The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Intelligent Things, Vehicles and Factories: Intel Workshop on Cyberphysical and Mobile Security 2014, Darmstadt, June 11 The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014 Lucas Davi Intel CRI-SC, CASED/TU Darmstadt Joint Work with Daniel Lehmann, Ahmad-Reza Sadeghi (TU Darmstadt) Fabian Monrose (UNC Chapel Hill)

Motivation Sophisticated, complex Created by various of different developers Native Code Large attack surface for control-flow attacks (runtime attacks) [Úlfar Erlingsson, Low-level Software Security: Attacks and Defenses, TR 2007] 2

Return-Oriented Programming (ROP) Re t u r n o r ien ted Pro g ra mm ing 3

ROP Attack Technique: Overview Program Code Sequence 1 asm_ins RET SP Corrupt Control Structures Program Stack Return Address 3 Value 2 Value 1 Return Address 2 Return Address 1 REG1: Sequence 2 POP REG1 POP REG2 RET Sequence 3 asm_ins RET Value 1 REG2: Value 2... 4

ROP Attack History - Selected ROP without Returns Checkoway et al. (CCS) 2011 2013 JIT-ROP Snow et al. IEEE S&P Real-World ROP-based Exploits 5

6 No Code Restrictions Existing ROP attacks can leverage and jump to any code mapped into the program s address space

Control-Flow Integrity (CFI) Restricting indirect control-flow targets to a pre-defined control-flow graph 7

CFI Label Checking [Abadi et al., CCS 2005 & TISSEC 2009] BBL A label_a ENTRY asm_ins, EXIT A CFI CHECK EXIT(A) -> label_b? C B BBL B label_b ENTRY asm_ins, EXIT 8

CFI: Benefits and Limitations Fine-grained protection Security of CFI can be formally defined and anaylzed Requires side information Induces performance overhead 9

Coarse-Grained CFI Making CFI practical for real-world deployment ROPecker [NDSS 14] ROPGuard [Microsoft EMET] kbouncer [USENIX Sec 13] CFI for COTS Binaries [USENIX Sec 13] 10

Coarse-Grained CFI Proposals CFI Wrapper kbouncer [USENIX Sec 13] HOOK Win API / Critical Function Application ROPecker [NDSS 14] HOOK Paging CFI for COTS Binaries [USENIX Sec 13] CCFIR [IEEE S&P 13] POP ROPGuard [Windows EMET] PUSH Last Branch Record (LBR) Stack 11

12 Deployed CFI Policies

CFI Policy 1: Call-Preceded Sequence Fine-Grained CFI Returns need to target their original caller (shadow stack) Coarse-Grained CFI Return instructions are only allowed to target a valid call site, i.e., a call-preceded instruction Application Function A asm_ins CALL LIB_function asm_ins Function B asm_ins CALL open asm_ins CALL write asm_ins Library LIB_function asm_ins... RET 13

CFI Policy 2: Chain of Short Sequences Report a ROP attack after N sequences each consisting of less than S instructions ROP Sequence 1 3 ROP Sequence 3 2 ROP Sequence 4 to (N-1) <= S Threshold Setting kbouncer: (N=8; S <= 20) ROPecker: (N=11; S <= 6) ROP Sequence 2 4 Time Report ROP Attack ROP Sequence N 3 14

The claim is that coarse-grained CFI policies are sufficient to thwart real-world and Turing-complete ROP attacks

Our Contributions 1 Systematic security analysis of coarse-grained CFI solutions (kbouncer, ROPecker, ROPGuard/EMET, CFI for COTS) 2 Turing-complete gadget set based on a single and default Windows library (kernel32.dll) 3 Transformation of 2 real-world ROP exploits 16

Taking the Most Restrictive Setting in Coarse-Grained CFI CFI Policy kbouncer ROPecker ROPGuard EMET CFI Policy 1 Call-Preceded Instruction CFI Policy 2 Chain of Short Sequences CFI for COTS Binaries Combined CFI Policy Time of CFI Check WinAPI 2 Pages Sliding Window / Critical Functions WinAPI/ Critical Functions Any Time Any Time 17 No Restriction CFI Policy Note that there are also other CFI policies (e.g., for indirect jumps/calls). We have considered these policies in our security analysis, but omit them at this place and only focus on the core CFI policies

