abusing performance optimization weaknesses to bypass aslr
play

Abusing Performance Optimization Weaknesses to Bypass ASLR - PowerPoint PPT Presentation

Sep 21, 2022 •144 likes •661 views

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center (Rough) System Attack Trends Executing existing code

  1. Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center

  2. (Rough) System Attack Trends Executing existing code Executing injected code out of original program order • Ret/Jmp/Call to Stack • Ret/Jmp/Call to libc • Ret/Jmp/Call to Heap • Ret/Jmp/Call to “gadgets” In general, to launch such attacks, one needs to know the addresses of stack, heap objects, code gadgets, etc.

  3. Address Space Layout Randomization (ASLR) • Intuition: introducing diversity into the memory layout of computer systems will defeat many easily replicated attacks [1]

  4. A Brief History of ASLR iOS 4.3 MS Vista Android Stack PaX Mac OS X Leopard Linux Kernel 4.0 Randomization Project 10.5 2.6.12 1998/1999 2001 2005 2007 2011

  5. Bypassing ASLR • Abusing non-randomized data structures – Executables compiled without the PIE flag – VirtualAlloc and MapViewOfFile are not randomized [2] – SharedUserData is located at fixed address[3]

  7. Exploiting vulnerabilities to leak addresses – Type Confusion – Heap Overflow – Use-after-free – Integer Overflow – Format String – Uninitialized Memory Read

  8. Today, we will talk about ... ● Performance oriented designs that are at odds with ASLR

  10. Hash Table ● Hash Table ○ map keys to values ○ keys are hashed to find proper buckets bucket# = hash(key) % arraySize

  11. Hash Table ● Collision Resolution ○ # of buckets are limited! ○ Open addressing: find the next available bucket ■ Linear probing ■ Quadratic probing ■ Double hashing

  12. Hash Table and ASLR? ● Built-in hash tables ○ JavaScript, Java, Python, Ruby, … ○ Sometimes they use memory addresses as a key for objects #

  13. Hash Table and ASLR? ● Memory addresses as a key ○ (Always) unique identifier for an object ○ Fast / Easy to implement ● Alternatives ○ Random numbers ⇒ collision free? ○ Static counters ⇒ thread safe?

  14. Hash Table and ASLR? Q. Can you read the key? A. If the language allows, yes x = object() id(x) hash(x) Q. Is this a security breach? A. It depends

  15. Address Information in Script Languages ● Usually running scripts from the shell means you have everything. ● What if it is running in restricted environments? ○ Sandboxed environments ○ Many script languages have sandbox-like extensions for

  16. Hash Table and ASLR? Q. Can you still read the key even if it is not allowed? A. Partially, via timing attacks

  17. Attacking ASLR with Hash Tables Can you read Can you infer Is the key the key? the key? a memory address? Python yes - yes Ruby yes - yes Julia yes - yes PHP yes - no Java (JVM) yes - no Java (DVM) yes - yes JavaScript (WebKit) no yes yes JavaScript (V8) no yes no

  18. Examples - Directly Reading a Key x = object() x = object() id(x) x.object_id hash(x) type x end Object x = new Object(); object_id(x) x.hashCode();

  19. Hash Table in WebKit JavaScript ● Name object ○ Adding (unique) private properties to any object ○ New (experimental) features for ES6 Harmony ○ How is it unique? ■ using memory addresses

  20. // Source/WTF/wtf/text/StringImpl.h enum CreateEmptyUniqueTag { CreateEmptyUnique }; StringImpl(CreateEmptyUniqueTag) : m_refCount(s_refCountIncrement) , m_length(0) , m_data16(reinterpret_cast< const UChar*>(1)) { ASSERT(m_data16); unsigned hash = static_cast<uint32_t>(reinterpret_cast<uintptr_t>( this )); hash <<= s_flagCount; if (!hash) hash = 1 << s_flagCount; m_hashAndFlags = hash | BufferInternal; STRING_STATS_ADD_16BIT_STRING(m_length); }

