Buffer Overflow Attack with Multiple Fault Injection and a Proven Countermeasure
Shoei Nashimoto, Naofumi Homma, Yu-ichi Hayashi and Takafumi Aoki
GSIS, Tohoku University, Japan
PROOFS 2015, Saint Malo, France, 17 September 2015

Embedded devices become attractive
- Attacking embedded systems is increasingly attractive
  - Many devices connect to networks (Internet of Things)
  - Worth paying a high cost, e.g., attacks on cryptographic hardware
- Fault injection attacks
  - Inject fault(s) into a cryptographic operation and obtain the secret key from the faulty output(s)
  - Fault injection into microcontrollers often causes bit inversion or instruction skip [Agoyan 2010], [Endo 2014]
- It is possible to apply fault injection techniques to general-purpose software

Fault injection attacks on general-purpose software
- Previous works
  - Execute arbitrary code in the Java Virtual Machine by inverting bits [Govindavajhala 2003], [Bouffard 2011]
  - Cause an effect like buffer overflow (BOF) using instruction skip [Fouque 2012]
- Not only cryptographic software: fault injection attacks are also a threat to general-purpose software

This work
- Propose a buffer overflow attack with multiple fault injection
  - Instruction skips are not considered in most software
  - Can invalidate countermeasures based on secure coding
  - Overcome a typical software countermeasure and perform a general buffer overflow (BOF) attack
- Propose an effective countermeasure and prove its validity
[Diagram combining attacks to hardware and attacks to software: DoS attacks, side-channel attacks, BOF attacks, fault injection attacks, injection attacks]

Outline: Background; Buffer overflow attacks; Proposed attack & experiment; Countermeasure; Conclusion

What are BOF attacks?
- Buffer overflow (BOF)
  - Invalid memory overwrite caused by input that exceeds the assigned memory size
  - Commonly happens when using flexible languages that can finely handle a memory region, such as C/C++
  - strcpy(), scanf(), gets() are dangerous
- BOF attacks
  - Use a BOF vulnerability to execute malicious operations
  - Abnormal stop of OS or applications
  - Gaining administrator rights

How to perform BOF attack (e.g., strcpy())

    #include <string.h>

    void sub_function(char *data) {
        char buf[20];            /* (2) memory allocation: 20 bytes on the stack */
        strcpy(buf, data);       /* (3) string-copy operation, no limit on input length */
        return;
    }

    int main(int argc, char *argv[]) {
        char *data = argc > 1 ? argv[1] : "";   /* input data; its origin is not shown on the slide */
        sub_function(data);      /* (1) function call */
        return 0;
    }

[Stack diagram, addresses 0x0000 to 0xFFFF, shown after (1) function call, (2) memory allocation and (3) string-copy operation: buf[20] (empty, then holding the input data), stack pointer, return address.]
[Same diagram with attack data: the copy runs past buf[20] over the stack pointer and return address; labels "Attack Code" and "Shell Code".]

Countermeasure against BOF attacks

Name | Method | Layer
ASLR (Address Space Layout Randomization) | Change stack address for every execution. | OS (Operating System)
SG (Stack Guard) | Add random numbers and check them at the end of function. | Compiler
DEP (Data Execution Prevention), ES (Exec Shield) | Prohibit execution of all code in the stack. | OS, CPU, Compiler
ISL (Input Size Limitation) | Use function that can limit input size. | Program

Input Size Limitation (ISL)
- Only needs the standard C library
- Simply change the function to use: strcpy(dest, src) → strncpy(dest, src, size)

Outline: Background; Buffer Overflow Attacks; Proposed attack & Experiment; Countermeasure; Conclusion

Concept of the proposed attack
- Assumption
  - Feeding a glitchy clock signal into the CPU enables instruction skip(s).
  - [Figure: glitchy clock signal; skip multiple and arbitrary instructions]
- Attack method
  - Skip a few instructions while the attack code is being input, invalidating the boundary check so that the buffer overflows
  - Take control of the CPU as in common attacks

BOF using instruction skips
- Target function: strncpy(dst, src, size)
  - Limit input size up to size
- Target instructions
  - ① Subtract (update) instruction: continue the loop without update → increase input size by 1 character
  - ② Branch instruction: continue the loop unconditionally → over the assigned size
[Flowchart "Simplified flow of strncpy()": START; cnt-- (marked 1); cnt < 0? (marked 2; Yes: END); copy 1 character; null? (Yes: END; No: back to the top of the loop)]

Experimental setup
- Equipment
  - SASEBO-W (Side-channel Attack Standard Evaluation BOard)
  - Smart card (AVR ATmega163)
  - Clock glitch generator (on FPGA)
  - PC (communicates with the board)
- Conditions

Microcontroller | AVR ATmega163 (8 bit)
Clock frequency of microcontroller | Up to 8 MHz
Compiler | avr gcc (4.3.3) (not optimized, -O0)
FPGA | Xilinx XC6SLX150-FGG484
Attack condition | Program is known

Experimental outline
- Procedure
  - Invalidate the countermeasure of strncpy() and perform BOF attack
  - Overwrite return address to call function in the program
- Control flow (PC and smart card, in time order)
  - 1. User input (32 byte)
  - 1'. Fault injection command
  - 2. Handle input data: store 19 byte into char msg[20] by using strncpy()
  - 3. Memory dump

Result
[Memory dump: char msg[20], followed by stack pointer + return address]
- No fault: "A...A" (20 byte)
- 5 faults: "A...A (0x38) (0x04) (0x04) (0x08)" (24 byte)

    void hello_world() {
        memcpy((char*)0x120, "hello world!", 12);
    }

Function maliciously called by the BOF attack (the address is obtained from the object dump of the program)

Possibility of proposed attack
- Target functions
  - User functions that have iteration
  - strncpy(), fgets(), strncmp(), memcpy()
  - CERT/CC Top 10 Secure Coding Practices [1], No1: Validate input.
- Attack conditions
  - Physically accessible (fault injection)
  - Program is known (BOF attack)
[Flowchart "Vulnerable structure": START; loop; load data from memory; store data into memory; end judgement (continue / end); END]

[1] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

Example of attack scenario
- Malicious firmware update in M2M network
  - Master: 1. Sign update program by private key
  - Node: 2. Check validity of the program by public key
  - Send malicious update program, and perform BOF attack
  - Directly call update function
[Diagram: Machine To Machine (M2M) sensor network with master, Internet and node]

Outline: Background; Buffer Overflow Attacks; Proposed attack & Experiment; Countermeasure; Conclusion

How to protect branch instruction
- Locate branch instruction at the bottom of loop
- "Skip branch → The loop is finished"
[Two flowcharts side by side. First: START; cnt--; cnt < 0?; copy 1 character; null?; END. Second: START; copy 1 character; null?; cnt--; cnt < 0?; END.]

How to protect update instruction
- Associate loop counter with store address
- "Skip update → Data is stored into same address"
[Two diagrams side by side. One initializes str = init with a separate counter cnt running between size and 0; the other initializes str = init and end = size + str, finishing at init + size. Each shows the buffer "a b c d e - -" before the update is skipped; afterwards one holds "a b c d e f -" (BOF) and the other "a b c d f - -".]

Application to AVR microcontroller

    my_strncpy:
    INIT:
        movw r30, r22       ; Z = source pointer
        movw r26, r24       ; X = destination pointer
        add  r20, r26       ; r21:r20 = size + destination
        adc  r21, r27
        rjmp CMP
    LOOP:
        ld   r0, Z+
        st   X, r0
        adiw r26, 0x01      ; update the store address
        and  r0, r0
        breq Z_CMP
    CMP:
        cp   r26, r20       ; compare store address with end address
        cpc  r27, r21
        brlo LOOP
        ret
        …

    strncpy:
    INIT:
        movw r30, r22       ; Z = source pointer
        movw r26, r24       ; X = destination pointer
    LOOP:
        subi r20, 0x01      ; decrement the counter in r21:r20
        sbci r21, 0x00
        brcs END
        ld   r0, Z+
        st   X+, r0
        and  r0, r0
        brne LOOP
        rjmp Z_CMP
        …

Legend (highlighting lost in extraction): protected instructions, i.e. update instructions and branch instruction

Security evaluation
- Assumptions of attackers
  - 1. Skip multiple and arbitrary instructions
  - 2. Use BOF
  - 3. All flags are reset when my_strncpy() is called
- Evaluation method
  - Examine all the possible instruction skips (2^20 patterns)
  - Consider all the combinations of four instructions by above assumptions

    my_strncpy:    # 20 inst
    INIT:
        movw r30, r22
        movw r26, r24
        add  r20, r26       ; (1)
        adc  r21, r27       ; (2)
        rjmp CMP
    LOOP:
        ld   r0, Z+
        st   X, r0
        adiw r26, 0x01
        and  r0, r0
        breq Z_CMP
    CMP:
        cp   r26, r20       ; (3)
        cpc  r27, r21       ; (4)
        brlo LOOP
        ret
        …
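
Added example (not code from the slides or the authors): a C model of the strncpy and my_strncpy loops shown above, run under every skip pattern over the first 20 executed instructions to count the patterns that store outside the buffer. Assumptions: each 16-bit pair (add/adc, cp/cpc, subi/sbci) is merged into one abstract op, flags are reduced to one carry flag that starts cleared, ret and the exit to Z_CMP cannot be skipped, and BASE, SIZE, SRC and the op names are constructed for illustration.

```c
#include <stdio.h>
/* Abstract ops; comments in run() name the AVR instructions each one stands for. */
enum op { ENDP, JMP, LD, ST, STI, INC, BZ, BNZ, CMP, BLO, DEC, BCS, HALT };
struct ins { enum op op; unsigned target; };

/* strncpy loop from the slide: counter update and store address are independent. */
static const struct ins ORIG[] = {
    {DEC, 0}, {BCS, 5}, {LD, 0}, {STI, 0}, {BNZ, 0}, {HALT, 0} };
/* my_strncpy: end address replaces the counter, bound check at the loop bottom. */
static const struct ins PROT[] = {
    {ENDP, 0}, {JMP, 6}, {LD, 0}, {ST, 0}, {INC, 0}, {BZ, 8},
    {CMP, 0}, {BLO, 2}, {HALT, 0} };

enum { BASE = 16, SIZE = 2, WINDOW = 20 };   /* constructed buffer address and size */
static const char SRC[] = "AAAAAAAA";        /* constructed input, longer than SIZE */

/* Execute prog; the k-th executed instruction is skipped when bit k of mask is set.
   Returns how many stores landed outside [BASE, BASE + SIZE). */
unsigned run(const struct ins *prog, unsigned long mask) {
    unsigned pc = 0, step, s = 0, d = BASE, lim = SIZE, flag = 0, oob = 0;
    char c = 0;
    for (step = 0; prog[pc].op != HALT; step++) {    /* HALT (ret/exit) is never skipped */
        struct ins i = prog[pc++];
        if (step < WINDOW && (mask >> step & 1)) continue;
        switch (i.op) {
        case ENDP: lim += d; break;                       /* add/adc: end = size + dst */
        case DEC:  flag = (lim-- == 0); break;            /* subi/sbci: carry on borrow */
        case LD:   c = s < sizeof SRC ? SRC[s] : 0; s++; break;   /* ld r0, Z+ */
        case ST: case STI: oob += (d < BASE || d >= BASE + SIZE);
                   d += (i.op == STI); break;             /* st X, r0 / st X+, r0 */
        case INC:  d++; flag = 0; break;                  /* adiw: carry cleared, no wrap */
        case CMP:  flag = d < lim; break;                 /* cp/cpc */
        case BZ:   if (c == 0) pc = i.target; break;      /* and + breq */
        case BNZ:  if (c != 0) pc = i.target; break;      /* and + brne */
        case BLO: case BCS: if (flag) pc = i.target; break;
        case JMP:  pc = i.target; break;                  /* rjmp CMP */
        default:   break;
        }
    }
    return oob;
}

/* Number of skip patterns (out of 2^WINDOW) that cause at least one overflowing store. */
unsigned long count_overflows(const struct ins *prog) {
    unsigned long n = 0, m;
    for (m = 0; m < (1UL << WINDOW); m++) n += run(prog, m) > 0;
    return n;
}

int main(void) {
    printf("original: %lu  protected: %lu\n", count_overflows(ORIG), count_overflows(PROT));
    return 0;
}
```

In this model the protected loop has no overflowing pattern because the carry flag can only be set by a compare against the end address and is cleared whenever the store address advances; the original loop overflows once a single decrement or bound-check branch is skipped.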