Our Analysis Methodology and Assumptions Assumptions Attacker can bypass ASLR, see our JIT-ROP paper [IEEE S&P 2013] Attacker has only access to one standard shared Windows library Methodology Common Library kernel32.dll Search for Gadgets Provide filters on Reg, Ins, Opnd, Length Sequence Finder (IDA Pro) Sequence Filter (D Program) Gadget Generation (manual) List of Call- Preceded Sequences Sequence Subset 1 Sequence Subset n MOV ESP LNOP LOAD ADD CALL XOR STORE 18

(Excerpt of) Turing-Complete Gadget Set in CFI-Protected kernel32.dll Gadget Type LOAD Register LOAD/STORE Memory Arithmetic/ Logical Branches CALL-Preceded Sequence ending in a RET instruction EBP := pop ebp ESI := pop esi; pop ebp EDI := pop edi; leave ECX := pop ecx; leave EBX := pop edi; pop esi; pop ebx; pop ebp EAX := mov eax,edi; pop edi; leave EDX := mov eax,[ebp-8]; mov edx,[ebp-4]; pop edi; leave LD(EAX) := mov eax, [ebp+8]; pop ebp ST(EAX) := mov [esi],eax; xor eax,eax; pop esi; pop ebp ST(ESI) := mov [ebp-20h],esi ST(EDI) := mov [ebp-20h],edi ADD/SUB := sub eax,esi; pop esi; pop ebp XOR := xor eax,edi; pop edi; pop esi; pop ebp unconditional branch 1 := leave unconditional branch 2 := add esp,0ch; pop ebp conditional LD(EAX) := neg eax; sbb eax,eax; and eax,[ebp-4]; leave 19

Long NOP Gadget Purpose Bypass behavioral-based heuristics on sequence length kbouncer: A sequence of more than 20 instructions after each 7th short sequence Challenge Longer sequences involve side-effects Approach Leverage a Long NOP sequence that (1) does not affect many registers and (2) performs many controlled memory writes 20

21 ROP Gadget 2 (RET 1) New Value Saved eax (ebx) Saved esi Saved edi LNOP (RET 8) Pattern (ebp) DATA_ADDR (edi) DATA_ADDR (esi) Pre-LNOP (RET 7) STORE EAX (RET 6) STORE EDI (RET 5) EDI_ADDR (ebp) EAX_ADDR (esi) POP ESI,EBP (RET 4) STORE ESI (RET 3) ESI_ADDR (ebp) POP EBP (RET 2) ROP Gadget 1 (RET 1) Stack DATA_ADDR 36 Bytes Memory 14 Memory Writes (esi,edi) 3 other instructions POP edi POP esi MOV ebx,eax POP ebx POP ebp RET ROP Sequence 8 (LNOP) POP esi POP edi POP ebp RET ROP Sequence 7 (Pre-LNOP)

Real-World Exploitation Adobe Reader 9.1 CVE-2010-0188 MPlayer Lite r33064 m3u Buffer Overflow Exploit Both detected by Microsoft EMET and coarse-grained CFI Common Library kernel32.dll Exploit Transformation Successful Exploit Details in Paper 22

Recent Independent Work Several related attacks have been proposed independently from our work: Overcoming Control-Flow Integrity [Göktas et al., IEEE S&P 2014] ROP is still dangerous [Carlini et al., USENIX Security 2014] Evaluating the Effectiveness of Current Anti-ROP Defenses [Schuster et al., RAID 2014] Size Does Matter [Göktas et al., USENIX Security 2014] -> No details yet published Differences We show ROP attacks that simultaneously bypass CFI Policy 1 and 2 (return restrictions & behavioral heuristics) independent on when CFI checks are performed For the first time, we present a Turing-complete gadget under the presence of combined coarse-grained CFI policy using a single default 1MB library 23

Hardware-Assisted CFI [Davi et al., DAC 2014] Static Analysis Application Static Software- Based Instrumentation Runtime Enforcement CFIBR label Hardware-Based CFI Checks CFIRET label CALL Target valid function beginning RET Target a call site at a currently executing function JMP - Heuristics CFI Wrapper Application CFI Label State Anomaly Detector 24

Conclusion and Future Work Coarse-Grained CFI policies are too weak Realistic ROP attacks are still possible under weak adversarial assumptions Ongoing Work Fine-Grained HW-based CFI leveraging SW/HW co-design 25