
Just-in-Time Code Reuse: The more things change, the more they stay the same (PowerPoint presentation)

Just-in-Time Code Reuse: The more things change, the more they stay the same
Kevin Z. Snow (1), Luca Davi (2), C. Liebchen (2), A. Dmitrienko (2), F. Monrose (1), A.-R. Sadeghi (2)
1 Department of Computer Science, 2 CASED/Technische Universität, University


10. Basics of Fine-grained ASLR
  [Figure: two runs of the same application loading a library (e.g., user32.dll); across Application Run 1 and Run 2 the library's instruction sequences (Instruction ... RET, Sequence 1/2/3) appear in different orders]
  • Different fine-grained ASLR approaches have been proposed recently
    - ORP [Pappas et al., IEEE Security & Privacy 2012]
    - ILR [Hiser et al., IEEE Security & Privacy 2012]
    - STIR [Wartell et al., ACM CCS 2012]
    - XIFER [Davi et al., ASIACCS 2013]
  • All mitigate single memory disclosure attacks
  Thursday, August 1, 13

11. Inner Basic Block Randomization [Pappas et al., IEEE S&P 2012]
  • Instruction Reordering
      Original:             Randomized:
      MOV EBX, &ptr         MOV EAX, &string
      MOV EAX, &string      MOV EBX, &ptr
  • Instruction Substitution
      Original:             Randomized:
      MOV EBX, $0           XOR EBX, EBX
  • Register Re-Allocation (in case another register is free to use)
      Original:             Randomized:
      MOV EAX, &ptr         MOV EBX, &ptr
      CALL *EAX             CALL *EBX

12. Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al., AsiaCCS 2013]
  Original:                      Randomized:
  BBL_1:                         BBL_2 at 0x1000:
      MOV EBX, EAX                   MOV (ESP), EAX
      CALL 0x10FF                    RET
  BBL_2:                         BBL_3 at 0x10A0:
      MOV (ESP), EAX                 ADD EAX, ECX
      RET                            RET
  BBL_3 at 0x10FF:               BBL_1 at 0x10FF:
      ADD EAX, ECX                   MOV EBX, EAX
      RET                            CALL 0x10A0
                                     JMP 0x1000
  Because whole basic blocks move, the direct CALL target is rewritten (0x10FF becomes 0x10A0) and the implicit fall-through from BBL_1 into BBL_2 becomes an explicit JMP 0x1000.

13. Instruction Location Randomization [Hiser et al., IEEE S&P 2012]
  Original:                  Randomized (address: instruction):
      MOV EBX, EAX               0x1000: MOV (ESP), EAX
      CALL 0x10FF                0x12A0: RET
      MOV (ESP), EAX             0x1F00: RET
      RET                        0x2000: CALL 0x3000
  0x10FF: ADD EAX, ECX           0x2500: MOV EBX, EAX
      RET                        0x3000: ADD EAX, ECX
  Fall-through map:
      0x2500 -> 0x2000
      0x2000 -> 0x1000
      0x1000 -> 0x12A0
      0x3000 -> 0x1F00
  Execution is driven by a fall-through map and a binary translation framework (Strata)
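The three slides above describe fine-grained ASLR as a transformation that preserves program behaviour while breaking the fixed mapping from addresses to instructions. The following Python is an added illustration, not code from the talk or from ORP, ILR or Strata: it models the ILR idea on the slides' example (every instruction gets a fresh random address, a fall-through map replaces implicit sequential execution, direct CALL targets are relocated) and also applies the MOV r,0 to XOR r,r substitution from the Pappas et al. slide. A small interpreter then confirms that the randomized layout computes exactly the same final state as the original. The instruction set, the addresses, the register names, the RESULT pseudo-register (standing in for the slides' MOV (ESP), EAX memory store) and all function names are constructed for this example.

```python
"""Toy model of instruction location randomization with a fall-through map.

Constructed example, not code from the talk or from ILR/Strata: it shows why
fine-grained ASLR keeps a program's semantics while destroying the fixed
address-to-instruction layout that classic (static) code reuse relies on.
"""
import random

# Constructed program in the slides' notation: (address, mnemonic, operands).
# "RESULT" is a stand-in register for the slides' memory store "MOV (ESP), EAX".
ORIGINAL = [
    (0x1000, "MOV", ("EDX", 0)),          # candidate for MOV r,0 -> XOR r,r substitution
    (0x1002, "MOV", ("EBX", "EAX")),
    (0x1004, "CALL", (0x10FF,)),          # direct call; its target must be relocated
    (0x1009, "MOV", ("RESULT", "EAX")),
    (0x100B, "RET", ()),
    (0x10FF, "ADD", ("EAX", "ECX")),
    (0x1101, "RET", ()),
]
ENTRY = 0x1000


def layout_original(original):
    """Program as a normal CPU sees it: fixed addresses, sequential fall-through."""
    program = {addr: (mnem, ops) for addr, mnem, ops in original}
    fallthrough = {original[i][0]: original[i + 1][0] for i in range(len(original) - 1)}
    return program, fallthrough


def randomize(original, rng, lo=0x2000, hi=0x4000):
    """Place every instruction at a fresh random address, record each one's
    fall-through successor, rewrite direct CALL targets to the callee's new
    address, and substitute MOV r,0 with XOR r,r (constructed transform set)."""
    old_addrs = [addr for addr, _, _ in original]
    relocate = dict(zip(old_addrs, rng.sample(range(lo, hi), len(original))))
    program, fallthrough = {}, {}
    for i, (addr, mnem, ops) in enumerate(original):
        if mnem == "CALL":
            ops = (relocate[ops[0]],)               # callee moved as well
        elif mnem == "MOV" and ops[1] == 0:
            mnem, ops = "XOR", (ops[0], ops[0])     # instruction substitution
        program[relocate[addr]] = (mnem, ops)
        if i + 1 < len(original):
            fallthrough[relocate[addr]] = relocate[original[i + 1][0]]
    return program, fallthrough, relocate


def run(program, fallthrough, entry, regs, max_steps=1000):
    """Interpreter that never assumes the next instruction sits at pc+len:
    it always consults the fall-through map, as the ILR slide describes."""
    regs, stack, pc = dict(regs), [], entry
    for _ in range(max_steps):
        mnem, ops = program[pc]
        if mnem == "MOV":
            regs[ops[0]] = ops[1] if isinstance(ops[1], int) else regs[ops[1]]
        elif mnem == "XOR":
            regs[ops[0]] = regs.get(ops[0], 0) ^ regs.get(ops[1], 0)
        elif mnem == "ADD":
            regs[ops[0]] = (regs[ops[0]] + regs[ops[1]]) & 0xFFFFFFFF
        elif mnem == "CALL":
            stack.append(fallthrough[pc])           # return address = fall-through successor
            pc = ops[0]
            continue
        elif mnem == "RET":
            if not stack:
                return regs                          # returned from the entry frame
            pc = stack.pop()
            continue
        pc = fallthrough[pc]
    raise RuntimeError("runaway execution")


def compare(seed=1, regs=None):
    """Run the original and one randomized layout on the same inputs and
    return both final states plus the randomized layout for inspection."""
    regs = regs or {"EAX": 5, "ECX": 7}               # constructed initial state
    prog, ft = layout_original(ORIGINAL)
    rprog, rft, reloc = randomize(ORIGINAL, random.Random(seed))
    return {
        "original": run(prog, ft, ENTRY, regs),
        "randomized": run(rprog, rft, reloc[ENTRY], regs),
        "entry_still_at_old_address": ENTRY in rprog,
        "relocation": reloc,
        "randomized_program": rprog,
        "randomized_fallthrough": rft,
    }


if __name__ == "__main__":
    out = compare()
    print("same final state:", out["original"] == out["randomized"])
    print("relocation map:", {hex(k): hex(v) for k, v in out["relocation"].items()})
```

Running it shows the point the slides make: the final register state is identical in both layouts, yet no instruction remains at its original address and the bytes at the old CALL target no longer hold the callee, so an address learned from one run (or one disclosure) says nothing about where a given instruction lives in another.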

14. Does Fine-Grained ASLR Provide a Viable Defense in the Long Run?

15. Contributions
  1. A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse
  2. We show that memory disclosures are far more damaging than previously believed
  3. A prototype exploit framework that demonstrates one instantiation of our idea, called JIT-ROP

16. Assumptions
  Adversary:
    • Memory Disclosure Vulnerability
    • Control-Flow Vulnerability
  Defender:
    • Non-Executable Stack and Heap
    • Fine-Grained ASLR

17. Workflow of Just-In-Time Code Reuse
  Adversary provides: Leak Code Pointer; Exploit Description (High-Level Language)
  Target: Vulnerable Application
  JIT-ROP Framework: Map Memory ⇒ Find ROP Sequences (Gadgets) ⇒ Find API Functions ⇒ Compile ROP Program

18. Challenges
  • Map memory without crashing
  • Find gadgets, APIs, and compile payload dynamically at runtime
  • Fully automated
  • Demonstrate efficient, practical exploit

19. Our Approach: Map Memory (steps: Map Memory, Find API Calls, Find Gadgets, JIT Compile)
  observation: single leaked function pointer ⇒ an entire code page is present
  [Figure: the initial code page, shown first as raw bytes (f295afcad42b43, 638b2bbf6381ff, 72efc88bda4cc0, 0732bba1575ccb, eb7c025e6b8ad3, 0c283baa9f03e4, 7464fc814176cd, 546bcee28e4232) and then disassembled:]
      ...
      push 0x1
      call [-0xFEED]
      mov ebx, eax
      jmp +0xBEEF
      dec ecx
      xor ebx, ebx
      ...
  [The figure then repeats this page many times, fanning out from its call and jmp references, to show further code pages being reached from the initial one]

20. Our Approach: Find API Calls
  Desired Payload:
      URLDownloadToFile("http://...", "bot.exe");
      WinExec("bot.exe");
      ExitProcess(1);
  Vulnerable Application, Code Page Previously Found (API references seen there):
      Sleep(...)
      FindWindow(...)
      GetActiveWindow(...)
      LoadLibrary("library.dll")   (several references)
      GetProcAddress("func1")      (several references)
      GetProcAddress("func2")      (several references)
  • needed APIs often not referenced by program
  • dynamic library and function loading is common
  • solution: scan for LoadLibrary and GetProcAddress references instead
  Desired Payload, With Dynamic Loading:
      LoadLibrary("urlmon.dll");
      GetProcAddress(@, "URLDownloadToFile");
      @("http://...", "bot.exe");
      LoadLibrary("kernel32.dll");
      GetProcAddress(@, "WinExec");
      @("bot.exe");
      ...

21. Our Approach: Find Gadgets
  code pages ⇒ code sequences (Galileo Algorithm [Shacham, ACM CCS 2007]) ⇒ gadget types
  [Figure: the code pages discovered earlier (push 0x1 / call [-0xFEED] / mov ebx, eax / jmp +0xBEEF / dec ecx / xor ebx, ebx ...) are scanned for ret-terminated code sequences, e.g.]
      mov ebx, eax ; ret
      pop eax ; mov [ecx], eax ; ret
      pop eax ; mov ebx, edx ; ret
      mov eax, 0x14 ; ret
  gadgets found, by type: MovRegG, JumpG, ArithmeticG, LoadRegG