  21. How to Infer a Key in WebKit Javascript ● Requirements ○ Collision resolution should follow a certain order ⇒ double hashing ○ A hash algorithm must be deterministic ⇒ yes ○ Hash tables must be (partially) controllable ⇒ Number / String

  22. How to Infer a Key in WebKit Javascript ● Requirements (in WebKit JavaScript) ○ Collision resolution should follow a certain order ⇒ Double hashing ○ A hash algorithm must be deterministic ⇒ Yes ○ Hash tables must be (partially) controllable ⇒ Number / String

  23. How to Infer the Key in WebKit Javascript Number(3) Name(“inferMe”) # String(“Hello”) Keys / hashes are unknown Keys / hashes are known

  24. Abusing Collision Resolution ● Linear Probing ○ If there’s a collision, simply try the next slot ○ Given key k & i th trial bucket# ⇐ (hash(k)+i ) % tableSize

  25. Abusing Collision Resolution bucket# ⇐ Hash(Number( 1 )) % 8 = 1 bucket# ⇐ Hash(Number( 9 )) % 8 = 1 bucket# ⇐ Hash(Number( 17 )) % 8 = 1

  26. Abusing Collision Resolution ● Search timing differences ○ Assume the table is filled up ○ Except bucket # 0

  27. Abusing Collision Resolution ● Time differences b/w worst and best cases bucket# ⇐ Hash(Number( 1 )) % 8 = 1 ⇒ Slow … ...

  28. Abusing Collision Resolution ● Time differences b/w worst and best cases bucket# ⇐ Hash(Number( 0 )) % 8 = 0 ⇒ Fast … ...

  29. Abusing Collision Resolution ● If you catch this timing difference, ⇒ learn something about hash (key) ⇒ one bit information at a time ● Is this doable in JavaScript? ○ JS timer is mili-seconds ⇒ repeat thousand times ○ Table size is too big ⇒ repeat a lot again ⇒ Calibration !

  30. Abusing Collision Resolution ● Weak key ○ A key that the second hash function returns small integer numbers ■ To avoid fuzziness of double-hashing ○ Can be found with high probabilities ⇒ Repeat the Name object creation until we find the weak key

  31. Abusing Collision Resolution ● Prototype implementations ○ Ported WebKit’s hash functions to JavaScript ○ Pre-built an inversion table ■ h -1 (String/Number) ⇒ bucket # ○ Currently leaking 12-bits ■ Possible up to 23-bits ■ Need better mathematical properties.

  32. // Source/WTF/wtf/text/StringImpl.h enum CreateEmptyUniqueTag { CreateEmptyUnique }; StringImpl(CreateEmptyUniqueTag) : m_refCount(s_refCountIncrement) , m_length(0) , m_data16(reinterpret_cast< const UChar*>(1)) { ASSERT(m_data16); unsigned hash = static_cast<uint32_t>(reinterpret_cast<uintptr_t>( this )); WTFLogAlways("Address : 0x%08x\n", hash); hash <<= s_flagCount; if (!hash) hash = 1 << s_flagCount; m_hashAndFlags = hash | BufferInternal; STRING_STATS_ADD_16BIT_STRING(m_length); }

  33. DEMO

  34. ● Reported and patched in WebKit ● Related work ○ DoS attacks on hash tables [7,8] ○ Timing attacks on hash tables (Firefox) [9]

  35. Countermeasures ● Non-deterministic hashing for controllable objects ○ Universal Hashing ● Simply not using addresses ○ Random values ■ Possible collisions ? ○ XOR masking ■ Two-time pads?

  36. // php-src/ext/spl/php_spl.c PHPAPI void php_spl_object_hash(zval *obj, char *result TSRMLS_DC) /* {{{*/ { intptr_t hash_handle, hash_handlers; char *hex; Random mask init if (!SPL_G(hash_mask_init)) { if (!BG(mt_rand_is_seeded)) { php_mt_srand(GENERATE_SEED() TSRMLS_CC); } SPL_G(hash_mask_handle) = (intptr_t)(php_mt_rand(TSRMLS_C) >> 1); SPL_G(hash_mask_handlers) = (intptr_t)(php_mt_rand(TSRMLS_C) >> 1); SPL_G(hash_mask_init) = 1; } Two-time pads! hash_handle = SPL_G(hash_mask_handle)^(intptr_t)Z_OBJ_HANDLE_P(obj); hash_handlers = SPL_G(hash_mask_handlers)^(intptr_t)Z_OBJ_HT_P(obj); spprintf(&hex, 32, "%016lx%016lx", hash_handle, hash_handlers); strlcpy(result, hex, 33); efree(hex); }

