CMPSC 497 Execution Integrity, Trent Jaeger (PowerPoint PPT Presentation)
  1. CMPSC 497: Execution Integrity
  Trent Jaeger, Systems and Internet Infrastructure Security (SIIS) Lab, Computer Science and Engineering Department, Pennsylvania State University
  Systems and Internet Infrastructure Security, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park PA
  Systems and Internet Infrastructure Security (SIIS) Laboratory, Page 1

  2. Exploit Vulnerabilities
  • How do you exploit a memory error vulnerability?

  3. Memory Error Exploits
  • First and most common way to take control of a process
  • Write to control memory
    ‣ Call the victim with inputs necessary to overflow a buffer or exploit a data pointer
    ‣ To overwrite the value of a pointer to code (e.g., return address) or data that impacts control (e.g., a conditional)
  • Direct the process execution to exploit code
    ‣ Inject code (if possible) or reuse existing code
    ‣ Use the compromised pointer to jump to the chosen code

  4. Determine what to attack
  • Local variable that is a char buffer
    ‣ Called buf

  Victim code shown on the slide. It is the tail of the victim's main(); the declarations of buf, p, ct, tmp, inputs, i, j and victim are not on the slide, and the (unsigned) casts of pointers assume the 32-bit build used in the course:

      ...
      /* dump every byte from 8 below buf to 8 past ct, one line per address */
      printf("BEFORE picture of stack\n");
      for ( i=((unsigned) buf-8); i<((unsigned) ((char *)&ct)+8); i++ )
          printf("%p: 0x%x\n", (void *)i, *(unsigned char *) i);

      /* run overflow */
      for ( i=1; i<tmp; i++ ){
          printf("i = %d; tmp= %d; ct = %d; &tmp = %p\n", i, tmp, ct, (void *)&tmp);
          strcpy(p, inputs[i]);          /* unchecked copy into buf: the overflow */

          /* print stack after the fact */
          printf("AFTER iteration %d\n", i);
          for ( j=((unsigned) buf-8); j<((unsigned) ((char *)&ct)+8); j++ )
              printf("%p: 0x%x\n", (void *)j, *(unsigned char *) j);
          p += strlen(inputs[i]);        /* p now points at the terminating NUL */
          if ( i+1 != tmp )
              *p++ = ' ';                /* separate inputs with a space */
      }
      printf("buf = %s\n", buf);
      printf("victim: %p\n", (void *)&victim);
      return 0;
      }

  BEFORE picture of stack (one byte per address; multi-byte values are little endian; labels as placed on the slide):

      0xbfa3b854: 0x3
      0xbfa3b855: 0x0
      0xbfa3b856: 0x0
      0xbfa3b857: 0x0
      0xbfa3b858: 0x3      buf
      0xbfa3b859: 0x0
      0xbfa3b85a: 0x0
      0xbfa3b85b: 0x0
      0xbfa3b85c: 0x0
      0xbfa3b85d: 0x0
      0xbfa3b85e: 0x0
      0xbfa3b85f: 0x0
      0xbfa3b860: 0x0
      0xbfa3b861: 0x0
      0xbfa3b862: 0x0
      0xbfa3b863: 0x0
      0xbfa3b864: 0x0
      0xbfa3b865: 0x0
      0xbfa3b866: 0x0
      0xbfa3b867: 0x0
      0xbfa3b868: 0xa8     ebp (saved frame pointer, reads as 0xbfa3b8a8)
      0xbfa3b869: 0xb8
      0xbfa3b86a: 0xa3
      0xbfa3b86b: 0xbf
      0xbfa3b86c: 0x71     rtn addr (reads as 0x08048471)
      0xbfa3b86d: 0x84
      0xbfa3b86e: 0x4
      0xbfa3b86f: 0x8
      0xbfa3b870: 0x3      ct (reads as 3)
      0xbfa3b871: 0x0
      0xbfa3b872: 0x0
      0xbfa3b873: 0x0

  5. Configure Attack
  • Configure the following
    ‣ Distance from buffer to target (return address)
      • Where to write?
    ‣ Location of start of attacker-chosen code
      • Where to direct?
    ‣ What to write on the stack
      • How to invoke, if arguments and/or multiple steps are needed?
    ‣ How to craft the attack
      • How to produce and send the malicious buffer to the victim?

  6. Find Return Address
  • x86 Architecture
    ‣ Build 32-bit code for a Linux environment
  • Remember integers are represented in "little endian" format
  • Take address 0x8048471
    ‣ See trace at right
  • How do you know it's a return address?
    ‣ Run objdump -dl on the victim, and you will see this is the address after a call instruction
  [Figure: the same "BEFORE picture of stack" trace as on slide 4]
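  As an added example, not part of the slides: C code that transcribes the 32 bytes of the slide's trace into an array and decodes the saved ebp, the return address and ct as little-endian words, then applies the check a debugger or stack walker would apply, that a return address falls inside the program's code segment. The .text range 0x08048000..0x08049000 is assumed for illustration and is not taken from the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 32 bytes of the slide's "BEFORE picture of stack" trace, addresses
 * 0xbfa3b854..0xbfa3b873, transcribed into a C array for this example. */
#define DUMP_BASE 0xbfa3b854u
static const unsigned char frame_dump[32] = {
    0x03, 0x00, 0x00, 0x00,  /* 0xbfa3b854 */
    0x03, 0x00, 0x00, 0x00,  /* 0xbfa3b858  buf (label as on the slide) */
    0x00, 0x00, 0x00, 0x00,  /* 0xbfa3b85c */
    0x00, 0x00, 0x00, 0x00,  /* 0xbfa3b860 */
    0x00, 0x00, 0x00, 0x00,  /* 0xbfa3b864 */
    0xa8, 0xb8, 0xa3, 0xbf,  /* 0xbfa3b868  saved ebp */
    0x71, 0x84, 0x04, 0x08,  /* 0xbfa3b86c  return address */
    0x03, 0x00, 0x00, 0x00   /* 0xbfa3b870  ct */
};

/* Read the 32-bit little-endian word stored at stack address addr: the byte
 * at the lowest address is the least significant one. */
uint32_t read_le32(const unsigned char *dump, size_t len, uint32_t base, uint32_t addr)
{
    if (addr < base || (size_t)(addr - base) + 4 > len)
        return 0;                                   /* not in the dumped region */
    size_t off = addr - base;
    return (uint32_t)dump[off] | ((uint32_t)dump[off + 1] << 8)
         | ((uint32_t)dump[off + 2] << 16) | ((uint32_t)dump[off + 3] << 24);
}

uint32_t saved_ebp(void)      { return read_le32(frame_dump, sizeof frame_dump, DUMP_BASE, 0xbfa3b868u); }
uint32_t return_address(void) { return read_le32(frame_dump, sizeof frame_dump, DUMP_BASE, 0xbfa3b86cu); }
uint32_t ct_value(void)       { return read_le32(frame_dump, sizeof frame_dump, DUMP_BASE, 0xbfa3b870u); }

/* A return address must lie inside the program's code segment. The range used
 * in main() is an assumed one for a non-PIE 32-bit binary; take the real one from objdump -h. */
int ret_in_text(uint32_t ret, uint32_t text_start, uint32_t text_end)
{
    return ret >= text_start && ret < text_end;
}

int main(void)
{
    uint32_t ret = return_address();
    printf("saved ebp      = 0x%08x\n", (unsigned)saved_ebp());
    printf("return address = 0x%08x (%s .text)\n", (unsigned)ret,
           ret_in_text(ret, 0x08048000u, 0x08049000u) ? "inside" : "outside");
    printf("ct             = %u\n", (unsigned)ct_value());
    return 0;
}
```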

  7. Overwrite Return Address
  • Build the victim for debugging
    ‣ You may have source code
    ‣ But you can debug the binary with more powerful tools
  • Run the victim under gdb to determine addresses and relative offsets
    ‣ Even with ASLR on, the offsets will be the same
    ‣ Craft the buffer to write up to the target
  [Figure: the same "BEFORE picture of stack" trace as on slide 4]

  8. Objdump to Find Code Ptrs
  • A return address should point to the instruction after a 'call'
  • May also want to compromise a function pointer, i.e., an address in code
  [Figure: the same "BEFORE picture of stack" trace as on slide 4]

  9. Direct to Adversary Code
  • How do you know what to change the return address to?
  • Can use 'objdump' again to find the desired instruction(s)
    ‣ Can call code you want to run that's already there
    ‣ Can call a library function that's available
      • Need to fix the stack with arguments to the function
    ‣ Can create and invoke a ROP gadget chain
      • Need to craft the entire stack you want
  [Figure: the same "BEFORE picture of stack" trace as on slide 4]

  10. Objdump to Find Attack Code
  • May want to find particular statements or PLT entries
    ‣ What is "system" good for?
  • Or jump directly to an executable statement with the desired effect
  [Figure: the same "BEFORE picture of stack" trace as on slide 4]

  11. Exploits
  • Run code determined by the attacker
  • Old way
    ‣ Include attack code in the malicious buffer value
    ‣ Prevented by modern defenses: NX and randomized stack base
  • Modern way
    ‣ Return-to-libc attack
    ‣ Configure the stack to run code in the victim's code segment
      • Return-oriented programming

  12. Prevent Overflows
  • Besides using safe string functions (not all buffers are for strings), how would you prevent adversaries from causing overflows?

  13. Prevent Overflows
  • Besides using safe string functions (not all buffers are for strings), how would you prevent adversaries from causing overflows?
    ‣ Ensure that all writes using a pointer to buffer memory are within that buffer memory (spatial memory safety)
      • Ensuring all pointers point to allocated memory (or NULL) is called temporal memory safety
    ‣ Two ways to achieve spatial memory safety:
      • Bounds checks
      • Fat pointers with bounds information

  14. Check Bounds
  • How would you check bounds naively?

  15. Check Bounds
  • How would you check bounds naively?
    ‣ Presumably, you need to know the start and end of a buffer
  • Then, you need to check bounds: how and when?
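  As an added example covering slides 13 and 15, not code from the course: a fat pointer in C that carries the start and length of buf alongside the write position, a checked stand-in for the victim's strcpy(p, inputs[i]), and the victim's join-with-spaces loop rewritten so that every write is bounds-checked before it happens (the check is done at each write, against the bounds captured when the pointer was created). The type and function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Fat pointer: the raw pointer carries the bounds of the object it points
 * into, so every write can be checked against [base, base + len). */
typedef struct {
    char  *cur;   /* current write position */
    char  *base;  /* start of the buffer */
    size_t len;   /* size of the buffer in bytes */
} fat_ptr;

/* Spatial check: can n bytes be written at fp->cur without leaving the buffer? */
int fat_can_write(const fat_ptr *fp, size_t n)
{
    size_t used = (size_t)(fp->cur - fp->base);
    return fp->cur >= fp->base && used <= fp->len && n <= fp->len - used;
}

/* Checked stand-in for the victim's strcpy(p, inputs[i]): copy s and its NUL only if they fit. */
int fat_strcpy(fat_ptr *fp, const char *s)
{
    size_t n = strlen(s) + 1;
    if (!fat_can_write(fp, n))
        return 0;                        /* would overflow: write nothing */
    memcpy(fp->cur, s, n);
    fp->cur += n - 1;                    /* leave cur on the NUL, as the victim's p is */
    return 1;
}

/* The victim's loop (join inputs with spaces into buf) with the check applied.
 * Returns how many inputs were copied before the first refused write. */
int join_inputs(char *buf, size_t len, const char **inputs, int count)
{
    fat_ptr fp = { buf, buf, len };
    for (int i = 0; i < count; i++) {
        if (!fat_strcpy(&fp, inputs[i]))
            return i;
        if (i + 1 != count) {
            if (!fat_can_write(&fp, 2))  /* the space plus a new terminator */
                return i + 1;
            *fp.cur++ = ' ';
            *fp.cur = '\0';
        }
    }
    return count;
}
```

  With an 8-byte buf followed by ct on the stack, joining "aaaa" and "bbbbbbbb" copies the first input and the space, refuses the second, and leaves ct untouched; the unchecked victim would have run through ct into the saved ebp and return address.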
