Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Similar documents

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Return-oriented programming without returns

Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation

Evaluating a ROP Defense Mechanism. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis Columbia University

Abysssec Research. 1) Advisory information. 2) Vulnerable version

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Attacking x86 Windows Binaries by Jump Oriented Programming

Software Fingerprinting for Automated Malicious Code Analysis

Bypassing Memory Protections: The Future of Exploitation

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Hotpatching and the Rise of Third-Party Patches

Automating Mimicry Attacks Using Static Binary Analysis

Software Vulnerabilities

Introduction. Figure 1 Schema of DarunGrim2

Computer Organization and Architecture

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Stack Overflows. Mitchell Adair

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Instruction Set Architecture

Off-by-One exploitation tutorial

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Transparent ROP Detection using CPU Performance Counters. 他山之石, 可以攻玉 Stones from other hills may serve to polish jade

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

esrever gnireenigne tfosorcim seiranib

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Buffer Overflows. Security 2011

Reverse Engineering and Computer Security

Counterfeit Object-oriented Programming

Fighting malware on your own

Assembly Language: Function Calls" Jennifer Rexford!

Identification and Removal of

64-Bit NASM Notes. Invoking 64-Bit NASM

Return-oriented Programming: Exploitation without Code Injection

風水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Practical taint analysis for protecting buggy binaries

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

derop: Removing Return-Oriented Programming from Malware

1. General function and functionality of the malware

Out Of Control: Overcoming Control-Flow Integrity

Gadge Me If You Can Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM

Harnessing Intelligence from Malware Repositories

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

For a 64-bit system. I - Presentation Of The Shellcode

Administration. Instruction scheduling. Modern processors. Examples. Simplified architecture model. CS 412 Introduction to Compilers

ILR: Where d My Gadgets Go?

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Intel 8086 architecture

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

Computer Organization and Components

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

SoK: Eternal War in Memory

Platform-independent static binary code analysis using a metaassembly

Jakstab: A Static Analysis Platform for Binaries

Hydra. Advanced x86 polymorphic engine. Incorporates existing techniques and introduces new ones in one package. All but one feature OS-independent

CPU performance monitoring using the Time-Stamp Counter register

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Instruction Set Architecture (ISA)

Overview. CISC Developments. RISC Designs. CISC Designs. VAX: Addressing Modes. Digital VAX

Windows XP SP3 Registry Handling Buffer Overflow

High-speed image processing algorithms using MMX hardware

Custom Penetration Testing

MSc Computer Science Dissertation

How to Sandbox IIS Automatically without 0 False Positive and Negative

G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries

Violating Database - Enforced Security Mechanisms

Machine-Level Programming II: Arithmetic & Control

X86-64 Architecture Guide

Systems Design & Programming Data Movement Instructions. Intel Assembly

Android Security Extensions

8085 INSTRUCTION SET

An introduction to the Return Oriented Programming. Why and How

Bypassing Browser Memory Protections in Windows Vista

Static detection of C++ vtable escape vulnerabilities in binary code

Compilers I - Chapter 4: Generating Better Code

Disassembly of False Positives for Microsoft Word under SCRAP

Binary Code Extraction and Interface Identification for Security Applications

l C-Programming l A real computer language l Data Representation l Everything goes down to bits and bytes l Machine representation Language

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

A single register, called the accumulator, stores the. operand before the operation, and stores the result. Add y # add y from memory to the acc

Anti-exploit tools: The next wave of enterprise security

Vigilante: End-to-End Containment of Internet Worms

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Transcription:

USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for Secure Computing @ TU Darmstadt, Germany Joint Work with Daniel Lehmann, Ahmad-Reza Sadeghi (TU Darmstadt) Fabian Monrose (UNC Chapel Hill)

Open Question: Practical and secure mitigation of code reuse attacks Turing-completeness of return-oriented programming 2

Hot Research Topic: Practical (coarse-grained) Control Flow Integrity (CFI) Recently, many solutions proposed CCFIR [IEEE S&P 13] MS BlueHat Prize ROPecker [NDSS 14] MS BlueHat Prize CFI for COTS Binaries [USENIX Sec 13] kbouncer [USENIX Sec 13] ROPGuard [Microsoft EMET] 3 EMET http://technet.microsoft.com/ en-us/security/jj653751

This Talk: Negative result all current (published) coarse-grained CFI solutions can be bypassed 4

Our Contributions Systematic Security Analysis Pointing out the conceptual weaknesses of coarse-grained CFI solutions including Microsoft s EMET Systematic Security Analysis Generic Attack Real World Exploits 5

Our Contributions Our Attack is Generic Only CFI policies considered, not specific CFI solutions, bypassing even the Über-CFI that combines all CFI policies The only work showing Turing-completeness Systematic Security Analysis Generic Attack Real World Exploits 6

Our Contributions Concrete Attack Instantiations under Strong Adversary Model Very small code base: 840kb Systematic Security Analysis Generic Attack Real World Exploits 7

ROP Adversary Model/Assumption Data Area ROP Payload 3 Application Shared Libraries Code Area MEMORY Application Address Space 4 Adversary can write ROP payload in the data area (stack/heap) 1 Adversary can hijack control-flow (buffer overflow) 2 Adversary knows the memory layout (memory disclosure) See our JIT-ROP attack Snow et al, IEEE S&P 2013 & BlackHat USA Adversary can construct gadgets MOV ADD 8 Gadget Space (e.g., Shared Libraries) ESP CALL LNOP XOR LOAD STORE