  38. History of ASLR adoption in Android • Why ASLR on Android? – Prevent exploitations of native code in apps • Adopted incrementally – Performance concerns on early Android devices (enabling PIE ➔ load latency / memory overheads) – Android 4.1 implemented full ASLR enforcements

  39. (actual) ASLR enforcements in Android related to performance prioritized design

  40. Performance Prioritized Designs of Android • Multi-layered architectures – Android Applications run in a Dalvik VM – with additional runtime libraries ➔ Slow app launch time Application Android Runtime Library Dalvik VM

  41. Zygote: the process creation module

  42. Zygote: the process creation module

  43. Zygote weakens ASLR effectiveness ① ② ③ • All apps have the same memory layouts for shared libraries loaded by the Zygote process • Weakens Android ASLR security

  44. Attacking the ASLR weakness • Fully working exploits (with an ideal ASLR) must – Exploit an Information leak vulnerability – Exploit a control-flow hijack vulnerability ➔ should be achieved in the same app !

  45. Attacking the ASLR weakness • Zygote’s ASLR weakness allows for – Remote Coordinated Attacks • Information leak in Chrome + control-flow hijack in VLC • Reduce the vulnerability searching spaces – Local Trojan Attacks • Obtain the memory layout by having the trojan app installed

  46. Remote Coordinated Attack Chrome Malicious JavaScript Exploit the information leak vulnerability ➔ (CVE-2013-0912) ① ② ③ ④ Attacker’s web server Crafted video file VLC player Exploit the control-flow hijack vulnerability ➔ with leaked memory layout information Victim’s Android

Recommend

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions

Westerham Bypass Presentation for town meeting on 25 th February Context to Bypass discussions Squerryes has been asked by WTC to review feasibility of bypass. It is at a very early stage. Bypass has been on the agenda for circa 40 plus

97 views • 8 slides
Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George

Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George

The U.S. Experience with Performance Monitoring and Measurement: Strengths and Weaknesses Burt S. Barnow George Washington University Prepared for the Conference on More Effective Workforce Programs through Comparative Performance Monitoring

516 views • 12 slides
Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001

Mini-Gastric Bypass Whats in a Name? Mini gastric bypass (MGB) since 1997 Rutledge 2001 One-anastomosis gastric bypass (OAGB) Garcia-Caballero in 2004 Single-anastomosis gastric bypass (SAGB) Lee 2014 Omega loop

814 views • 48 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Can We Improve Internet Performance? An Expedited Internet Bypass Protocol Dr. Ing. Nirmala

Can We Improve Internet Performance? An Expedited Internet Bypass Protocol Dr. Ing. Nirmala

Can We Improve Internet Performance? An Expedited Internet Bypass Protocol Dr. Ing. Nirmala Shenoy Professor , ISchool, School of Information Director , Lab for Networking and Security 1 Golisano College of Computing and Information Sciences

942 views • 29 slides
PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING

PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING

PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING MATERIAL DATA FROM BENCH SCALE TESTS Patrick Lauer University of Wuppertal lauer@uni-wuppertal.de Content 1. Content 2. Introduction 3. Method

490 views • 31 slides
PERFORMANCE OPTIMIZATION IN RED PERFORMANCE OPTIMIZATION IN RED HAT OPENSTACK PLATFORM HAT

PERFORMANCE OPTIMIZATION IN RED PERFORMANCE OPTIMIZATION IN RED HAT OPENSTACK PLATFORM HAT

PERFORMANCE OPTIMIZATION IN RED PERFORMANCE OPTIMIZATION IN RED HAT OPENSTACK PLATFORM HAT OPENSTACK PLATFORM LUNCH &amp; LEARN LUNCH &amp; LEARN Razique Mahroua Red Hat Training - Services Content Architect ABOUT ME ABOUT ME Course author

