CSci 4271W Development of Secure Software Systems, Day 6: Memory safety defenses and counter-attacks (lecture slides, PDF)



CSci 4271W Development of Secure Software Systems
Day 6: Memory safety defenses and counter-attacks
Stephen McCamant, University of Minnesota, Computer Science & Engineering

Outline
- W ⊕ X (DEP)
- Return-oriented programming (ROP)
- Announcements break
- ROP shellcoding exercise

Basic idea
- Traditional shellcode must go in a memory area that is
  - writable, so the shellcode can be inserted
  - executable, so the shellcode can be executed
- But benign code usually does not need this combination
- "W xor X", really ¬(W ∧ X): no page is writable and executable at the same time

Non-writable code, X → ¬W
- E.g., read-only .text section
- Has been standard for a while, especially on Unix
- Lets the OS efficiently share code pages among multiple instances of a program

Non-executable data, W → ¬X
- Prohibit execution of static data, stack, heap
- Not a problem for most programs
- Incompatible with some GCC features no one uses (e.g. trampolines for nested functions, which place code on the stack)
- Non-executable stack was opt-in on Linux, but is now near-universal
- One important exception (below)

Implementing W ⊕ X
- Page protection implemented by the CPU (page-table permission bits)
- Some architectures (e.g. SPARC) long supported W ⊕ X
- x86 historically did not: one bit controls both read and execute, so every readable page was executable
- Partial stop-gap: the "code segment limit" trick (set the CS segment limit so that the stack and heap lie above it and cannot be fetched as code)
- Eventual obvious solution: add a new page-table bit: NX (AMD), XD (Intel), XN (ARM)

One important exception
- Remaining important use of self-modifying code: just-in-time (JIT) compilers
  - E.g., all modern JavaScript engines
- Allow code to re-enable execution per block: mprotect (Unix), VirtualProtect (Windows)
- Now a favorite target of attackers

Counterattack: code reuse
- Attacker can't execute new code
- So, take advantage of instructions already in the binary
- There are usually a lot of them
- And no need to obey the original structure
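The W ⊕ X rule can be checked from inside a running process. The following is an added example, not code from the slides: it parses /proc/self/maps (Linux) and flags any mapping whose permissions are both w and x, and it performs the JIT pattern the slides describe, writing to a page while it is RW and then flipping it to RX with mprotect so the page is never both at once. The sample maps lines are constructed, and the function names are my own.

```c
/* Added example, not code from the slides.  Two checks around W xor X on
 * Linux: (1) parse /proc/self/maps and flag any mapping that is both
 * writable and executable; (2) the JIT pattern from the slides, writing
 * to a page while it is RW and flipping it to RX with mprotect, so the
 * page is never W and X at the same time. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A /proc/self/maps line starts "lo-hi perms ..." with perms like "rwxp".
 * Returns 1 if the mapping is both writable and executable, 0 if not,
 * -1 if the line is not a maps line. */
int maps_line_is_wx(const char *line)
{
    unsigned long lo, hi;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3 || strlen(perms) != 4)
        return -1;
    return (perms[1] == 'w' && perms[2] == 'x') ? 1 : 0;
}

/* Number of W&X mappings in this process, or -1 when /proc/self/maps is
 * unavailable (non-Linux, or a restricted sandbox). */
int count_wx_mappings(void)
{
    char line[512];
    int count = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (maps_line_is_wx(line) == 1) count++;
    fclose(f);
    return count;
}

/* Constructed sample lines in maps format (not captured from a real process). */
static const char *const sample_lines[] = {
    "08048000-08049000 r-xp 00000000 08:01 1234       /bin/cat",  /* code: X only */
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]",   /* stack: W only */
    "b7f00000-b7f10000 rwxp 00000000 00:00 0",                    /* violates W xor X */
};

/* How many of the sample lines violate W xor X. */
int count_sample_wx(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++)
        n += maps_line_is_wx(sample_lines[i]) == 1;
    return n;
}

/* JIT-style flip: fill a page while RW, then make it RX before any use as
 * code.  Returns the number of W&X mappings observed after the flip
 * (0 is what a W xor X clean process shows), or -1 if the flip failed or
 * /proc is unavailable. */
int jit_style_flip(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    page[0] = 0xc3;                               /* a lone x86 "ret" */
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) { munmap(page, pg); return -1; }
    int wx = count_wx_mappings();
    munmap(page, pg);
    return wx;
}

int main(void)
{
    printf("constructed sample: %d W&X mapping(s)\n", count_sample_wx());
    printf("this process after a RW->RX flip: %d\n", jit_style_flip());
    return 0;
}
```

The third constructed line is what a careless JIT (or an attacker who has already called mprotect) leaves behind; a hardened JIT keeps its pages RW or RX but never both, which is exactly what the flip function demonstrates. On a kernel that forbids making anonymous memory executable the flip returns -1 rather than silently passing.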

Classic return-to-libc (1997)
- Overwrite the stack with copies of:
  - Pointer to libc's system function
  - Pointer to a "/bin/sh" string (also in libc)
- The system function is especially convenient
- Distinctive feature: return to a function's entry point, not to injected code
- Basic idea present in 1997, further refinements since
- Pop culture analogy: the ransom note trope (a message assembled from letters cut out of existing text)

Chained return-to-libc
- Shellcode often wants a sequence of actions, e.g.
  - Restore privileges
  - Allow execution of a memory area
  - Overwrite a system file, etc.
- Can put multiple fake frames on the stack, each "returning" into the next function

Outline (next: Return-oriented programming)
- W ⊕ X (DEP)
- Return-oriented programming (ROP)
- Announcements break
- ROP shellcoding exercise

Basic new idea
- Treat the stack like a new instruction set
- "Opcodes" are pointers to existing code, stored on the stack
- Generalizes return-to-libc with more programmability
- Academic introduction and source of the name: Hovav Shacham, ACM CCS 2007 ("The Geometry of Innocent Flesh on the Bone")

ret2pop (Nergal, Müller)
- Take advantage of a shellcode pointer already present on the stack
- Rewrite the intervening stack so the shellcode pointer is treated like a return address
- A long sequence of chained returns, then one pop

ret2pop (Nergal, Müller) (figure)

Gadgets
- Basic code unit in ROP
- Any existing instruction sequence that ends in a return
- Found by (possibly automated) search

Overlapping x86 instructions
  Bytes:   0f b6 56 1c ff 40 08 c6 ...
  Intended stream, starting at the first byte:
    0f b6 56 1c   movzbl 0x1c(%esi),%edx
    ff 40 08      incl 0x8(%eax)
    c6 ...        (continues)
  Unintended streams, starting one or two bytes in:
    b6 56         mov $0x56,%dh      (starting at byte 1)
    56            push %esi          (starting at byte 2)
    1c ff         sbb $0xff,%al
    40            inc %eax
    08 c6         or %al,%dh
- Variable-length instructions can start at any byte
- Usually only one intended stream

Another partial example (figure)

Where gadgets come from
- Possibilities:
  - Entirely intended instructions
  - Entirely unaligned bytes
  - Fall through from unaligned to intended
- Standard x86 return is only one byte, 0xc3, so it also turns up inside the operands and immediates of other instructions

Building instructions
- String together gadgets into manageable units of functionality
- Examples:
  - Loads and stores
  - Arithmetic
  - Unconditional jumps
- Must work around limitations of the available gadgets

Hardest case: conditional branch
- Existing jCC instructions are not useful (a conditional jump inside a gadget goes to a fixed code address, not to the next word on the stack)
- But the carry flag CF is useful
- Three steps:
  1. Do an operation that sets CF
  2. Transfer CF to a general-purpose register
  3. Add a variable amount (0 or the branch distance) to %esp, so the gadget's ret pops from the chosen place

Further advances in ROP
- Can also use other indirect jumps; overlapping not required
- Automation in gadget finding and compilers
- In practice: minimal ROP code to allow transfer to other shellcode

Outline (next: Announcements break)

Office hours
- Me: Mondays 1-2pm, TBA, or email for an appointment
- Saugata: Mondays 4-5pm, Thursdays 10-11am
- Zoom links coming soon to the Canvas page
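To make the overlapping-instruction slide and the "found by search" point concrete, here is an added example (not code from the slides) of the smallest useful piece of a gadget finder: a toy 32-bit x86 decoder that knows only the opcodes in the slide's byte sequence, run from different start offsets, plus a search that scans for 0xc3 and keeps the earlier offsets that decode cleanly onto it. The trailing bytes pop %eax; pop %edx; ret are constructed so the buffer contains a ret; a real tool does the same with a full-length decoder.

```c
/* Added example, not code from the slides: a toy 32-bit x86 decoder that
 * knows only the opcodes in the slide's byte sequence.  It shows that one
 * byte stream decodes to different instructions depending on the start
 * offset, and does the simplest gadget search: scan for 0xc3 (ret) and
 * keep the earlier offsets that decode cleanly onto it. */
#include <stdio.h>
#include <string.h>

/* The slide's eight bytes, then a constructed tail "pop %eax; pop %edx; ret"
 * so that the buffer contains a ret for the search to find. */
const unsigned char slide_bytes[] = {
    0x0f, 0xb6, 0x56, 0x1c, 0xff, 0x40, 0x08, 0xc6,   /* from the slide */
    0x58, 0x5a, 0xc3                                  /* constructed */
};
const int slide_len = (int)sizeof slide_bytes;

static const char *r32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *r8[8]  = {"al","cl","dl","bl","ah","ch","dh","bh"};

/* Decode one instruction at buf[off] into out (AT&T syntax).  Returns its
 * length in bytes, or 0 for anything this toy decoder does not know. */
int decode_one(const unsigned char *buf, int len, int off, char *out, int outsz)
{
    if (off >= len) { out[0] = 0; return 0; }
    const unsigned char *p = buf + off;
    int rem = len - off;
    unsigned char op = p[0];
    /* 0f b6 /r, mod=01 only: movzbl disp8(base),r32 (SIB not handled) */
    if (op == 0x0f && rem >= 4 && p[1] == 0xb6 && (p[2] >> 6) == 1 && (p[2] & 7) != 4) {
        snprintf(out, outsz, "movzbl 0x%x(%%%s),%%%s",
                 (unsigned)p[3], r32[p[2] & 7], r32[(p[2] >> 3) & 7]);
        return 4;
    }
    /* ff /0, mod=01 only: incl disp8(base) */
    if (op == 0xff && rem >= 3 && (p[1] >> 6) == 1 && ((p[1] >> 3) & 7) == 0 && (p[1] & 7) != 4) {
        snprintf(out, outsz, "incl 0x%x(%%%s)", (unsigned)p[2], r32[p[1] & 7]);
        return 3;
    }
    /* 08 /r, mod=11 only: or r8,r/m8 between registers */
    if (op == 0x08 && rem >= 2 && (p[1] >> 6) == 3) {
        snprintf(out, outsz, "or %%%s,%%%s", r8[(p[1] >> 3) & 7], r8[p[1] & 7]);
        return 2;
    }
    if (op == 0x1c && rem >= 2) { snprintf(out, outsz, "sbb $0x%x,%%al", (unsigned)p[1]); return 2; }
    if (op >= 0xb0 && op <= 0xb7 && rem >= 2) {        /* mov imm8,r8 */
        snprintf(out, outsz, "mov $0x%x,%%%s", (unsigned)p[1], r8[op - 0xb0]);
        return 2;
    }
    if (op >= 0x40 && op <= 0x47) { snprintf(out, outsz, "inc %%%s", r32[op - 0x40]); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outsz, "push %%%s", r32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outsz, "pop %%%s", r32[op - 0x58]); return 1; }
    if (op == 0xc3) { snprintf(out, outsz, "ret"); return 1; }
    snprintf(out, outsz, "(unknown 0x%02x)", (unsigned)op);
    return 0;
}

/* Text of the single instruction at off in the slide buffer. */
const char *disasm_at(int off)
{
    static char out[64];
    decode_one(slide_bytes, slide_len, off, out, sizeof out);
    return out;
}

/* Print the stream obtained by decoding forward from start until an
 * unknown byte or the end of the buffer. */
void print_stream(int start)
{
    char out[64];
    int off = start, n;
    printf("offset %2d:", start);
    while ((n = decode_one(slide_bytes, slide_len, off, out, sizeof out)) > 0) {
        printf(" %s;", out);
        off += n;
    }
    printf("\n");
}

/* Gadget search: for every ret, count the earlier start offsets whose
 * decoding lands exactly on that ret with no unknown instruction. */
int count_gadgets(int verbose)
{
    char out[64];
    int found = 0;
    for (int r = 0; r < slide_len; r++) {
        if (slide_bytes[r] != 0xc3) continue;
        for (int start = r - 1; start >= 0; start--) {
            int off = start, n;
            while (off < r && (n = decode_one(slide_bytes, slide_len, off, out, sizeof out)) > 0)
                off += n;
            if (off != r) continue;          /* unknown byte, or overshot the ret */
            found++;
            if (verbose) { printf("gadget at "); print_stream(start); }
        }
    }
    return found;
}

int main(void)
{
    for (int s = 0; s < 3; s++) print_stream(s);   /* same bytes, three readings */
    printf("%d ret-terminated gadgets\n", count_gadgets(1));
    return 0;
}
```

Offsets 0, 1 and 2 give the three streams on the slide; the search then finds seven gadgets ending at the single ret, including unaligned ones such as sbb $0xff,%al; inc %eax; or %al,%dh; pop %eax; pop %edx; ret that fall through into the intended instructions. Offsets whose decoding runs through the unknown byte c6, or that swallow the 0xc3 as an immediate, are correctly rejected.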

Project 1 status
- Badly Coded developers implementing the last few features
- Expect code release over the weekend, full instructions by next lecture
- Initial due date (attacks and first report) will be 10/9

Importance of attacks and shellcoding
- Constructing attacks will be important for the project
- Keep looking at yesterday's lab if you didn't finish; we'll come back to this next week

Outline (next: ROP shellcoding exercise)

Setup
- Key motivation for ROP is to disable W ⊕ X
- Can be done with a single syscall (mprotect on Linux), similar to execve shellcode
- Your exercise for today: put together such shellcode from a limited gadget set
- Puzzle/planning aspect: choose an order so that one gadget's side effects do not overwrite a register you already set
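The "stack as instruction set" view, the three-step conditional branch from the ROP section, and the exercise's ordering puzzle can all be run through a small simulator. This is an added example, not part of the slides or the course materials: gadget "addresses" are made-up constants, the gadget set (including a pop %ebx; pop %eax; ret gadget that clobbers eax) is assumed, the target address and length are placeholders, and the syscall gadget records the registers instead of entering the kernel. Only the i386 syscall number 125 for mprotect is real.

```c
/* Added example, not code from the slides: a simulator for the "stack as
 * instruction set" view of ROP.  Gadget "addresses" are made-up constants;
 * each gadget ends in ret, which the run loop models by popping the next
 * stack word as the new program counter.  The syscall gadget records the
 * registers instead of entering the kernel.  Gadget set and conventions
 * are assumptions; 125 is the real i386 syscall number of mprotect. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { POP_EAX = 0x8001, POP_ECX, POP_EDX, POP_EBX_POP_EAX,
       SUB_EAX_ECX, SBB_EAX_EAX, AND_EAX_EDX, ADD_EAX_TO_ESP, INT80 };

typedef struct {
    uint32_t eax, ebx, ecx, edx;
    int cf;                     /* carry flag */
    uint32_t stack[32];         /* attacker-controlled stack, in 4-byte words */
    int esp;                    /* word index of the next return address */
    uint32_t sys_eax, sys_ebx, sys_ecx, sys_edx;   /* recorded by INT80 */
} Machine;

static uint32_t pop(Machine *m) { return m->stack[m->esp++]; }

/* Run the chain from stack word 0 until the syscall gadget executes.
 * Returns 0 on a clean stop, -1 when control reaches a non-gadget word. */
int run(Machine *m)
{
    m->esp = 0;
    for (int steps = 0; steps < 64; steps++) {
        uint32_t pc = pop(m);                    /* the ret of the previous gadget */
        switch (pc) {
        case POP_EAX:         m->eax = pop(m); break;
        case POP_ECX:         m->ecx = pop(m); break;
        case POP_EDX:         m->edx = pop(m); break;
        case POP_EBX_POP_EAX: m->ebx = pop(m); m->eax = pop(m); break;   /* clobbers eax */
        case SUB_EAX_ECX:     m->cf = m->eax < m->ecx; m->eax -= m->ecx; break;
        case SBB_EAX_EAX:     m->eax = m->cf ? 0xffffffffu : 0; break;   /* eax - eax - CF */
        case AND_EAX_EDX:     m->eax &= m->edx; break;
        case ADD_EAX_TO_ESP:  m->esp += (int)(m->eax / 4); break;         /* add %eax,%esp */
        case INT80:
            m->sys_eax = m->eax; m->sys_ebx = m->ebx;
            m->sys_ecx = m->ecx; m->sys_edx = m->edx;
            return 0;
        default:
            return -1;
        }
    }
    return -1;
}

/* Three-step conditional branch: exit(1) if a < b (unsigned), else exit(0).
 * Returns the ebx the simulated exit syscall received. */
uint32_t branch_chain(uint32_t a, uint32_t b)
{
    Machine m = {0};
    const uint32_t chain[] = {
        POP_EAX, a, POP_ECX, b,
        SUB_EAX_ECX,                 /* 1. CF = (a < b) */
        SBB_EAX_EAX,                 /* 2. eax = CF ? 0xffffffff : 0 */
        POP_EDX, 16, AND_EAX_EDX,    /*    eax = CF ? 16 : 0 (byte size of the fall-through path) */
        ADD_EAX_TO_ESP,              /* 3. esp += eax; the ret then pops from there */
        POP_EBX_POP_EAX, 0, 1, INT80,   /* not taken: 4 words, exit(0) */
        POP_EBX_POP_EAX, 1, 1, INT80,   /* taken: 16 bytes further, exit(1) */
    };
    memcpy(m.stack, chain, sizeof chain);
    return run(&m) == 0 ? m.sys_ebx : 0xdeadbeef;
}

/* The exercise: mprotect(addr, len, PROT_READ|PROT_WRITE|PROT_EXEC).  The
 * only gadget that loads ebx also pops eax, so the syscall number goes
 * through that gadget (or a later one), never before it.  Returns 1 when
 * the simulated syscall received the intended registers. */
int mprotect_chain(void)
{
    Machine m = {0};
    const uint32_t chain[] = {
        POP_ECX, 0x1000,                        /* len (placeholder) */
        POP_EDX, 7,                             /* PROT_READ|PROT_WRITE|PROT_EXEC */
        POP_EBX_POP_EAX, 0xbffde000u, 125,      /* addr (placeholder), then eax = __NR_mprotect */
        INT80,
    };
    memcpy(m.stack, chain, sizeof chain);
    return run(&m) == 0 && m.sys_eax == 125 && m.sys_ebx == 0xbffde000u
        && m.sys_ecx == 0x1000 && m.sys_edx == 7;
}

/* The same values with eax loaded first: the ebx gadget then pops the next
 * gadget address into eax and "returns" into 0x1000, i.e. the chain crashes. */
int mprotect_chain_wrong_order(void)
{
    Machine m = {0};
    const uint32_t chain[] = { POP_EAX, 125, POP_EBX_POP_EAX, 0xbffde000u,
                               POP_ECX, 0x1000, POP_EDX, 7, INT80 };
    memcpy(m.stack, chain, sizeof chain);
    return run(&m);
}

int main(void)
{
    printf("branch(3,5)=%u branch(5,3)=%u\n", branch_chain(3, 5), branch_chain(5, 3));
    printf("mprotect chain ok=%d, wrong order=%d\n", mprotect_chain(), mprotect_chain_wrong_order());
    return 0;
}
```

The branch chain is the slide's three steps in order: sub sets CF, sbb %eax,%eax turns CF into all-ones or zero, the and masks it to the distance, and add %eax,%esp followed by ret lands on either path. The wrong-order mprotect chain shows the planning puzzle: once pop %ebx; pop %eax; ret has consumed the word after the address as eax, the next word on the stack is data rather than a gadget, and the simulated process crashes.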
