Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis - - PowerPoint PPT Presentation

SLIDE 1

Q: Exploit Hardening Made Easy

Edward J. Schwartz, Thanassis Avgerinos, and David Brumley, Carnegie Mellon University

8/15/2011 1

SLIDE 2

Downloading Exploits

Evil Ed (Windows 7): "I found a control flow hijack exploit online!"

[Figure: the downloaded Exploit]

SLIDE 3

(figure only)

SLIDE 4

Downloading Exploits

Evil Ed (Windows 7): "Why didn't the exploit work?"

SLIDE 5

Causes of Broken Exploits

  • 1. Exploit used OS/binary-specific tricks/features
  • 2. OS Defenses

SLIDE 6

OS Defenses

  • Modern OS defenses are designed to make exploiting difficult
    – ASLR: Address Space Layout Randomization
    – DEP: Data Execution Prevention
    – Do not guarantee control flow integrity
  • How difficult?

SLIDE 7

Exploit hardening: Modifying exploits to bypass defenses

SLIDE 8

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 9

Simple Exploit

[Figure: exploit layout: Padding, Control Pointer, Shellcode (the Computation)]

SLIDE 10

Data Execution Prevention (DEP)

[Figure: exploit layout: Padding, Pointer, Shellcode; the user input is non-executable, so the exploit crashes]

DEP: Buffers cannot be writable and executable

SLIDE 11

Bypassing DEP

  • Goal: Specify exploit computation even when DEP is enabled
  • Return Oriented Programming [S07]
    – Use existing instructions from program in special order to encode computation

SLIDE 12

Return Oriented Programming

Example: How can we write to memory without shellcode?

SLIDE 13

Return Oriented Programming

Gadgets:

  addr1: pop %eax; ret
  addr2: pop %ebx; ret
  addr3: movl %eax, (%ebx); ret

[Figure: exploit stack, bottom to top: addr1, value, addr2, address, addr3, nextaddr; the value is popped into eax and the address into ebx]

SLIDE 14

Address Space Layout Randomization (ASLR)

[Figure: with ASLR disabled the Exploit reaches the Gadgets; with ASLR enabled the Gadgets have moved and the Exploit crashes]

ASLR: Addresses are unpredictable

SLIDE 15

Return Oriented Programming + ASLR

  • Bad news: Randomized code can't be used for ROP
  • Good news: ASLR implementations leave small amounts of code unrandomized

SLIDE 16

ASLR in Linux (Example)

[Figure: memory layout. Randomized: Stack, Heap, Libc. Unrandomized: Executable (Program Image)]

SLIDE 17

Consequences

  • Challenge: Program image is often the only unrandomized code
    – Small
    – Program-specific
  • Prior work on ROP assumes unrandomized large code bases; can't simply reuse
  • We developed new automated ROP techniques for targeting the program image
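The "program image is the only unrandomized code" point is something a defender can measure on their own binaries. The following is an added example, not code from the Q project or these slides: it parses an ELF header and program headers with Python's struct module and reports whether the image is position-independent (ET_DYN, so ASLR can relocate it), whether GNU_STACK requests an executable stack (the DEP side), and how many executable bytes sit at a fixed address, flagged against the 20KB figure the talk quotes. The build_sample_elf helper and the 20KB threshold constant are assumptions of this example; the helper constructs a bare header for testing, not a real binary.

```python
import struct

# Constants from the ELF specification (e_type, p_type and p_flags values)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 1
# Threshold taken from the talk's takeaway: ~20KB of unrandomized code was enough for Q
UNRANDOMIZED_CODE_WARN_BYTES = 20 * 1024


def elf_randomization_report(data: bytes) -> dict:
    """Report what ASLR and DEP leave exposed in one ELF image (32- or 64-bit)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt = endian + "IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt = endian + "IIIIIIII"  # type, offset, vaddr, paddr, filesz, memsz, flags, align
    exec_bytes, stack_exec = 0, None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_memsz = (f[0], f[1], f[6]) if is64 else (f[0], f[6], f[5])
        if p_type == PT_LOAD and p_flags & PF_X:
            exec_bytes += p_memsz  # code that is mapped executable
        elif p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)  # stays None if the header is absent
    pie = e_type == ET_DYN  # ET_DYN images (PIE or shared objects) get a randomized base
    return {
        "pie": pie,
        "executable_stack": stack_exec,
        "unrandomized_exec_bytes": 0 if pie else exec_bytes,
        "rop_surface_warning": (not pie) and exec_bytes >= UNRANDOMIZED_CODE_WARN_BYTES,
    }


def build_sample_elf(e_type: int, code_size: int, stack_exec: bool) -> bytes:
    """Constructed test input (hypothetical, not a runnable binary): x86-64 header + 2 phdrs."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, code_size, code_size, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 7 if stack_exec else 6, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack
```

Run elf_randomization_report over the bytes of a real executable (open it in binary mode) to get the same report for it.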

SLIDE 18

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 19

Automatic ROP Overview

[Figure: inputs are the source program P and the desired Computation; the output is built from instructions from P]

SLIDE 20

ROP Overview

[Figure: Source P and Computation feed three stages: Gadget Discovery, Gadget Arrangement, Gadget Assignment]

SLIDE 21

Gadget Discovery

  • Gadget Discovery: Does instruction sequence do something we can use for our computation?
  • Fast randomized test for every program location (thousands or millions)

[Figure: Source P, with the candidate sequence sbb %eax, %eax; neg %eax; ret]

SLIDE 22

Randomized Testing

Candidate: sbb %eax, %eax; neg %eax; ret

Before: EAX 0x0298a7bc, CF 0x1, ESP 0x81e4f104
After:  EAX 0x1, ESP 0x81e4f108, EBX 0x0298a7bc

Semantic definition for Move: OutReg <- InReg

If 10 random runs satisfy a semantic definition, then Q probably found a gadget of that type

SLIDE 23

Q's Gadget Types

  Gadget Type       | Semantic Definition           | Real World Example
  MoveRegG          | Out <- In                     | xchg %eax, %ebp; ret
  LoadConstG        | Out <- Constant               | pop %ebp; ret
  ArithmeticG       | Out <- In1 + In2              | add %edx, %eax; ret
  LoadMemG          | Out <- M[Addr + Offset]       | movl 0x60(%eax), %eax; ret
  StoreMemG         | M[Addr + Offset] <- In        | mov %dl, 0x13(%eax); ret
  ArithmeticLoadG   | Out +<- M[Addr + Offset]      | add 0x1376dbe4(%ebx), %ecx; (…); ret
  ArithmeticStoreG  | M[Addr + Offset] +<- In       | add %al, 0x5de474c0(%ebp); ret

SLIDE 24

Q's Gadget Types (same table as slide 23, repeated as an animation build)

SLIDE 25

Q's Gadget Types (same table as slide 23, repeated as an animation build)

SLIDE 26

Randomized Testing

  • Randomized testing tells us we likely found a gadget
    – Fast; filters out many candidates
    – Enables more expensive second stage
  • Second stage: SMT-based gadget discovery
    – Gadget discovery is program verification

SLIDE 27

SMT-Based Gadget Discovery

[Figure: the candidate sbb %eax, %eax; neg %eax; ret and the target semantics EAX <- CF go through a Weakest Precondition computation [D76], producing a formula F; an SMT Validity Check on F returns Valid (Gadget) or Invalid (not Gadget)]

SLIDE 28

SMT-Based Gadget Discovery

  • Q is better at finding gadgets than I am!

  imul $1, %eax, %ebx; ret           Move %eax to %ebx
  lea (%ebx,%ecx,1), %eax; ret       Store %ebx+%ecx in %eax
  sbb %eax, %eax; neg %eax; ret      Move carry flag to %eax

SLIDE 29

ROP Overview

[Figure: Source P and Computation feed Gadget Discovery, Gadget Arrangement, Gadget Assignment]

SLIDE 30

Gadget Arrangement

  • Gadget Arrangement: How can gadget types be combined to implement a computation?
  • Alternate view: Compile user computation for gadget type architecture
  • Example: M[0xcafecafe] := 0xdeadbeef

SLIDE 31

Arrangement: Storing to Memory

[Figure: arrangement tree. T1 = StoreMem, u32, with children T2 = LoadConst deadbeef (Value) and T3 = LoadConst cafecafe (Address)]

SLIDE 32

Gadget Arrangement

How can we write to memory without StoreMem?

SLIDE 33

Arrangement: Storing to Memory

[Figure: arrangement tree. T1 = ArithmeticStore, u32, Bitwise And, with children T2 = LoadConst (Value) and T3 = LoadConst cafecafe (Address)]

Writes zero to M[cafecafe]

SLIDE 34

Arrangement: Storing to Memory

[Figure: arrangement tree. T1 = ArithmeticStore, u32, Plus, with children T2 = LoadConst deadbeef (Value) and T3 = LoadConst cafecafe (Address)]

Adds deadbeef to M[cafecafe]: 0 + deadbeef = deadbeef

SLIDE 35

Gadget Arrangement

  • Gadget types are often unavailable
    – Synthesize alternatives on the fly
  • Flexible arrangement rules are necessary for small code bases

SLIDE 36

ROP Overview

[Figure: Source P and Computation feed Gadget Discovery, Gadget Arrangement, Gadget Assignment]

SLIDE 37

Assignment

  • Gadget Assignment: Assign concrete gadgets found in source program to arrangements
  • Assignments must be compatible

SLIDE 38

Assignment: Register Mismatch

[Figure: the arrangement StoreMem, u32 over LoadConst deadbeef and LoadConst cafecafe is assigned the gadgets pop %eax; ret, pop %ebx; ret, and mov %eax, (%ecx); ret]

CONFLICT: %ebx and %ecx mismatch

SLIDE 39

Gadget Assignment

  • Need to search over
    – Gadgets
    – Schedules
  • We developed a dynamic programming approach to find an assignment
  • Easy to print payload bytes with an assignment

SLIDE 40

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 41

Exploit Hardening

[Figure: Old Exploit (stopped by DEP+ASLR) + ROP Payload gives Hardened Exploit (bypasses DEP+ASLR)]

SLIDE 42

Trace-based Analysis

  • Record P on the old exploit

[Figure: execution trace through Branch 1, Branch 2, Branch 3; stop at vulnerability condition]

SLIDE 43

Reasoning about Executions

[Figure: Symbolic Execution [SAB10] turns the recorded path into a Logical Formula For All Inputs On Path]

SLIDE 44

Exploit Constraints

[Figure: Path constraints and Exploit constraints]

SLIDE 45

Exploit Constraints

How do we ensure the ROP payload gets in the exploit?

Gadget constraints:
  M[ESP] = &gadget1
  M[ESP+off1] = &gadget2
  M[ESP+off2] = &gadget3

[Figure: Exploit Constraints and Path Constraints are passed together to the SMT solver, which produces the Exploit]

SLIDE 46

Demo!

SLIDE 47

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 48

Evaluation Questions

  • 1. Can Q harden exploits for real binary programs?
  • 2. How much unrandomized code is sufficient to create ROP payloads?

SLIDE 49

Real Exploits

  • Q was able to automatically harden nine exploits downloaded from exploit-db.com

  Name                            Total Time   OS
  Free CD to MP3 Converter        130s         Windows 7
  Fatplayer                       133s         Windows 7
  A-PDF Converter                 378s         Windows 7
  A-PDF Converter (SEH exploit)   357s         Windows 7
  MP3 CD Converter Pro            158s         Windows 7
  rsync                           65s          Linux
  opendchub                       225s         Linux
  gv                              237s         Linux
  Proftpd                         44s          Linux

SLIDE 50

ROP Probability

  • Given program size, what is the probability Q can create a payload?
    – Measure over all programs in /usr/bin
  • Depends on target computation
    – Call functions statically or dynamically linked by the program (blue on next slide)
    – Call any function in libc (red; harder)
      • system, execv, connect, mprotect, …

SLIDE 51

ROP Probability

[Figure: probability that the attack works against Program Size (bytes)]

Call linked functions in 80% of programs >= true (20KB)
Call libc functions in 80% of programs >= nslookup (100KB)

SLIDE 52

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 53

Limitations

  • Single path (trace-based) analysis
    – Restrictive; prevents finding exploits
  • Q's gadget types are not Turing-complete
    – Calling system("/bin/sh") or mprotect() usually enough
    – Comparison with related work
  • Q cannot find conditional gadgets
    – Potential automation of interesting work on ROP without Returns [CDSSW10]

SLIDE 54

Overview

  • Background: Defenses and Return Oriented Programming (ROP)
  • Q: ROP + Hardening
    – Automatic ROP
    – Automatic Hardening
  • Evaluation
  • Limitations
  • Conclusion

SLIDE 55

Conclusion

  • We built Q, a system that automatically hardens exploits to bypass defenses
    – Challenge: Reusing small amounts of code
  • Q automatically hardened nine real exploits found in the wild against latest OS defenses
  • Takeaway: Unrandomized code is dangerous
    – 20KB makes DEP+ASLR ineffective

SLIDE 56

Thanks!

  • Questions?
  • Check out some of the gadgets Q can find at http://plaid.cylab.cmu.edu:8080/~ed/gadgets

Edward J. Schwartz, edmcman@cmu.edu, http://www.ece.cmu.edu/~ejschwar

SLIDE 57

Sizes of Gadget Sources

[Figure: plot of File size (bytes) against Ratio]

SLIDE 58

Types of Gadgets

[Figure: plot of Number of StoreMem gadgets against Number of ArithStore gadgets]