881 views • 68 slides
Web Performance Optimization: Analytics Wim Leers Promotor: Prof. dr. Jan Van den Bussche Web

Web Performance Optimization: Analytics Wim Leers Promotor: Prof. dr. Jan Van den Bussche Web

Web Performance Optimization: Analytics Wim Leers Promotor: Prof. dr. Jan Van den Bussche Web Performance Optimization Speed matters! Source: http://www.useit.com/alertbox/response-times.html, Jakob Nielsen, June 21, 2010 Web Performance

755 views • 59 slides
US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental

US 81 Bypass of Chickasha US 81 Bypass of Chickasha Environmental Assessment Environmental Assessment Public Meeting Public Meeting March 14, 2013 US 81 Bypass Environmental Assessment Introductions ODOT FHWA SAIC US 81 Bypass

964 views • 48 slides
WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich

WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich

Berry bypass WELCOME BERRY BYPASS COMMUNITY MEETING 6 DECEMBER 2011 Berry bypass RMS Steve Zhivanovich Project director Ron de Rooy Project manager Carla Brookes Project communications Michael Sheridan Design Joy Duncan

372 views • 24 slides
the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

Userspace networking: beyond the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel integration Benot Ganne, bganne@cisco.com 30/01/2020 1 Why a native network driver? Why userspace networking?

773 views • 8 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 /

Five weaknesses of ASPIC+ Leila Amgoud amgoud@irit.fr Amgoud (IRIT) Weaknesses of APSIC+ 1 / 12 Motivation Argumentation = an activity of reason aimed to increase (or decrease) the acceptability of a controversial standpoint by putting

975 views • 38 slides
Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA

Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA

Countournement de Couvin Worksite Visit 9 November 2018 SA TRBA Bypass of Couvin Video TRBA Bypass of Couvin SA TRBA Bypass of Couvin 2 nd phase Section between La Platinerie and French border (5100 13700) 200

243 views • 23 slides
1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization

1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization

1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization A typical workflow for performance optimization MATLAB's performance measurement tools Common performance issues in MATLAB and how to solve

656 views • 29 slides
To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for

To determine the level of fitness of students. To identify strengths and weaknesses for development/improvement To provide a baseline data for selection of physical activities for enhancement of health and skill performance. To

552 views • 38 slides
Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s

Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s

Turbine Bypass System ISO 9001 Certified E n g i n e e r e d S o l u t i o n s Valvtechnologies, Inc. Turbine Bypass System STAY ON-LINE The steam turbine bypass system will allow the operator to keep the gas turbine and the heat recovery

203 views • 4 slides
Outline Performance Optimization of Component-based Data Intensive Motivation Applications

Outline Performance Optimization of Component-based Data Intensive Motivation Applications

Outline Performance Optimization of Component-based Data Intensive Motivation Applications Approach Optimization Group Instances Alan Sussman Optimization Transparent Copies Michael Beynon Ongoing Work Tahsin Kurc

76 views • 6 slides
How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness

How UNAIDS works Strengths and weaknesses in the governance of UNAIDS Strengths Inclusiveness of decision making Involvement of civil society, PLWH Things can change Strengths and weaknesses in the governance of UNAIDS Weaknesses

209 views • 7 slides
Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today

Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today

Computer Systems and Networks ECPE 170 University of the Pacific Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today Today Lab 7 Performance Lab 5 due by 11:59pm Optimization

832 views • 22 slides
On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

1.05k views • 62 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
Goals of Program Optimization (1 of 2) Goal: Improve program performance within some constraints

Goals of Program Optimization (1 of 2) Goal: Improve program performance within some constraints

CS 426 Topic 9: Optimization Basics Goals of Program Optimization (1 of 2) Goal: Improve program performance within some constraints Ask Three Key Questions for Every Optimization 1. Is it legal? 2. Is it profitable? 3. Is it compile-time cost

413 views • 17 slides

More recommend