } return addr • Overflow buffer to overwrite fun on the stack caller’s ebp CANARY • Tricky! Compiler can load fun into a register before strcpy (this can happen with optimization) • Works better with structs with function buf pointers (e.g., OpenSSL) or C++ classes (64 bytes)

  14. memcpy/memmove with fixed canary • Fixed canary values like 00 0d 0a ff (0, CR, NL, -1) are designed to terminate string operations like strcpy and gets • However, they are trivial to bypass with memcpy vulnerabilities

  15. Canary leak I: two vulnerabilities • Exploit one vulnerability to read the value of the canary • Exploit a second to perform a buffer overflow on the stack, overwriting the canary with the correct value

  16. Canary leak II: pre-fork servers • Some servers fork worker processes to handle connections • In the main server process – Establish listening socket – Fork all the workers; if any die, fork a new one • In the worker process (in a loop) – Accept a connection on the listening socket – Process request

  17. Canary leak II: pre-fork servers • This design interacts poorly with stack canaries • Since each worker is forked from the main process, it initially has exactly the same memory layout and contents, including stack canary values! • Attacker can often learn the canary a byte at a time by overflowing just a single byte of the canary, trying values 00 through ff until it doesn’t crash; then move on to the next byte

  18. What is “Canary”? Wikipedia : “the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.” 18

  19. DATA EXECUTION PREVENTION (DEP) / NO EXECUTE (NX)/ EXECUTE DISABLED (XD)/ EXECUTE NEVER (XN) 19

  20. How to defeat exploits? shellcode padding &buf computation + control DEP Canary 20

  22. Memory permissions • Set (or clear) a bit in a page table entry to prevent code from being executed • Enforced by hardware: Trying to fetch an instruction from a page marked as non-executable causes a processor fault

  23. Data Execution Prevention shellcode padding &buf Mark stack as CRASH non-executable using NX bit (still a Denial-of-Service attack!) 23

  24. W ^ X shellcode padding &buf Each memory page is CRASH exclusively either writable or executable. (still a Denial-of-Service attack!) 24

  25. Actually a pretty old idea • MIPS R2000 (from 1986) has per-page readable, writable, executable bits • Intel 80386 (from 1985) does not. Mapped pages are always readable and executable • Intel 80286 (from 1982) introduced 16-bit “protected mode” where code, data, and stack segments can be separated • The 386 has a 32-bit “protected mode” but most OSes set code, data, and stack segments to be the entire virtual address space

  26. Physical Address Extension • Intel added an extension to increase the size of allowable physical memory beyond 4 GB • PAE changed the page table format, added a third level of translation, and added the execute disable bit (but the OS has to enable both PAE and NX support) • x86-64 uses the PAE format and thus supports NX

  27. ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) 27

  28. Address Space addr of buf addr of buf Layout (0xffffd5d8) (0xffffd5d8) Randomization caller’s ebp caller’s ebp buf[63] 0xffffd618 0xffffe428 buf buf Shellcode Shellcode R a n d o m i z e ! 0xffffd5d8 0xffffe3f8 buf[0] Oops… 0xffffd5d8 28

  29. ASLR Traditional exploits need precise addresses – stack-based overflows: location of shell code – return-to-libc: library addresses (we’ll talk about this next time) • Problem: program’s memory layout is fixed – stack, heap, libraries etc. • Solution: randomize addresses of each region! 29

  30. Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

  31. Running cat Twice • Run 1 • Run 2 31

  32. Bits of randomness (32-bit x86) • Depends on the OS, but roughly – Program code and data: 0 bits (fixed addresses) – Heap: 13 bits (2^13 possible start locations) – Stack: 19 bits (2^19 possible start locations) – Libraries: 8 bits (2^8 possible start locations) • With position-independent executables (PIE) – Program code and data: 8 bits – Others the same • 64-bit has much more randomness

  33. Support for ASLR added over time • Initially by the PaX team for Linux • All major OSes support it for applications • Kernel ASLR now supported by major OSes

  34. Is DEP + ASLR a panacea? • Not really • Next time: DEP bypass via code reuse attacks • How can we bypass ASLR?

  35. Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload)

652 views • 36 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in Memory Errors* * Victor van der Veen,

517 views • 39 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if statements use expressions that are conceptually either true or false . These expressions are called relational expressions or Boolean expressions

570 views • 28 slides
SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow Hijacking (CFH) Microsoft: 70% of bugs are memory corruptions Control and Data Planes are interleaved Memory corruption Control-Flow

576 views • 34 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Flow Control: boolean expressions, if selec5on statements

Flow Control: boolean expressions, if selec5on statements

CS 101 Lecture 25 Flow Control: boolean expressions, if selec5on statements (Alice In Ac5on, Ch 4) Slides Credit: Joel Adams, Alice in Action Flow Control Flow: sequence of

391 views • 15 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
A CTIVE M EASUREMENT F OR N EUROSCIENCE LCCC Focus Period on Large-Scale and Distributed

A CTIVE M EASUREMENT F OR N EUROSCIENCE LCCC Focus Period on Large-Scale and Distributed

(Towards) A CTIVE M EASUREMENT F OR N EUROSCIENCE LCCC Focus Period on Large-Scale and Distributed Optimization June 2017 Ross Boczar PhD Student boczar@berkeley.edu B erkeley C enter for C omputational Ben Eric I maging Recht

616 views • 48 slides
Lectures and the transition to university David Pritchard (david.pritchard@strath.ac.uk)

Lectures and the transition to university David Pritchard (david.pritchard@strath.ac.uk)

Lectures and the transition to university David Pritchard (david.pritchard@strath.ac.uk) University of Birmingham, 25 March 2015 Acknowledgements: the roughly 2000 first-year students whove helped me to find out what doesnt work. This is

401 views • 22 slides
Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic Analyses Caitlin Sadowski Jaeheon Yi July 20, 2009 University of California at Santa Cruz Monday, July 20, 2009 1 Some

570 views • 28 slides
Write gcc in C++ Ian Lance Taylor Google June 17, 2008 C++ Write gcc in C++ Ian Lance Taylor

Write gcc in C++ Ian Lance Taylor Google June 17, 2008 C++ Write gcc in C++ Ian Lance Taylor

Write gcc in C++ Ian Lance Taylor Google Write gcc in C++ Ian Lance Taylor Google June 17, 2008 C++ Write gcc in C++ Ian Lance Taylor Google C++ is a standardized, well known, popular language. C++ is nearly a superset of C90 used

1.87k views • 17 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
This paper examines one of the key ways governments of developing countries can entrench a

This paper examines one of the key ways governments of developing countries can entrench a

This paper examines one of the key ways governments of developing countries can entrench a technological culture on her people in rural or semi rural settings. It will discuss the importance of technological governance through the

818 views • 63 slides
Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How

Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How

Additive . . . It Is Important to . . . How Complexity Is . . . Open Problem Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How Accurate Is Any . . . Manufacturing: How to Combine . . . Our Result A

370 views • 16 slides
Service Dogs for Dysautonomia! A service dog is defined in the ADA as any dog that has been

Service Dogs for Dysautonomia! A service dog is defined in the ADA as any dog that has been

Service Dogs for Dysautonomia! A service dog is defined in the ADA as any dog that has been Individually task trained to mitigate an individuals disability. Different countries have different requirements, however in the USA the

822 views • 36 slides

More recommend