Practical taint analysis for protecting buggy binaries

Transcription

1 Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <[email protected]>

2 Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2

3 Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_&buf

4 Address Space Layout Randomisation (ASLR) buf[16] GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_????

5 Stack Canaries buf[16] GET / HTTP/1.100 baseretnarg1

6 Stack Canaries buf[16] GET / HTTP/1.100 baseretnarg1 SHELLCODE!@#$%^&*()_!@#%&buf

7 buf[16] Non-executable data (DEP / NX) GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_&buf

8 Fortify Source char buf[16]; memcpy(buf, r->buf, r->len); GET / HTTP/1.100baseretnarg1arg2 sh;stacksmasheraaaaaaaaaaaaaaaaa

9 Fortify Source char buf[16]; memcpy(buf, r->buf, r->len); GET / HTTP/1.100baseretnarg1arg2 char buf[16]; memcpy_chk(buf, r->buf, r->len, 16); sh;stacksmasheraaaaaaaaaaaaaaaaa

10 *** buffer overflow detected ***: /my/fortified/binary terminated ======= Backtrace: ========= /lib/i386-linux-gnu/i686/cmov/libc.so.6( fortify_fail+0x50)[0xb774a4d0] /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe040a)[0xb774940a] /my/fortified/binary[0x ] /lib/i386-linux-gnu/i686/cmov/libc.so.6( libc_start_main+0xe6)[0xb767fe46] /my/fortified/binary[0x ] ======= Memory map: ======== r-xp fe: /my/fortified/binary a000 rw-p fe: /my/fortified/binary rw-p :00 0 [heap] b764b000-b r-xp fe: /lib/i386-linux-gnu/libgcc_s.so.1 b b rw-p 0001b000 fe: /lib/i386-linux-gnu/libgcc_s.so.1 b b rw-p : Aborted

11

12 buf[16] Return Oriented Programming (ROP) GET / HTTP/1.100baseretnarg1arg2 sh;stacksmasher...rop1rop2var1 pointer to useful code

13 Some exploits still work with all these defense measures. Example: nginx buffer underrun (CVE )

14 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->uri_start

15 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->uri_start r->ctx[33] r->uri.data / u

16 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data /?.. u

17 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data xyz/ ctxp0000/?.. u

18 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data xyz/ badp0000bad_ctx0

19 typedef struct { ngx_buf_t ngx_chain_t ngx_chain_t ngx_chain_t unsigned unsigned unsigned ngx_pool_t ngx_int_t ngx_bufs_t ngx_buf_tag_t ngx_output_chain_filter_pt void } ngx_output_chain_ctx_t; *buf; *in; *free; *busy; sendfile; need_in_memory; need_in_temp; *pool; allocated; bufs; tag; output_filter; *filter_ctx;

20 typedef struct { ngx_buf_t ngx_chain_t ngx_chain_t ngx_chain_t unsigned unsigned unsigned ngx_pool_t ngx_int_t ngx_bufs_t ngx_buf_tag_t ngx_output_chain_filter_pt void } ngx_output_chain_ctx_t; *buf; *in; *free; *busy; sendfile; need_in_memory; need_in_temp; *pool; allocated; bufs; tag; output_filter; *filter_ctx; function pointer

21

22 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call *0x2c(%ecx)

23 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call : mov *0x2c(%ecx) %eax,0x4(%esp) ; push argv mov %ebx,(%esp) ; push filename call *0x14(%ebx)

24 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call : mov *0x2c(%ecx) %eax,0x4(%esp) ; push argv mov %ebx,(%esp) ; push filename call *0x14(%ebx) 804b274: <execve@plt> ; get shell

25 - defeats address randomisation (through info leak)

26 - defeats address randomisation (through info leak) - defeats non-executable data protection

27 - defeats address randomisation (through info leak) - defeats non-executable data protection - not a standard copy function (no fortify protections)

28 - defeats address randomisation (through info leak) - defeats non-executable data protection - not a standard copy function (no fortify protections) - not return oriented, so stack smash protection does not matter

29 But the situation is even worse

30 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there

31 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there - many packages do not apply these defence mechanisms even today

32 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there - many packages do not apply these defence mechanisms even today - implementation flaws

33 Can we do more?

34 Can we do more? >> DEP prevents untrusted data from being run as code

35 Can we do more? >> DEP prevents untrusted data from being run as code << ROP replaces untrusted code with pointers to original code.

36 Can we do more? >> DEP prevents untrusted data from being run as code << ROP replaces untrusted code with pointers to original code. >> Can we prevent untrusted pointers from being used as jump addresses?

