data is flowing in the wind a review of data flow
play

Data is Flowing in the Wind: A Review of Data-Flow Integrity - PowerPoint PPT Presentation

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program


  1. Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es

  2. Rationale

  3. Rationale Program Control-Data Defences for Control-Data

  4. Rationale Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  5. Rationale Maybe I should switch to attack non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  6. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  7. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Non-Control-Data Attacks Are Realistic Threats. Chen et al. Usenix Sec’05 Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  8. Control Data VS Non-Control-Data Attacks

  9. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  10. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  11. Control Data VS Non-Control-Data Attacks Code reuse Code injection Control-Data Attacks Modify the control-flow of a program

  12. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Modify the control-flow of a program

  13. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  14. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  15. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  16. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data What data do they target? Code injection → decision making data, user input etc. Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  17. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15

  18. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data

  19. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data Passwords & private System call Randomised values keys parameters

  20. A sample non-control-data attack

  21. A sample non-control-data attack struct passwd { uid_t pw_uid; ... } *pw; ... int uid = getuid(); pw->pq_uid = uid; // save current uid // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  22. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  23. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } Circumvents Control Flow Integrity? From wu-ftpd web server. Hu et al. Usenix Sec’15

  24. Data-Flow Stitching Hu et al. Usenix Sec’15

  25. Data-Flow Stitching Hu et al. Usenix Sec’15 s truct passwd { uid_t pw_uid; ... } *pw; … int uid = getuid(); pw->pq_uid = uid; // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  26. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  27. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  28. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  29. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  30. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw … seteuid(pw->pw_uid); } &uid Stack address of seteuid’s arg time

  31. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  32. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  33. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack 0 address of seteuid’s arg time

  34. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  35. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  36. Data-Oriented Programming (DOP) Hu et al. Oakland’16

Recommend


More recommend