Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es
Rationale
Rationale Program Control-Data Defences for Control-Data
Rationale Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data
Rationale Maybe I should switch to attack non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data
Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data
Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Non-Control-Data Attacks Are Realistic Threats. Chen et al. Usenix Sec’05 Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data
Control Data VS Non-Control-Data Attacks
Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program
Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program
Control Data VS Non-Control-Data Attacks Code reuse Code injection Control-Data Attacks Modify the control-flow of a program
Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Modify the control-flow of a program
Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program
Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program
Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program
Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data What data do they target? Code injection → decision making data, user input etc. Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program
Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15
Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data
Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data Passwords & private System call Randomised values keys parameters
A sample non-control-data attack
A sample non-control-data attack struct passwd { uid_t pw_uid; ... } *pw; ... int uid = getuid(); pw->pq_uid = uid; // save current uid // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15
A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15
A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } Circumvents Control Flow Integrity? From wu-ftpd web server. Hu et al. Usenix Sec’15
Data-Flow Stitching Hu et al. Usenix Sec’15
Data-Flow Stitching Hu et al. Usenix Sec’15 s truct passwd { uid_t pw_uid; ... } *pw; … int uid = getuid(); pw->pq_uid = uid; // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw … seteuid(pw->pw_uid); } &uid Stack address of seteuid’s arg time
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack 0 address of seteuid’s arg time
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time
Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time
Data-Oriented Programming (DOP) Hu et al. Oakland’16
Recommend
More recommend