Generic ROP Defense: Control-Flow Integrity (CFI) Restricting indirect control-flow targets to a pre-defined control-flow graph 9

Original CFI Label Checking [Abadi et al., CCS 2005 & TISSEC 2009] BBL A label_a ENTRY asm_ins, EXIT C A B BBL B label_b ENTRY asm_ins, EXIT CFI CHECK EXIT(A) -> label_b? 10

Original CFI: Benefits and Limitations 11

Coarse-Grained CFI: Aims at practical CFI for real-world deployment 12

General Idea 3 1 2 5 Reducing number of labels 1 1 2 1 4 6 2 2 13

Coarse-Grained CFI Proposals kbouncer [USENIX Sec 13] HOOK Win API / Critical Function Binary Instrumentation Application ROPecker [NDSS 14] HOOK Paging CFI for COTS Binaries [USENIX Sec 13] CCFIR [IEEE S&P 13] POP ROPGuard [Microsoft EMET] PUSH Last Branch Record (LBR) 14 Stack

Main Coarse-Grained CFI Policies CFI Policy 1: Call-Preceded Sequences Returns need to target a callpreceded instruction Application CALL A asm_ins asm_ins CALL B asm_ins CALL C asm_ins RET CFI Policy 2: Behavioral- Based Heuristics Prohibit Threshold a chain Setting of N short sequences kbouncer: each (N=8; S<=20) consisting of ROPecker: less than(n=11; S instructions S<=6) 1 2 N < S < S < S > S < S 15

Most Restrictive Coarse-Grained CFI CFI Policy kbouncer ROPecker ROPGuard EMET CFI Policy 1 Call-Preceded Sequences CFI Policy 2 Behavioral-Based Heuristics CFI for COTS Binaries Über-CFI Time of CFI Check WinAPI 2 Pages Sliding Window / Critical Functions WinAPI/ Critical Functions Indirect Branch Any Time No Restriction CFI Policy 16 Here only the core policies shown. However, we consider all other deployed policies in our analysis.

Our Methodology Common Library kernel32.dll Sequence Finder (IDA Pro) Sequence Filter (D Program) Search for Gadgets Provide filters on Reg, Ins, Opnd, Length Gadget Generation (manual) List of Call- Preceded Sequences Sequence Subset 1 Sequence Subset n MOV ESP LNOP LOAD ADD CALL XOR STORE 17

(Excerpt of) Turing-Complete Gadget Set in Gadget Type CFI-Protected kernel32.dll CALL-Preceded Sequence ending in a RET instruction LOAD Register LOAD/STORE Memory Arithmetic/ Logical Branches 18 EBP := pop ebp ESI := pop esi; pop ebp EDI := pop edi; leave ECX := pop ecx; leave EBX := pop edi; pop esi; pop ebx; pop ebp EAX := mov eax,edi; pop edi; leave EDX := mov eax,[ebp-8]; mov edx,[ebp-4]; pop edi; leave LD(EAX) := mov eax,[ebp+8]; pop ebp ST(EAX) := mov [esi],eax; xor eax,eax; pop esi; pop ebp ST(ESI) := mov [ebp-20h],esi ST(EDI) := mov [ebp-20h],edi ADD/SUB := sub eax,esi; pop esi; pop ebp XOR := xor eax,edi; pop edi; pop esi; pop ebp unconditional branch 1 := leave unconditional branch 2 := add esp,0ch; pop ebp conditional LD(EAX) := neg eax; sbb eax,eax; and eax,[ebp-4];.leave

Long NOP Gadget ROP Gadget 1 Store Registers Prepare Long NOP Long NOP Reset Registers ESI EDI EBX Stack ESI EDI Static Constants Arbitrary Data Area (36 Bytes) ROP Gadget 2 19

Real-World Exploitation Adobe Reader 9.1 CVE-2010-0188 MPlayer Lite r33064 m3u Buffer Overflow Exploit Both detected by Microsoft EMET and coarse-grained CFI Common Library kernel32.dll Exploit Transformation Successful Exploit Details in Paper 20

Lessons Learned Fundamental problems of coarse-grained CFI 1. Too many call sites available Turing-complete gadget set possible on small code base Restrict returns to valid/hot call sites (shadow stack) 2. Heuristics are ad-hoc and ineffective Our generic Long NOP evades heuristics and handles all side effects Adjusted sequence length leads to high false positive 3. Too many indirect jump and call targets 21 Resolving indirect jumps and calls is non-trivial Original CFI: Vulcan framework remains blackbox Compromise: Compiler support

Summary Summary and Future Work We systematically analyze the security of all recently proposed practical defenses against code reuse attacks We show Turing-completeness of ROP even over less than 1MB code base And, we provide real-world exploits Our ongoing work: fine-grained CFI Hardware/Software Co-design [DAC 2014]; collaboration with Intel Software Solutions; collaboration with Microsoft Future work CFI for dynamic code or JIT-enabled applications Improved code randomization schemes 22

Thank you! For more information see www.trust.cased.de 23