Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA

CMPSC 497 – Execution Integrity
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department
Pennsylvania State University
Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1
Exploit Vulnerabilities
• How do you exploit a memory error vulnerability?
Memory Error Exploits
• First and most common way to take control of a process
• Write to control memory
  ‣ Call the victim with the inputs necessary to overflow a buffer or exploit a data pointer
  ‣ To overwrite the value of a pointer to code (e.g., a return address) or data that impacts control (e.g., a conditional)
• Direct the process execution to exploit code
  ‣ Inject code (if possible) or reuse existing code
  ‣ Use the compromised pointer to jump to the chosen code
Determine what to attack
• Local variable that is a char buffer
  ‣ Called buf

Victim code shown on the slide (buf, p, inputs, tmp, ct, and victim are declared earlier in the victim program and are not shown; the strcpy loop is the deliberate overflow under study):

    printf("BEFORE picture of stack\n");
    for ( i=((unsigned) buf-8); i<((unsigned) ((char *)&ct)+8); i++ )
        printf("%p: 0x%x\n", (void *)i, *(unsigned char *) i);

    /* run overflow */
    for ( i=1; i<tmp; i++ ){
        printf("i = %d; tmp= %d; ct = %d; &tmp = %p\n", i, tmp, ct, (void *)&tmp);
        strcpy(p, inputs[i]);

        /* print stack after the fact */
        printf("AFTER iteration %d\n", i);
        for ( j=((unsigned) buf-8); j<((unsigned) ((char *)&ct)+8); j++ )
            printf("%p: 0x%x\n", (void *)j, *(unsigned char *) j);
        p += strlen(inputs[i]);
        if ( i+1 != tmp )
            *p++ = ' ';
    }
    printf("buf = %s\n", buf);
    printf("victim: %p\n", (void *)&victim);
    return 0;
}

BEFORE picture of stack (one byte per address, lowest address first; the labels mark where the slide places buf, the saved ebp, the return address, and ct):

    0xbfa3b854: 0x3
    0xbfa3b855: 0x0
    0xbfa3b856: 0x0
    0xbfa3b857: 0x0
    0xbfa3b858: 0x3   <- buf
    0xbfa3b859: 0x0
    0xbfa3b85a: 0x0
    0xbfa3b85b: 0x0
    0xbfa3b85c: 0x0
    0xbfa3b85d: 0x0
    0xbfa3b85e: 0x0
    0xbfa3b85f: 0x0
    0xbfa3b860: 0x0
    0xbfa3b861: 0x0
    0xbfa3b862: 0x0
    0xbfa3b863: 0x0
    0xbfa3b864: 0x0
    0xbfa3b865: 0x0
    0xbfa3b866: 0x0
    0xbfa3b867: 0x0
    0xbfa3b868: 0xa8  <- ebp (saved frame pointer, 0xbfa3b8a8 in little endian)
    0xbfa3b869: 0xb8
    0xbfa3b86a: 0xa3
    0xbfa3b86b: 0xbf
    0xbfa3b86c: 0x71  <- rtn addr (0x08048471 in little endian)
    0xbfa3b86d: 0x84
    0xbfa3b86e: 0x4
    0xbfa3b86f: 0x8
    0xbfa3b870: 0x3   <- ct
    0xbfa3b871: 0x0
    0xbfa3b872: 0x0
    0xbfa3b873: 0x0
Configure Attack
• Configure the following
  ‣ Distance from the buffer to the target (return address)
    • Where to write?
  ‣ Location of the start of attacker-chosen code
    • Where to direct?
  ‣ What to write on the stack
    • How to invoke – if arguments and/or multiple steps are needed?
  ‣ How to craft the attack
    • How to produce and send the malicious buffer to the victim?
Find Return Address
• x86 Architecture
  ‣ Build 32-bit code for a Linux environment
• Remember integers are represented in "little endian" format
• Take address 0x8048471
  ‣ See trace at right
• How do you know it's a return address?
  ‣ Run objdump -dl on the victim, and you will see this is the address after a call instruction

[Stack picture at right: the same BEFORE picture of the stack as on the "Determine what to attack" slide, with buf, ebp, rtn addr, and ct marked]
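The slide's "little endian" point worked through on the dump itself, as an added example (not code from the slides): the bytes at 0xbfa3b86c..0xbfa3b86f are reassembled into the word 0x08048471, and the dump is scanned for the words that the slide labels. The dump array is a constructed copy of the slide's BEFORE picture; the stack address range used by points_into_stack is an assumption about the classic 32-bit Linux layout, and objdump -dl remains the authoritative check.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed copy of the BEFORE stack picture on the slide, one byte per
 * address from 0xbfa3b854 through 0xbfa3b873. */
#define DUMP_BASE 0xbfa3b854u
static const uint8_t dump[32] = {
    0x03, 0x00, 0x00, 0x00,                          /* 0xbfa3b854 */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* 0xbfa3b858  buf */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xa8, 0xb8, 0xa3, 0xbf,                          /* 0xbfa3b868  ebp */
    0x71, 0x84, 0x04, 0x08,                          /* 0xbfa3b86c  rtn addr */
    0x03, 0x00, 0x00, 0x00,                          /* 0xbfa3b870  ct */
};

/* Little endian: the byte at the lowest address is the least significant,
 * so 71 84 04 08 read upward in memory is the word 0x08048471. */
uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Address of the first 4-byte word in the dump equal to value, or 0 if none. */
uint32_t find_word(const uint8_t *d, size_t len, uint32_t base, uint32_t value) {
    for (size_t off = 0; off + 4 <= len; off++)
        if (le32(d + off) == value) return base + (uint32_t)off;
    return 0;
}

/* Rough sanity check on a candidate word (assumption: classic 32-bit Linux,
 * user stack just below 0xc0000000): a saved ebp points back into the stack,
 * a return address points into the code segment and does not. */
int points_into_stack(uint32_t addr) {
    return addr >= 0xbf000000u && addr < 0xc0000000u;
}
```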
Overwrite Return Address
• Build victim for debugging
  ‣ You may have source code
  ‣ But can debug the binary with more powerful tools
• Run the victim under gdb to determine addresses and relative offsets
  ‣ Even with ASLR on, the offsets will be the same
  ‣ Craft buffer to write up to the target

[Stack picture at right: the same BEFORE picture of the stack as on the "Determine what to attack" slide]
Objdump to Find Code Ptrs
• A return address should point to the instruction after a 'call'
• May also want to compromise a function pointer – an address in code

[Stack picture at right: the same BEFORE picture of the stack as on the "Determine what to attack" slide]
Direct to Adversary Code
• How do you know what to change the return address to?
• Can use 'objdump' again to find the desired instruction(s)
  ‣ Can call code you want to run that's already there
  ‣ Can call a library function that's available
    • Need to fix the stack with arguments to the function
  ‣ Can create and invoke a ROP gadget chain
    • Need to craft the entire stack you want

[Stack picture at right: the same BEFORE picture of the stack as on the "Determine what to attack" slide]
Objdump to Find Attack Code
• May want to find particular statements or PLT entries
  ‣ What is "system" good for?
• Or jump directly to an executable statement with the desired effect

[Stack picture at right: the same BEFORE picture of the stack as on the "Determine what to attack" slide]
Exploits
• Run code determined by attacker
• Old way
  ‣ Include attack code in the malicious buffer value
  ‣ Prevented by modern defenses: NX and randomized stack base
• Modern way
  ‣ Return-to-libc attack
  ‣ Configure the stack to run code in the victim's code segment
    • Return-oriented programming
Prevent Overflows
• Besides using safe string functions (not all buffers are for strings), how would you prevent adversaries from causing overflows?
Prevent Overflows
• Besides using safe string functions (not all buffers are for strings), how would you prevent adversaries from causing overflows?
  ‣ Ensure that all writes using a pointer to buffer memory are within that buffer memory (spatial memory safety)
    • Ensuring all pointers point to allocated memory (or NULL) is called temporal memory safety
  ‣ Two ways to achieve spatial memory safety:
    • Bounds checks
    • Fat pointers with bounds information
Check Bounds
• How would you check bounds naively?
Check Bounds
• How would you check bounds naively?
  ‣ Presumably, you need to know the start and end of a buffer
• Then, you need to check bounds – how and when?
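A naive bounds check of the kind the last two slides ask for, as an added example (not the victim program from the slides): the pointer carries the start and end of the buffer with it (a fat pointer), every write is checked against those bounds first, and the victim's strcpy loop is rebuilt over it so an oversized input is rejected instead of overrunning buf. The type and function names are this example's own; the inputs in demo_bounds_checks are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Fat pointer: the raw pointer travels with the bounds of its object. */
typedef struct {
    char *ptr;    /* current write position */
    char *base;   /* first valid byte */
    char *bound;  /* one past the last valid byte */
} fatptr;

/* Spatial safety check: does [ptr, ptr + n) lie entirely inside [base, bound)? */
bool fat_in_bounds(const fatptr *f, size_t n) {
    return f->ptr >= f->base && f->ptr <= f->bound && n <= (size_t)(f->bound - f->ptr);
}

/* Checked stand-in for the victim's strcpy(p, inputs[i]): copy src and its
 * terminator only if they fit; otherwise write nothing and report failure. */
bool fat_strcpy(fatptr *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (!fat_in_bounds(f, n)) return false;
    memcpy(f->ptr, src, n);
    return true;
}

/* The victim's join loop rebuilt over a fat pointer: every write is preceded by a
 * bounds check, and buf stays NUL-terminated even when an input is rejected.
 * Returns how many inputs were copied. */
int join_checked(char *buf, size_t size, const char *inputs[], int count) {
    fatptr p = { buf, buf, buf + size };
    int copied = 0;
    if (size == 0) return 0;
    buf[0] = '\0';
    for (int i = 0; i < count; i++) {
        if (!fat_strcpy(&p, inputs[i])) { *p.ptr = '\0'; break; } /* reject, keep terminator */
        p.ptr += strlen(inputs[i]);        /* in bounds: the copy just succeeded */
        copied++;
        if (i + 1 == count) break;
        if (!fat_in_bounds(&p, 2)) break;  /* no room for ' ' plus a terminator */
        *p.ptr++ = ' ';
    }
    return copied;
}

/* Constructed check: three words fit a 16-byte buffer; then a word that would
 * overrun an 8-byte buffer is rejected and a sentinel byte past it survives. */
int demo_bounds_checks(void) {
    char buf[16], area[9];
    const char *ok[] = { "aaaa", "bbbb", "cccc" };
    const char *bad[] = { "aaaa", "bbbbbbbb" };
    memset(area, 0x7f, sizeof area);
    int fits = join_checked(buf, sizeof buf, ok, 3) == 3 && strcmp(buf, "aaaa bbbb cccc") == 0;
    int stopped = join_checked(area, 8, bad, 2) == 1 && strcmp(area, "aaaa ") == 0 && area[8] == 0x7f;
    return fits && stopped;
}
```

The cost is visible here too: the bounds ride along with every pointer and every write pays a comparison, which is the trade-off the two listed approaches (explicit bounds checks vs. fat pointers) make in different places.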