The problem
- Address the problem of stopping determined attackers from exploiting our software
- Interest in control-flow integrity (CFI)
- Existing defenses: data execution prevention (DEP), stack smashing protection (SSP), address space layout randomization (ASLR)
Data execution prevention (DEP)
- Hardware-enforced DEP: marks all memory locations in a process as non-executable unless the location explicitly contains executable code (the NX bit)
- Software-enforced DEP: performs additional checks on the exception handling mechanisms in Windows
Stack smashing protection (SSP)
- Prevents changes to return addresses, either by detecting the change of the return address before the function returns or by preventing the write to the return address
- Checks that the canary word is intact before jumping to the return address
- The return address is read-only (invariant) while the function is active
Address space layout randomization (ASLR)
- Randomly arranges the positions of the base of the executable, the libraries, and the heap and stack
- An attacker can only guess, by brute force
- The program crashes on a wrong guess
Attacks
- Guessing attacks: brute-force attacks
- Information leakage: an information leak occurs when system data or debugging information leaves the program through an output stream or logging function
- Control-flow hijacking: return-to-libc, ROP, JOP
Contributions
- Evaluate fast, state-of-the-art CFI techniques and show that they do not protect against advanced ROP exploits
- Develop a methodology for performing code-reuse attacks against CFI-protected software
- Demonstrate the chaining of gadgets using function calls to perform useful actions, i.e., call-oriented programming (COP)
- Construct a working exploit for Internet Explorer 8 on Windows 7 with DEP and ASLR on, assuming CCFIR is in place
- Assess the availability of the gadgets required to launch such attacks against other popular software on Windows 7, such as Internet Explorer 9, Acrobat Reader XI, the Microsoft Office 2013 suite of programs, and Firefox 24
Control-flow integrity (ideal CFI)
- CFI thwarts control-hijacking attacks by keeping control flow within the control-flow graph (CFG)
- Programs contain two types of control-flow transfers: direct and indirect
- Every control-flow transfer target is assigned an ID, and checks are inserted before indirect control-flow instructions to ensure that only valid targets are allowed
Control-flow integrity (ideal CFI)
- There are two major challenges for the adoption of CFI in its ideal form:
- It requires a complete and precise CFG of the protected application in order to accurately identify all indirect transfer targets and assign IDs
- It incurs a non-negligible performance overhead caused by the checks introduced before indirect control-flow instructions
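The following is an added illustration of the label-based check the two slides above describe; it is not code from the presentation or from any CFI implementation. It models a toy program (constructed names, not a real binary) and compares an ideal policy, where each indirect transfer site gets a label covering exactly its CFG successors, against a loose two-label policy of the kind the deck attributes to practical frameworks, where every function entry is a valid indirect-call target and every return address a valid return target. The function names, site names and CFG edges are all constructed for the example.

```python
"""Label-based CFI check over a constructed control-flow graph.

Added example for the slides on ideal CFI (not the presentation's code).
Every name below is constructed; 'ic@' marks an indirect-call site,
'ret@' a return instruction inside the named function.
"""

# Allowed targets for each indirect transfer site (the CFG edges).
CFG = {
    "ic@parse":     {"handler_a", "handler_b"},   # function-pointer table
    "ic@dispatch":  {"cmp_int", "cmp_str"},       # comparator callback
    "ret@helper":   {"after_call_1"},             # helper is called once
    "ret@handler_a": {"after_call_2"},
}
SITE_KIND = {s: ("call" if s.startswith("ic@") else "ret") for s in CFG}

# Every function entry and every return address in the toy program,
# independent of which site the CFG allows to reach them.
FUNCTION_ENTRIES = {"handler_a", "handler_b", "cmp_int", "cmp_str",
                    "helper", "unrelated_fn"}
RETURN_ADDRS = {"after_call_1", "after_call_2", "after_call_3"}


def ideal_policy(cfg):
    """Ideal CFI: one label per distinct allowed-target set, so a site may
    reach exactly its CFG successors. Returns (site_label, target_label).
    A target shared by sites with different target sets would need code
    duplication; the toy CFG avoids that case and we reject it."""
    label_of_set, site_label, target_label = {}, {}, {}
    for site, targets in cfg.items():
        lbl = label_of_set.setdefault(frozenset(targets), len(label_of_set) + 1)
        site_label[site] = lbl
        for t in targets:
            if target_label.setdefault(t, lbl) != lbl:
                raise ValueError(f"{t} would need two labels")
    return site_label, target_label


def loose_policy(cfg, site_kind, entries, ret_addrs):
    """Loose CFI with two labels: any function entry is a valid target of
    any indirect call, any return address a valid target of any return."""
    CALL, RET = 1, 2
    site_label = {s: (CALL if site_kind[s] == "call" else RET) for s in cfg}
    target_label = {e: CALL for e in entries}
    target_label.update({r: RET for r in ret_addrs})
    return site_label, target_label


def transfer_allowed(policy, site, target):
    """The inserted check: the label expected at the transfer site must
    equal the label found at the destination."""
    site_label, target_label = policy
    expected = site_label.get(site)
    return expected is not None and target_label.get(target) == expected


def evaluate(policy, transfers):
    """Classify (site, target) pairs under a policy, for side-by-side review."""
    return {f"{s}->{t}": transfer_allowed(policy, s, t) for s, t in transfers}


if __name__ == "__main__":
    probes = [("ic@parse", "handler_a"), ("ic@parse", "unrelated_fn"),
              ("ic@parse", "after_call_1"), ("ret@helper", "after_call_2")]
    print("ideal:", evaluate(ideal_policy(CFG), probes))
    print("loose:", evaluate(loose_policy(CFG, SITE_KIND,
                                          FUNCTION_ENTRIES, RETURN_ADDRS), probes))
```

Under the ideal policy only the CFG edge `ic@parse -> handler_a` passes; under the loose policy any function entry, including `unrelated_fn`, and any return address for `ret@helper` pass, because the check verifies the target's class rather than its identity. That gap is what the rest of the deck exploits, and it is also the property a defender should test for when evaluating a CFI implementation.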
Compact Control Flow Integrity and Randomization (CCFIR)
- Distinguishes between calls and returns, and prevents unauthorized returns into sensitive functions
- Directs indirect control transfers through a dedicated "springboard" section that encodes target restrictions via code alignment
CFI approaches
Gadgets in CFI
- Two types of gadgets:
- Call-site gadgets (CS): blocks of instructions right after a call instruction that terminate with a return instruction
- Entry-point gadgets (EP): blocks of instructions starting at a function's entry point and ending with an indirect call or jump
- Gadgets begin at an allowable control-transfer target; they are long and may contain instructions unrelated to the ones performing the desired functionality
- Larger gadgets may include code branches within them
- Generally gadgets are prioritized by size, examining smaller ones first
Locating the gadgets
- Attacks have two stages:
1. Learn information about the layout of the target application
2. Use that information to locate the gadgets in the payload
- ASLR is a key component in modern systems
- CFI checks are performed for the three different kinds of target supported
- Each springboard entry is 8 or 16 bytes long, and its location within the springboard is randomized at load time
- In CCFIR the attacker has to identify the location of the appropriate entries in the springboard
Calling functions
- Options under CFI:
- Through indirect calls: indirect call instructions are always permitted to jump to a function
- Through gadgets: look for gadgets that include an indirect or fixed function call in their body
Linking gadgets
- The available gadgets cannot be linked in arbitrary ways, since not all control flows are permitted
- Different ways to link gadgets:
- Transferring control to a CS gadget and setting up the stack chains multiple gadgets of the same type together
- Receiving control via a call instruction, only EP gadgets can be linked
- Moving from EP- to CS-gadget linking
- Moving from CS- to EP-gadget linking: link a CS gadget to a CS-IC gadget, in which the operand of an indirect call is controlled, and use that to redirect control to an EP gadget
- Gadget-used data: one of the gadget's instructions uses the data before it is set
- Gadget-set data: any data in registers or memory that is set by the gadget before exiting
- Calling a function in a gadget chain depends on the ability to set up its arguments on the stack
- This is achieved by linking available gadgets to move arguments from the controlled buffer to the appropriate registers or memory locations
From code reuse to code injection
- The goal is to link the gadgets and bypass DEP
- Find a vulnerable function and put the injected code on the stack
Proof-of-concept exploitation
- System protected with CCFIR (the strictest of the loose CFI frameworks)
- Generic exploit, applicable to similar frameworks (bin-CFI)
- A heap overflow in Internet Explorer gives control of an indirect jump
- The vulnerability is triggered by accessing the span and width attributes of a column in an HTML table through JavaScript
    <html>
    <body>
    <table style="table-layout:fixed">
    <col id="132" width="41" span="1"></col>
    </table>
    <script>
    function over_trigger() {
        var obj_col = document.getElementById("132");
        obj_col.width = "42765";
        obj_col.span = 1000;
    }
    setTimeout("over_trigger();", 1);
    </script>
    </body>
    </html>

- Overwrite a virtual function table (VFT) pointer in a button, leading to control of an indirect jump instruction
- Overwrite the size of a string object (add a reference to the object and manipulate its size, for memory disclosure)
- Trigger it multiple times, as long as the process does not crash
Gadget location in CCFIR
- CCFIR replaces the function pointers in the binary with pointers to function stubs
- Replaces indirect calls with direct jumps to the springboard
- Control flow is enforced by aligning the call and return stubs, and by checking that the function's address and the return address follow the alignment (emulating two IDs)
- Only for non-sensitive functions; returns from sensitive functions are omitted
Gadget location in CCFIR
- CCFIR checks indirect control-flow transfers through its springboard section (a special memory layout): the called function's stub and the return address stub are placed in the springboard
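The following is an added toy model of the alignment-based check described on the two slides above; it is not CCFIR's code and does not reproduce CCFIR's exact address encoding. It keeps only what the slides state: indirect transfers are redirected into a springboard whose entries (8 or 16 bytes) sit at a location randomized at load time, and the alignment of a function stub versus a return stub stands in for two CFI labels. The specific split used here (call stubs at offset 8 mod 16, return stubs at offset 0 mod 16, one 16-byte slot per entry) is an assumption of the model, and the rule for sensitive functions is left out. Function and call-site names are constructed.

```python
"""Toy springboard with alignment-encoded CFI labels.

Added example for the CCFIR slides (not CCFIR's code). Assumptions of
this model: every entry occupies a 16-byte slot, call stubs live at
offset 8 within a slot, return stubs at offset 0. Names are constructed.
"""
import secrets

SLOT = 16            # one 16-byte slot per entry (model assumption)
CALL_STUB_OFF = 8    # call stubs at 8 mod 16, return stubs at 0 mod 16


class Springboard:
    """One stub per function (indirect-call target) and one per call site
    (return target). Base address and entry order are randomized at
    construction, mirroring load-time randomization of the springboard."""

    def __init__(self, functions, call_sites, base=None, shuffle=True):
        rng = secrets.SystemRandom()
        # Constructed address range: a page-aligned base below 4 GiB.
        self.base = base if base is not None else rng.randrange(0x1000, 1 << 32, 0x1000)
        entries = [("fn", f) for f in functions] + [("ret", c) for c in call_sites]
        if shuffle:
            rng.shuffle(entries)          # entry positions differ per load
        self.size = SLOT * len(entries)
        self.call_stub, self.ret_stub = {}, {}
        for i, (kind, name) in enumerate(entries):
            slot = self.base + SLOT * i
            if kind == "fn":
                self.call_stub[name] = slot + CALL_STUB_OFF
            else:
                self.ret_stub[name] = slot

    def _in_board(self, addr):
        return self.base <= addr < self.base + self.size

    def check_indirect_call(self, target):
        """Check inserted before an indirect call: target must be a call
        stub, i.e. inside the springboard and 8-aligned but not 16-aligned."""
        return self._in_board(target) and target % SLOT == CALL_STUB_OFF

    def check_return(self, target):
        """Check inserted before a return: target must be a return stub,
        i.e. inside the springboard and 16-byte aligned."""
        return self._in_board(target) and target % SLOT == 0


def classify(board, transfers):
    """Report, for (kind, address) pairs, whether the inserted check passes.
    Useful for seeing which diverted transfers the class-level check stops."""
    out = []
    for kind, addr in transfers:
        ok = board.check_indirect_call(addr) if kind == "call" else board.check_return(addr)
        out.append((kind, hex(addr), ok))
    return out


if __name__ == "__main__":
    b = Springboard(["parse", "render", "log"], ["cs1", "cs2"])
    print("base", hex(b.base))
    print(classify(b, [("call", b.call_stub["parse"]),   # legitimate target
                       ("call", b.call_stub["log"]),     # any function stub passes
                       ("call", b.ret_stub["cs1"]),      # wrong class: rejected
                       ("ret", b.ret_stub["cs2"]),
                       ("ret", b.base - SLOT)]))         # outside springboard
```

Two observations the model makes concrete. A transfer whose target is not a correctly aligned springboard address fails, which is why, with ASLR, an attacker first needs a memory disclosure to learn stub addresses (the constraint stated on the later slides). But a call redirected to the stub of any function passes, because the alignment encodes only "function entry" versus "return address"; that class-level granularity is what lets the gadget chains described in this deck stay within the policy.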
To successfully perform the exploitation
- Heap Feng Shui: positioning the vulnerable buffer, the string object and the button object in the right order in the heap
- 1st buffer overflow: the string object's size property is overwritten to build the memory disclosure
- 2nd buffer overflow: the button object's VFT pointer is overwritten
- Heap spraying: injects multiple instances of a specially crafted buffer in memory; copies of the buffer are allocated at reliable addresses, and one of them is written to the VFT pointer of the button
- The buffer guides the chaining of gadgets, from the initial indirect transfer instruction to code injection
Memory disclosure
- Constraints to bypass:
- ASLR is used: the base addresses of the modules of interest (the DLLs containing the gadgets) must be found
- CCFIR springboard for indirect transfers: the addresses of the function call and return stubs for the gadgets used must be found; otherwise the CFI check fails
Memory disclosure
- Find the base addresses of the gadget modules mshtml.dll and ieframe.dll
- mshtml.dll: revealed by the VFT pointer within the button; the pointer is at a constant relative offset from the string object, and it points to a constant, known offset within mshtml.dll (giving the base)
- ieframe.dll: read the address of a function that is contained in ieframe.dll and imported by mshtml.dll; the button object is at a fixed relative distance from the string object, and once the string's address is known, the imported address is at a known relative distance from the string