μRAI: Securing Embedded Systems with Return Address Integrity. Naif Saleh Almakhdhub, Abraham A. Clements, Saurabh Bagchi, Mathias Payer. PowerPoint presentation (slide transcript).

  1. μRAI: Securing Embedded Systems with Return Address Integrity
  Naif Saleh Almakhdhub (1,4), Abraham A. Clements (3), Saurabh Bagchi (1), Mathias Payer (2); affiliations 1–4 are shown as logos on the slide.
  Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

  2. Current State of Security [1] [2] [3]
  • Target: embedded and IoT devices running microcontroller systems (MCUS)
  • Attack: control-flow hijacking
  [1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
  [2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/
  [3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical

  3. MCUS Challenges
  Desktop vs. MCUS (the slide draws both memory layouts: a desktop process with code, data, heap and stack spread across a large virtual address space; an MCU with code in flash and data, heap and stack in a small RAM):
  • Memory: desktop ✓ large virtual memory (GBs); MCUS ✗ small physical memory (MBs of flash, KBs of RAM)
  • Basic defenses (e.g., ASLR): desktop ✓; MCUS ✗
  • Code size: desktop has larger code; MCUS ✓ smaller code
  • DEP: desktop ✓; MCUS ✗ (disabled, but fixable)

  4. MCUS Defenses for Return Addresses (Conceptual)
  The slide plots defense approaches on two axes: security guarantee (limited security guarantees → usage integrity → location integrity → return address integrity) against runtime overhead (high runtime overhead at the top, with a 10% line), split into "special hardware required" and "without extra hardware".
  • Approaches plotted: Safe Stack, Shadow Stack + MPU, Shadow Stack + TEE, Software-Fault Isolation, Randomized CFI, μRAI
  • μRAI: return address integrity + low runtime overhead + no special hardware

  5. MCUS Defenses for Return Addresses (Related Work)
  The same chart as the conceptual slide (security guarantee from limited security guarantees through usage integrity and location integrity to return address integrity; runtime overhead with a 10% line; special hardware required vs. without extra hardware), populated with prior work:
  • CaRE (shadow stack) [RAID17], RECFISH [ECRTS19], ACES [SEC18], LR² [NDSS16], SCFP [EuroS&P18], Minion [NDSS18], EPOXY (SafeStack) [S&P17], C-FLAT [CCS16], μArmor [EuroS&P19], uXOM [SEC19], Symbiote [RAID11], LiteHAX [ICCAD18]
  • μRAI: return address integrity + low runtime overhead + no special hardware

  6. Return Address Integrity (RAI)
  • Every attack requires corrupting a return address by overwriting it
  • Main limitation of existing defenses → return addresses are in writable memory (example: information hiding)
  • Key solution is to prevent an attacker from corrupting return addresses
  RAI property:
  1. Ensure the return address is never writable except by an authorized instruction
  2. Return addresses are never pushed to the stack or any writable memory where an adversary could reach them

  7. Threat Model & μRAI Protection
  Adversary:
  • Reads from memory
  • Writes to memory
  • Knows the code layout
  • Targets backward edges
  The slide contrasts a normal application with a μRAI-protected one. Both have an unprivileged call graph (main, Func1 … Func7) and privileged components (MPU, VTOR, memory-mapped I/O). In the normal application the attacker corrupts a return address, or corrupts sensitive Memory Mapped IO (MMIO); under μRAI the return addresses are replaced by the state register encoding and the functions callable within an exception handler run under software-fault isolation (SFI).
  Legend: normal function; callable within exception handler; MMIO; state register encoding; Software-Fault Isolation (SFI).

  8. μRAI: Overview
  1. Enforces the RAI property: a state register plus a read-and-execute-only jump table (Jump return_location1, Jump return_location2, …) reached through a relative jump-target lookup routine
  2. Protects exception handlers: exception handler software-fault isolation and privileged execution
  3. Low runtime overhead


  10. μRAI and the State Register
  • State Register (SR):
    • Can be any general-purpose register → used exclusively by μRAI
    • Never spilled → cannot be overwritten through a memory corruption
    • Does not contain a return address → holds encoded values used to resolve the return location
  • Example call graph: main → Func1 → Func2 (each edge is a call)
    • Func2 reads the SR to resolve the correct return location
  • How is the SR encoded? With an XOR chain

  11. μRAI: Terminology
  Running example used on slides 11–18. The SR has two fields, SR[Recursive] and SR[Encoded] (written SR[Enc]); on entry to Func1 they hold 0 and C. Func1 calls Func2 from two call sites:
    <Func1>:
      ...
      SR[Enc] = SR[Enc] ⊕ key1     ; encode before the first call
      Call Func2
    Func1_1:                        ; return location of the first call
      SR[Enc] = SR[Enc] ⊕ key1     ; decode after the return
      ...
      SR[Enc] = SR[Enc] ⊕ key2     ; encode before the second call
      Call Func2
    Func1_2:                        ; return location of the second call
      SR[Enc] = SR[Enc] ⊕ key2     ; decode after the return
      ...
  • Function Keys (FKs): hard-coded keys (key1, key2 above) used to encode the SR

  12. μRAI: Terminology
  Lookup tables for the example, consulted on return by reading the SR:
    Func1                                     Func2
    Function ID (FID)  Return target          Function ID (FID)  Return target
    C                  Jump return_location1  C ⊕ key1           Jump Func1_1
    ELSE               Jump ERROR             C ⊕ key2           Jump Func1_2
                                              ELSE               Jump ERROR
  • Function IDs (FIDs): the possible values of the SR for the function

  13. μRAI: Terminology
  • Function Lookup Table (FLT): the list of FIDs for the function, each paired with its return target (the tables on slide 12)

  14. μRAI: Transformation
  Walking the slide-11 listing with the slide-12 lookup tables (SR shown as SR[Recursive] / SR[Encoded]):
  • SR = 0 / C. Func1 encodes the SR (SR[Enc] = C ⊕ key1) and calls Func2

  15. μRAI: Transformation
  • SR = 0 / C ⊕ key1. Func2 reads the SR, finds FID C ⊕ key1 in its lookup table, and executes the corresponding direct jump (Jump Func1_1)

  16. μRAI: Transformation
  • SR = 0 / C ⊕ key1. Func2 returns correctly to Func1_1, where the SR is decoded (SR[Enc] = SR[Enc] ⊕ key1)

  17. μRAI: Transformation
  • SR = 0 / C. The previous SR value is restored

  18. μRAI: Transformation
  • The same happens for the other call (key2, return location Func1_2). Func1 can then return correctly: its lookup table maps FID C to Jump return_location1
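An added example, not code from the slides or from the μRAI authors: a Python model of the scheme on slides 6 and 10–18. A static pass walks a call graph, computes the FIDs each function can be entered with by XOR-chaining per-call-site keys, builds each function's FLT and rejects key choices under which two call sites of one function would share an FID; a runtime pass then executes the program, resolving every return from the state register through the FLT and never from the writable stack, so overwriting the saved return address changes nothing. The keys, the entry value C, the sample programs and the names build_flts, run, resolve_return and has_collision are assumptions of this model; it does not model the SR[Recursive] field (the call graph is assumed acyclic) or the exception-handler isolation.

```python
# Added example (not the authors' code): a model of μRAI's state-register (SR)
# encoding, FID/FLT construction and FLT-based return.
# Keys, entry value and sample programs are constructed and hypothetical.

ERROR = "ERROR"
ENTRY_FID = 0xC                     # initial SR[Encoded] value, the "C" on the slides
KEY0, KEY1, KEY2 = 0x3, 0x5, 0xA    # hypothetical function keys (small for readability)

# A program maps a function name to its instruction list. Each instruction is
#   ("call", callee, key)  an instrumented call site: SR ^= key before the call and
#                          SR ^= key again at the return location after it
#   ("ret",)               an instrumented return, resolved through the callee's FLT
# The return location of the call at index i of function f is the "address" (f, i + 1).
PROGRAM = {                         # the slides' example: Func1 calls Func2 twice
    "main":  [("call", "Func1", KEY0), ("ret",)],
    "Func1": [("call", "Func2", KEY1), ("call", "Func2", KEY2), ("ret",)],
    "Func2": [("ret",)],
}

COLLIDING = {                       # bad keys: both paths reach X with C ^ 1 ^ 2 == C ^ 2 ^ 1
    "main": [("call", "A", 0x1), ("call", "B", 0x2), ("ret",)],
    "A":    [("call", "X", 0x2), ("ret",)],
    "B":    [("call", "X", 0x1), ("ret",)],
    "X":    [("ret",)],
}


def build_flts(program, entry="main", entry_fid=ENTRY_FID):
    """Static pass: walk the call graph, computing every SR value (FID) a function
    can be entered with, and build its FLT as {FID: return location}.
    Assumes an acyclic call graph; the SR[Recursive] field is not modelled."""
    flt = {f: {} for f in program}
    seen = {(entry, entry_fid)}
    work = [(entry, entry_fid)]
    while work:
        f, sr = work.pop()
        for i, ins in enumerate(program[f]):
            if ins[0] != "call":
                continue
            _, callee, key = ins
            fid = sr ^ key                  # the XOR chain: caller's SR ^ call-site key
            ret_loc = (f, i + 1)
            if flt[callee].get(fid, ret_loc) != ret_loc:
                # Two different call sites would share an FID, so the callee could
                # not tell them apart: the key assignment must be changed.
                raise ValueError(f"FID collision in {callee}: {fid:#x}")
            flt[callee][fid] = ret_loc
            if (callee, fid) not in seen:
                seen.add((callee, fid))
                work.append((callee, fid))
    return flt


def has_collision(program):
    """True if the chosen keys make two call sites of one function indistinguishable."""
    try:
        build_flts(program)
        return False
    except ValueError:
        return True


def resolve_return(flt, func, sr):
    """The FLT dispatch at a return: a direct jump for a known FID, ERROR otherwise."""
    return flt[func].get(sr, ERROR)


def run(program, flt, entry="main", entry_fid=ENTRY_FID, corrupt_stack=False):
    """Execute the model. A conventional return address is still pushed to a
    writable 'stack' so the attacker has something to overwrite; it is never read.
    Returns the (function, SR) pairs observed at each return."""
    sr = entry_fid                  # the reserved, never-spilled state register
    stack = []                      # writable memory under the attacker's control
    trace = []
    f, i = entry, 0
    while True:
        ins = program[f][i]
        if ins[0] == "call":
            _, callee, key = ins
            sr ^= key                                   # encode before the call
            stack.append((f, i + 1))                    # what a normal call would save
            if corrupt_stack:
                stack[-1] = ("attacker_gadget", 0)      # the saved address is overwritten
            f, i = callee, 0
        else:
            trace.append((f, sr))
            if f == entry:
                return trace
            target = resolve_return(flt, f, sr)         # return location from SR, not stack
            if target == ERROR:
                trace.append((f, ERROR))
                return trace
            f, i = target
            sr ^= program[f][i - 1][2]                  # decode at the return location


if __name__ == "__main__":
    tables = build_flts(PROGRAM)
    for name, table in tables.items():
        print(name, {hex(k): v for k, v in table.items()})
    print("corruption ignored:", run(PROGRAM, tables) == run(PROGRAM, tables, corrupt_stack=True))
    print("bad keys detected:", has_collision(COLLIDING))
```

Running the file prints Func2's FLT with the two FIDs C ⊕ KEY0 ⊕ KEY1 and C ⊕ KEY0 ⊕ KEY2, shows the trace is identical with and without the stack overwrite, and reports the colliding key assignment, which is the property the real key selection has to guarantee for every function.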