37 Taint analysis 0805be be be d8 4b a0 2e K be90 94 be a ef be ad de a4 be x bea0 ac be f e 2f a4 be /bin/sh beb d e SAMETHINGWED 0805bec0 4f e e 4b 59 OEVERYNIGHTPINKY 0805bed e be ef 1f NARF bee0 ff fa ff f & bef bf

38 Taint tracking (1/2): - remember whether data is trusted or not - untrusted data is 'tainted' - when data is copied, its taint is copied along - taint is ORed for arithmetic operations

39 Taint tracking (2/2): When the code jumps to an address in memory, the source of this address is checked for taint. eg.: - RET - CALL *%eax - JMP *0x1c(%ebx)

40

41 Taint tracking photo: useful, but slow as hell

42 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

43 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

44 Emulator process-level emulator

45 Emulator process-level emulator fast x86 -> x86 jit compiler

46 Emulator process-level emulator fast x86 -> x86 jit compiler keeps register state the same

47 Emulator t_eax = t_eax t_ecx eax = eax + ecx eax = eax + ebx original code jit code

48 Emulator process-level emulator fast x86 -> x86 jit compiler keeps register state the same translates big chunks of code all at once

49 Emulator compile jit code

50 Emulator run jit code compile jit code

51 Emulator indirect jump run jit code find jump address compile jit code

52 Emulator indirect jump lookup miss run jit code find jump address compile jit code

53 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

54 Linux stack heap/libs User executable

55 Memory layout (linux) linux kernel USER

56 Memory layout (minemu) linux kernel USER minemu TAINT

57 Memory layout (minemu) linux kernel USER minemu TAINT

58 Memory layout (minemu) linux kernel USER write to x minemu TAINT

59 Memory layout (minemu) linux kernel USER write to x minemu TAINT x+const

60 Memory layout (minemu) linux kernel USER taint data to user memory minemu TAINT user data to taint memory

61 Memory layout (minemu) linux kernel USER taint data to user memory minemu TAINT user data to taint memory

62 Addressing shadow memory mov EAX, (EDX)

63 Addressing shadow memory mov EAX, (EDX) address: EDX

64 Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+const

65 Addressing shadow memory mov EAX, (EDX+EBX*4)

66 Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4

67 Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+const

68 Addressing shadow memory push ESI

69 Addressing shadow memory push ESI address: ESP

70 Addressing shadow memory push ESI address: ESP taint: ESP+const

71 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

72 Taint propagation in SSE registers xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) 128-bit

73 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) 128-bit

74 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi)

75 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 T(x) T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) vector insert

76 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 T(x) T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) or

77 Effectiveness Application Type of vulnerability Security advisory Snort Stack overflow CVE Cyrus imapd Stack overflow CVE Samba Heap overflow CVE Memcached Heap overflow CVE Nginx Buffer underrun CVE Proftpd 1.3.3a Stack overflow CVE Samba Heap overflow CVE Telnetd 1.6 Heap overflow CVE Ncompress Stack overflow CVE Iwconfig V.26 Stack overflow CVE Aspell Stack overflow CVE Htget 0.93 Stack overflow CVE Socat 1.4 Format string CVE Aeon 0.2a Stack overflow CVE Exim 4.41 Stack overflow EDB-ID#796 Htget 0.93 Stack overflow Tipxd Format string OSVDB-ID#12346

78 Performance HTTP HTTPS

79 Performance SPECINT h264ref 462.libquantum 458.sjeng 456.hmmer 445.gobmk 429.mcf 403.gcc 401.bzip2 400.perlbench 2.4x overall overall 483.xalancbmk 473.astar 471.omnetpp gzip OpenSSH (scp+sshd) PostgreSQL (pgbench) MediaWiki (HTTPS)

80 Limitations

81 Limitations Doesn't prevent memory corruption, only acts when the untrusted data is used for arbitrary code execution.

82 Limitations Tainted pointer dereferences tainted_pointer->some_field = useful_untainted_value;

83 Limitations Tainted pointer dereferences tainted_pointer->some_field = useful_untainted_value; propagation can lead to false positives: dispatch_table[ checked_input]();

84 Limitations Taint whitewashing out = latin1_to_ascii[ in];

85 Limitations Format string attacks: printf( "%65534s %123$hn"); // Propagates taint in glibc printf( "FillerFiller...%123$hn"); // Does not :-(

86 Limitations Does not protect against non-control-flow exploits

87 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }

88 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }

89 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }

90 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }

91 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }

92 PROBLEM.php?-s

93 in some cases we can add validation hooks. mysql_query() can be hooked to check for taint outside of literals in SQL queries.

94 in some cases we can add validation hooks. mysql_query() can be hooked to check for taint outside of literals in SQL queries. _IO_vfprintf() in glibc can be hooked to check format strings for taint.

95 Demo bash

96 Minemu git clone

97 Minemu git clone any questions?

98

99 Memory layout (64 bit) USER USER TAINT USER TAINT TAINT USER TAINT

100 Memory layout (64 bit) alternative TAINT gs segment USER data/code/stack segment