CSE543 - Introduction to Computer and Network Security Module: - PowerPoint PPT Presentation

�������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 CSE543 - Introduction to Computer and Network Security Page 1

Anatomy of Control-Flow Exploits • Two steps in control-flow exploitation • First -- attacker gets control of program flow (return address, function pointer) Stack (buffer), heap, format string vulnerability, … ‣ • Second -- attacker uses control of program flow to launch attacks E.g., Code injection ‣ Adversary injects malcode into victim • E.g., onto stack or into other data region • How is code injection done? ‣ 2 CSE543 - Introduction to Computer and Network Security Page 2

Code Injection • Advantage • Adversary can install any code they want • What code do adversaries want? Defenses ‣ NX bit - set memory as non-executable (stack) • W (xor) X - set memory as either writeable or • executable, but not both What can adversary do to circumvent these • defenses and still execute useful code (for them)? 3 CSE543 - Introduction to Computer and Network Security Page 3

Return-Oriented Programming • Arbitrary exploitation without code injection 4 CSE543 - Introduction to Computer and Network Security Page 4

Return-Oriented Programming 5 CSE543 - Introduction to Computer and Network Security Page 5

ROP Thesis 6 CSE543 - Introduction to Computer and Network Security Page 6

Return-to-libc 7 CSE543 - Introduction to Computer and Network Security Page 7

ROP vs return-to-libc 8 CSE543 - Introduction to Computer and Network Security Page 8

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = 9

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 10

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 11

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 12

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 13

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 14

ROP Example • Use ESP as program counter – E.g., Store 5 at address 0x8048000 (without introducing new code) Code Stack pop %eax G1: G1 Return Address ret 5 pop %ebx G2: G2 jmp G2 ret buf 0x8048000 movl %eax, (%ebx) G3: ret G3 jump G3 . . . Memory Registers %eax = 5 0x8048000 = 5 %ebx = 0x8048000 15

Machine Instructions 16 CSE543 - Introduction to Computer and Network Security Page 16

ROP Execution 17 CSE543 - Introduction to Computer and Network Security Page 17

Building ROP Functionality 18 CSE543 - Introduction to Computer and Network Security Page 18

Building ROP Functionality 19 CSE543 - Introduction to Computer and Network Security Page 19

Building ROP Functionality 20 CSE543 - Introduction to Computer and Network Security Page 20

Creating Programs 21 CSE543 - Introduction to Computer and Network Security Page 21

Finding Gadgets 22 CSE543 - Introduction to Computer and Network Security Page 22

ROP Conclusions 23 CSE543 - Introduction to Computer and Network Security Page 23

Control-Flow Integrity • Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow ‣ sequences • Build a model from source code that describes legal control flows E.g., control-flow graph ‣ • Enforce the model on program execution Instrument indirect control transfers ‣ Jumps, calls, returns, ... • • Challenges Building accurate model ‣ Efficient enforcement ‣ 24 CSE543 - Introduction to Computer and Network Security Page 24

Software Control Flow Integrity 
 Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 25 25

Our Mechanism F A F B call fp return 26 26-1

Our Mechanism F A F B call fp return CFG excerpt B 1 A call B ret A call+1 26 26-2

Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp return CFG excerpt B 1 A call B ret A call+1 26 26-3

Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt if(**esp != nop IMM 2 ) halt call fp return nop IMM 2 CFG excerpt B 1 A call NB: Need to ensure bit patterns for nops B ret A call+1 appear nowhere else in code memory 26 26-4

More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B call fp F C 27 27-1

More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 27 27-2

Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } F D return call F B 28 28-1

Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 F D if(**esp != nop IMM 2 ) halt return call F B nop IMM 2 28 28-2

Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 F D if(**esp != nop IMM 2 ) halt return call F B nop IMM 2 28 28-3

Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 CFG Integrity: F D if(**esp != nop IMM 2 ) halt Changes to the return PC are only to valid successor call F B PCs, per succ(). nop IMM 2 28 28-4

No “Zig-Zag” Imprecision CFG excerpt B 1 A call C 1 E call 29 29-1

No “Zig-Zag” Imprecision CFG excerpt B 1 A call C 1 E call 29 29-2

No “Zig-Zag” Imprecision Solution I: Allow the imprecision CFG excerpt B 1 A call C 1 E call 29 29-3

No “Zig-Zag” Imprecision Solution I: Allow the imprecision Solution II: Duplicate code to remove zig-zags CFG excerpt CFG excerpt B 1 B 1 A call A call C 1 C 1A E call E call C 1E 29 29-4

CFG Imprecision • Best reduced by a technique developed in the “HyperSafe” system “HyperSafe: A Lightweight Approach to Provide ‣ Lifetime Hypervisor Control-Flow Integrity” IEEE Symposium on Security and Privacy, 2010 • On indirect call (forward edge) ‣ Check the proposed target against the set of legal targets from the CFG • On return (backward edge) Check the proposed return location against the set of ‣ legal return locations from the CFG • Tricky to make that efficient (see the paper) 30 CSE543 - Introduction to Computer and Network Security Page 30

Shadow Stack • What should be the target of a return instruction? Return to caller ‣ ‣ But, need a way to protect return value • Shadow stack ‣ Stack that can only be accessed by trusted code (e.g., software fault isolation) ‣ Off limits to overflows 31 CSE543 - Introduction to Computer and Network Security Page 31