The solution • The favored method of interacting with the OS is through API calls (e.g. those exported by kernel32.dll) rather than raw system calls, because the API interface is relatively stable across OS revisions. • Discover the virtual addresses of the API functions used in the attacker-supplied program (Step ❸). • The proposed code page harvesting (Step ❷) gives unfettered access to a large amount of application code, which offers a unique opportunity for automatically discovering a diverse set of API function pointers. University of Cyprus EPL 682: Advanced Security Topics 43
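As an added example (not the JIT-ROP authors' code), the following C program shows the mechanism behind API function discovery in harvested code pages: scanning for indirect calls and jumps through the import address table (IAT) and resolving the referenced slot to an API pointer. It assumes 32-bit x86, where `FF 15 disp32` is `call dword ptr [disp32]` and `FF 25 disp32` is `jmp dword ptr [disp32]` with an absolute slot address (in 64-bit code the same bytes are RIP-relative, so the slot is the next instruction address plus the displacement). The page bytes, the module's IAT range and the slot contents are constructed; in the real attack the slot contents are read through the memory disclosure rather than from a table.

```c
/* Added example (not the JIT-ROP authors' code): find API function pointers
 * referenced from a harvested code page via IAT call/jmp sites (32-bit x86). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct iat_entry { uint32_t slot; uint32_t target; const char *name; };

/* Constructed IAT of the module that owns the page (slot -> resolved API). */
static const struct iat_entry iat[] = {
    { 0x10001000u, 0x76A1F0C0u, "kernel32!VirtualProtect" },
    { 0x10001004u, 0x76A2A7E0u, "kernel32!GetProcAddress" },
    { 0x10001008u, 0x76A3D130u, "kernel32!LoadLibraryA" },
};
#define IAT_LO 0x10001000u
#define IAT_HI 0x1000100Cu
#define PAGE_VA 0x10003000u      /* constructed virtual address of the page */

static const struct iat_entry *lookup_slot(uint32_t slot)
{
    for (size_t i = 0; i < sizeof iat / sizeof iat[0]; i++)
        if (iat[i].slot == slot) return &iat[i];
    return NULL;
}

struct site { uint32_t va; const struct iat_entry *api; };

/* Scan a page for FF 15 / FF 25 disp32. A slot is accepted only if it is
 * 4-byte aligned and inside the IAT range: immediates and data bytes in a
 * code page can look like FF 15 xx xx xx xx as well. */
size_t find_api_sites(const uint8_t *page, size_t len, uint32_t page_va,
                      struct site *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 6 <= len; off++) {
        if (page[off] != 0xFF) continue;
        if (page[off + 1] != 0x15 && page[off + 1] != 0x25) continue;
        uint32_t slot = (uint32_t)page[off + 2]       | (uint32_t)page[off + 3] << 8 |
                        (uint32_t)page[off + 4] << 16 | (uint32_t)page[off + 5] << 24;
        if ((slot & 3) || slot < IAT_LO || slot >= IAT_HI) continue;
        const struct iat_entry *e = lookup_slot(slot);
        if (!e || n == max) continue;
        out[n++] = (struct site){ page_va + (uint32_t)off, e };
    }
    return n;
}

/* Constructed "harvested page". */
static const uint8_t page[] = {
    0x55, 0x8B, 0xEC,                       /* push ebp; mov ebp, esp */
    0x6A, 0x40,                             /* push 0x40 */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x10,     /* call [0x10001000] -> VirtualProtect */
    0xFF, 0x15, 0x04, 0x10, 0x00, 0x10,     /* call [0x10001004] -> GetProcAddress */
    0xFF, 0x15, 0x30, 0x20, 0x00, 0x10,     /* call [0x10002030]: not an IAT slot, ignored */
    0xFF, 0x25, 0x08, 0x10, 0x00, 0x10,     /* jmp  [0x10001008] -> LoadLibraryA (thunk) */
    0xFF, 0x15, 0x04, 0x10, 0x00, 0x10,     /* second GetProcAddress call site */
    0xC3,
};

size_t total_sites(void)
{
    struct site s[16];
    return find_api_sites(page, sizeof page, PAGE_VA, s, 16);
}

/* Number of call/jmp sites in the sample page that reach `name`. */
int sites_for(const char *name)
{
    struct site s[16];
    size_t n = find_api_sites(page, sizeof page, PAGE_VA, s, 16);
    int c = 0;
    for (size_t i = 0; i < n; i++) c += strcmp(s[i].api->name, name) == 0;
    return c;
}

/* The value the payload needs: the API address stored in the slot. */
uint32_t pointer_for(const char *name)
{
    struct site s[16];
    size_t n = find_api_sites(page, sizeof page, PAGE_VA, s, 16);
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].api->name, name) == 0) return s[i].api->target;
    return 0;
}

int main(void)
{
    struct site s[16];
    size_t n = find_api_sites(page, sizeof page, PAGE_VA, s, 16);
    for (size_t i = 0; i < n; i++)
        printf("%08x: %s [%08x] -> %s at %08x\n", s[i].va,
               page[s[i].va - PAGE_VA + 1] == 0x15 ? "call" : "jmp",
               s[i].api->slot, s[i].api->name, s[i].api->target);
    return 0;
}
```

The alignment and range checks are the practitioner's filter against false positives; the same scan over real pages is what yields the call-site counts reported in the evaluation, where a single resolved slot is enough to obtain the function pointer.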
C. Gadget Discovery JIT-ROP
Thus far we have automatically mapped a significant portion of the vulnerable application's code layout and collected the API function pointers required by the exploit writer's designated program.
Challenge
The challenge lies in accumulating a set of concrete gadgets to use as building blocks for the just-in-time code-reuse payload. Fine-grained exploit mitigations may metamorphose (re-randomize) the instructions on each execution, so neither gadget addresses nor the gadget instruction sequences themselves can be assumed in advance.
The solution • In Step ❹ they efficiently collect sequences of instructions by adapting the Galileo algorithm proposed by Shacham to iterate over the harvested code pages from Step ❷ and populate an instruction prefix tree structure. • Gadgets are then selected using criteria for useful gadgets.
Algorithm 2 VerifyGadget: automatically match a sequence of instructions to a gadget's semantic definition.
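As an added example (not the JIT-ROP authors' code), the C program below runs a reduced Galileo-style scan over one harvested code page and then applies a VerifyGadget-style semantic check. It recognises only a handful of x86-64 encodings (`0x58`-`0x5F` pop r64, `0x41` + `0x58`-`0x5F` pop r8-r15, `0x90` nop, `0xC3` ret), which is enough to show the backward walk from every ret byte, the discovery of unintended instructions, and the classification of `pop rsp; ret` as a StackPivotG; a real implementation needs a full disassembler. The page bytes are constructed.

```c
/* Added example (not the JIT-ROP authors' code): reduced Galileo scan plus
 * a simplified VerifyGadget over a constructed x86-64 code page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_INSN 4            /* instructions per gadget, excluding the ret */
#define REG_RSP  4            /* x86-64 register number of rsp */

enum kind { LOAD_REG, STACK_PIVOT, OTHER };

struct gadget {
    size_t offset;            /* page offset of the first instruction */
    int    ninsn;             /* instructions before the ret */
    int    regs[MAX_INSN];    /* register popped by each instruction, -1 for nop */
    enum kind kind;
};

/* Decode one instruction at code[off]. Returns its length, or 0 if the bytes
 * are outside the recognised subset (this also rejects an embedded ret). */
static int decode(const uint8_t *code, size_t len, size_t off, int *reg)
{
    *reg = -1;
    if (off >= len) return 0;
    uint8_t b = code[off];
    if (b == 0x90) return 1;                                   /* nop */
    if (b >= 0x58 && b <= 0x5F) { *reg = b - 0x58; return 1; } /* pop rax..rdi */
    if (b == 0x41 && off + 1 < len &&
        code[off + 1] >= 0x58 && code[off + 1] <= 0x5F) {      /* REX.B pop r8..r15 */
        *reg = 8 + (code[off + 1] - 0x58);
        return 2;
    }
    return 0;
}

/* Galileo's core test: a byte sequence is a gadget iff decoding forward
 * from `start` lands exactly on the ret at `ret_off`. */
static int decode_to_ret(const uint8_t *code, size_t len, size_t start,
                         size_t ret_off, struct gadget *g)
{
    size_t off = start;
    int n = 0;
    while (off < ret_off) {
        int reg, l = decode(code, len, off, &reg);
        if (l == 0 || n == MAX_INSN) return 0;
        g->regs[n++] = reg;
        off += l;
    }
    if (off != ret_off) return 0;
    g->offset = start;
    g->ninsn  = n;
    return 1;
}

/* VerifyGadget, reduced: a pop into rsp makes a StackPivotG (the following
 * ret executes from attacker-controlled memory); any other pop makes a
 * LoadRegG; a gadget of only nops is not useful. */
static enum kind classify(const struct gadget *g)
{
    int pops = 0;
    for (int i = 0; i < g->ninsn; i++) {
        if (g->regs[i] == REG_RSP) return STACK_PIVOT;
        if (g->regs[i] >= 0) pops++;
    }
    return pops ? LOAD_REG : OTHER;
}

/* For every ret byte, walk backwards and keep each start offset that decodes
 * cleanly onto it. Galileo stores these paths in a prefix tree keyed from the
 * ret; here they are simply appended to out[]. A start in the middle of a
 * longer encoding yields an unintended gadget in exactly the same way. */
size_t find_gadgets(const uint8_t *code, size_t len, struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xC3) continue;
        size_t lo = r > 2 * MAX_INSN ? r - 2 * MAX_INSN : 0;   /* longest encoding is 2 bytes */
        for (size_t s = r; s-- > lo; ) {
            struct gadget g;
            if (decode_to_ret(code, len, s, r, &g) && n < max) {
                g.kind = classify(&g);
                out[n++] = g;
            }
        }
    }
    return n;
}

/* Constructed "harvested page". */
static const uint8_t page[] = {
    0x48, 0x89, 0xC7,        /* mov rdi, rax   (outside the decoder's subset) */
    0x5F, 0x5E, 0xC3,        /* pop rdi; pop rsi; ret   -> also yields pop rsi; ret */
    0x48, 0x89, 0xC7,        /* mov rdi, rax */
    0x41, 0x5F, 0xC3,        /* pop r15; ret   -> also yields unintended pop rdi; ret */
    0xC3,                    /* bare ret (no instructions before it, not reported) */
    0x5C, 0xC3,              /* pop rsp; ret   -> StackPivotG */
};

size_t scan_sample(void)
{
    struct gadget g[32];
    return find_gadgets(page, sizeof page, g, 32);
}

/* Number of sample gadgets that pop into register `reg` (x86-64 numbering). */
int sample_pops(int reg)
{
    struct gadget g[32];
    size_t n = find_gadgets(page, sizeof page, g, 32);
    int c = 0;
    for (size_t i = 0; i < n; i++)
        for (int j = 0; j < g[i].ninsn; j++)
            if (g[i].regs[j] == reg) { c++; break; }
    return c;
}

int sample_kind_count(enum kind k)
{
    struct gadget g[32];
    size_t n = find_gadgets(page, sizeof page, g, 32);
    int c = 0;
    for (size_t i = 0; i < n; i++) c += g[i].kind == k;
    return c;
}

int main(void)
{
    static const char *names[16] = { "rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                     "r8","r9","r10","r11","r12","r13","r14","r15" };
    struct gadget g[32];
    size_t n = find_gadgets(page, sizeof page, g, 32);
    for (size_t i = 0; i < n; i++) {
        printf("0x%02zx:", g[i].offset);
        for (int j = 0; j < g[i].ninsn; j++) {
            if (g[i].regs[j] < 0) printf(" nop;");
            else printf(" pop %s;", names[g[i].regs[j]]);
        }
        printf(" ret   [%s]\n", g[i].kind == STACK_PIVOT ? "StackPivotG"
                              : g[i].kind == LOAD_REG ? "LoadRegG" : "other");
    }
    return 0;
}
```

The scan reports five gadgets from this page: two suffixes of `pop rdi; pop rsi; ret`, the intended `pop r15; ret` and the unintended `pop rdi; ret` hidden inside its REX prefix, and one stack pivot. The same backward walk is what makes the approach indifferent to fine-grained randomization: it never relies on where a gadget was before, only on what the harvested bytes decode to now.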
D. Just-In-Time Compilation JIT-ROP
Challenge
The challenge lies in using the dynamically discovered API function pointers and the collection of concrete gadgets to satisfy the exploit writer's target program (Step ❶), and then generating a payload to execute (Step ❻).
The solution • Dynamic compilation is required to ensure that a plethora of gadget types can be used to build the final payload • The proposed JIT Gadget Compiler is like a traditional compiler, except that compilation is embedded directly within the exploit script and only the subset of concrete instructions discovered at runtime is available for code generation • Next, they perform a lazy search over all gadget combinations that implement a program statement, as well as a search over all schedules and register combinations • The final payload is serialized to a structure accessible from the script, and control is returned to the exploit writer's code (Step ❻)
E. Implementation JIT-ROP
Evaluation JIT-ROP
A. On Code Page Harvesting JIT-ROP
To perform the evaluation, they used memory snapshots created using a custom library. The snapshots contain all process memory, metadata indicating if a page is marked as executable code, and auxiliary information on which pages belong to the application or a shared library.
B. On Gadget Coverage JIT-ROP
They were able to find all the gadgets required in their proof-of-concept exploit. They found that a payload could be generated from 78% of the initial code pages, and 67% of the initial starting points additionally yielded a StackPivotG, which is required for many exploits.
To reinforce the point that gadget discovery is not hindered by fine-grained mitigation techniques, they conducted an experiment using an in-place binary code randomizer. The framework discovered slightly more gadgets in the randomized libraries than in the original, unmodified DLLs.
C. On API Function Discovery JIT-ROP
Calling VirtualProtect is the most direct way to undermine non-executable memory. They found that within the Internet Explorer 8 process memory (including all libraries) there were only 15 distinct call sites to VirtualProtect. In contrast, call sites for the LoadLibrary and GetProcAddress functions were readily available within the Internet Explorer memory: 391 instances of GetProcAddress and 340 instances of LoadLibrary.
D. On Runtime Performance JIT-ROP
JIT-ROP was able to locate a pivot within 10 pages, all required APIs within 19 pages, and the requisite gadgets for a payload within 50 pages, for a total running time of 22.5 seconds.
The proposed framework runs incredibly fast when natively compiled: code pages are traversed, gadgets are collected, APIs are resolved, and a payload is compiled in a fraction of a second.
Potential Mitigations
Suggestions that would render this attack ineffective • Re-randomize code pages at a high rate, so that the disclosed pages are re-randomized before the just-in-time payload executes (at the cost of repeated randomization overhead) • Fortify defenses that hinder the first stage (i.e. the entry point) of a runtime attack • Apply instruction set randomization (ISR), which mitigates code injection attacks by encrypting the binary's code pages with a random key and decrypting them on the fly • Enforce control-flow integrity (CFI), which mitigates control-flow hijacking at runtime regardless of whether the program suffers from memory-corruption vulnerabilities
Conclusion
In this paper, they introduce a novel framework that undermines fine-grained randomization techniques by using a just-in-time code reuse strategy. They repeatedly abuse a memory disclosure to map an application's memory layout on the fly. The framework dynamically discovers API functions and gadgets, and JIT-compiles a target program using those gadgets, all within a script environment at the time an exploit is launched.
Moving on
Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh
Abstract
Return Oriented Programming (ROP): the attacker knows the location of useful gadgets, because the binary and its distribution are available.
What if the binary remains unknown to the attacker?
It is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash.
Solution: the Blind ROP (BROP) attack remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which the exploit can be completed using known techniques.
Open-source software • The source code is available to everyone • It is most within reach of attackers • Attackers can audit the code to find vulnerabilities. Proprietary software • Usually no one outside the vendor has access to the source code • Hacking this software is also possible, but harder • Attackers must rely on fuzz testing and reverse engineering
Simplest possible vulnerability: stack buffer overflows. Bugs such as these go unnoticed in proprietary software, where the source (and binary) has not been under the heavy scrutiny of the public and security specialists.
Challenge
The challenge lies in developing a methodology for exploiting these vulnerabilities when information about the target binary is limited.
One advantage attackers often have: many servers restart their worker processes after a crash for robustness.
They present a new attack, Blind Return Oriented Programming (BROP), that takes advantage of these situations to build exploits for proprietary services for which both the binary and source are unknown.
BROP attack assumptions • A server application with a stack buffer overflow vulnerability • One that is restarted after a crash • Runs 64-bit Linux with ASLR, non-executable (NX) memory, and stack canaries enabled
Position Independent Executables (PIE) are an output of the hardened package build process. A PIE binary and all of its dependencies are loaded into random locations within virtual memory each time the application is executed.
The attack is enabled by two new techniques 1. Generalized stack reading: this generalizes a known technique, used to leak canaries, to also leak saved return addresses in order to defeat ASLR on 64-bit even when Position Independent Executables (PIE) are used 2. Blind ROP: this technique remotely locates ROP gadgets Both techniques share the idea of using a single stack vulnerability to leak information based on whether a server process crashes or not. The stack reading technique overwrites the stack byte-by-byte with possible guess values until the correct one is found and the server does not crash; this works because a forked worker inherits the parent's canary and address-space layout, so the values stay the same across restarts.
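As an added example (not the Hacking Blind authors' Braille code), the C program below simulates generalized stack reading against a fork-based server. The "worker" models the frame above a vulnerable 64-byte buffer on x86-64 Linux ([buffer][canary][saved rbp][return address], little-endian), inherits those values unchanged across every restart, and answers "crashed" or "kept running" to each overflow attempt. The attacker extends the overflow by exactly one byte per round and keeps the first guess that does not crash. The frame values are constructed.

```c
/* Added example (not the Hacking Blind authors' code): simulated generalized
 * stack reading of canary, saved rbp and return address, one byte at a time. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF 64                       /* size of the vulnerable stack buffer */

/* What sits right above the buffer in the worker's frame. */
struct frame { uint64_t canary, saved_rbp, ret; };
#define FRAME_BYTES sizeof(struct frame)

/* Simulated worker: copies `n` attacker bytes into a BUF-byte buffer. Bytes
 * written past the buffer must equal what was already there; the first
 * mismatch corrupts the canary or frame and the worker "crashes" (returns 0).
 * Otherwise the request completes normally (returns 1). A real server signals
 * the crash by dropping the connection without a reply. */
static int worker(const struct frame *f, const uint8_t *data, size_t n)
{
    uint8_t stack[BUF + FRAME_BYTES];
    memset(stack, 0, BUF);
    memcpy(stack + BUF, f, FRAME_BYTES);
    if (n > sizeof stack) return 0;
    size_t overflow = n > BUF ? n - BUF : 0;
    return memcmp(stack + BUF, data + BUF, overflow) == 0;
}

/* Generalized stack reading: for byte i past the buffer, send BUF+i+1 bytes
 * with bytes 0..i-1 set to the values already recovered and byte i set to a
 * guess; the first guess that does not crash is the right one. Returns the
 * number of bytes recovered; *tries counts requests sent (at most 256/byte). */
size_t stack_read(const struct frame *f, uint8_t *out, size_t want, unsigned *tries)
{
    uint8_t probe[BUF + FRAME_BYTES];
    memset(probe, 'A', BUF);
    *tries = 0;
    if (want > FRAME_BYTES) want = FRAME_BYTES;
    for (size_t i = 0; i < want; i++) {
        int found = 0;
        for (int guess = 0; guess < 256; guess++) {
            probe[BUF + i] = (uint8_t)guess;
            (*tries)++;
            if (worker(f, probe, BUF + i + 1)) { out[i] = (uint8_t)guess; found = 1; break; }
            /* crash: the parent fork()s a fresh worker with the same layout */
        }
        if (!found) return i;   /* only if the values changed between restarts */
    }
    return want;
}

/* Constructed frame of the simulated parent. The canary's lowest byte is
 * 0x00, as glibc sets it, so that string functions stop at the canary. */
static const struct frame sample = {
    .canary    = 0x6f1c2a9b4e5d3700ULL,
    .saved_rbp = 0x00007ffd1b2c3d40ULL,
    .ret       = 0x000055a4c0e1d2f3ULL,  /* return into the PIE text segment */
};

/* Leak word `idx` (0 canary, 1 saved rbp, 2 return address) of `sample`. */
uint64_t leak_word(size_t idx, unsigned *tries)
{
    uint8_t bytes[FRAME_BYTES];
    unsigned t;
    if (idx > 2) return 0;
    if (stack_read(&sample, bytes, FRAME_BYTES, &t) != FRAME_BYTES) return 0;
    if (tries) *tries = t;
    uint64_t w = 0;
    for (int b = 7; b >= 0; b--) w = (w << 8) | bytes[8 * idx + b];   /* little-endian */
    return w;
}

/* Requests needed to read the whole 24-byte region of `sample`. */
unsigned leak_tries(void)
{
    unsigned t = 0;
    leak_word(0, &t);
    return t;
}

int main(void)
{
    printf("canary    %016llx\n", (unsigned long long)leak_word(0, NULL));
    printf("saved rbp %016llx\n", (unsigned long long)leak_word(1, NULL));
    printf("ret addr  %016llx (a PIE text pointer: ASLR defeated)\n",
           (unsigned long long)leak_word(2, NULL));
    printf("%u requests for 24 bytes (worst case %u, brute force 2^64 per word)\n",
           leak_tries(), 24 * 256);
    return 0;
}
```

The leaked return address is what turns the canary-leak trick into an ASLR defeat: it is a pointer into the randomized PIE text segment, and the BROP gadget search can start scanning from there. The simulation also shows the assumption the defense suggestions target: if the server re-randomized (re-executed rather than re-forked) after each crash, the byte recovered in one round would be meaningless in the next.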
The Blind ROP attack remotely finds enough gadgets to perform the write system call, after which the server's binary can be transferred from memory to the attacker's socket. At this point, canaries, ASLR and NX have been defeated and the exploit can proceed using known techniques.
The BROP attack enables robust, general-purpose exploits for three new scenarios:
1. Hacking proprietary closed-binary services. One may notice a crash when using a remote service or discover one through remote fuzz testing.
2. Hacking a vulnerability in an open-source library thought to be used in a proprietary closed-binary service. A popular SSL library, for example, may have a stack vulnerability and one may speculate that it is being used by a proprietary service.
3. Hacking an open-source server for which the binary is unknown. This applies to manually compiled installations or source-based distributions such as Gentoo.
Braille makes BROP attacks highly automated
Their overall contribution 1. A technique to defeat ASLR on servers (generalized stack reading). 2. A technique to remotely find ROP gadgets (BROP) so that software can be attacked when the binary is unknown. 3. Braille: a tool that automatically constructs an exploit given input on how to trigger a stack overflow on a server. 4. The first public exploit for nginx's recent vulnerability that is generic, 64-bit, and defeats (full/PIE) ASLR, canaries and NX.
Their overall contribution 5. Suggestions for defending against BROP attacks. In summary, ASLR must be applied to all executable segments (PIE) and re-randomization must occur after each crash (which is at odds with fork-only servers). Withholding the binary from the attacker or purposefully altering it is not an effective security countermeasure on its own.
Historical Overview
Exploitation defenses through time (attack technique → defense)
§ Shellcode injected via an overwritten return address → stack canary
§ Overwriting structured exception handlers (SEH) → NX bit
§ Redirecting execution to existing shared-library functions, then chaining together short instruction sequences ending with ret (gadgets, ROP) → ASLR
§ Memory disclosure problem → ?
ROP Tutorial