CS457 – Introduction to Information Systems Security, Software 4
Elias Athanasopoulos, [email protected]
Elias Athanasopoulos 2
Defending ROP
Randomization
- Address Space Layout Randomization (ASLR)
- Fine-grained Randomization (Smashing the gadgets, Binary Stirring)
Control Flow Integrity (CFI)
Run-time Detection
- Based on H/W features (kBouncer)
CS-457
Control-flow Graph
Direct call of sort()
Indirect call of lt()/gt()
All ret instructions are indirect branches!
Can you spot other indirect branches?
Enforcing CFI (1): Things we don't care about
Direct call of sort()
Direct calls cannot be controlled by the attacker (fixed targets): do nothing!
Enforcing CFI (2): Forward Edges
Indirect call of lt()/gt()
R: the register holding the indirect-call target. Legitimate targets: lt(), gt()
CFI: make sure only legitimate targets are exercised
Attack: redirect R to a gadget
Attach a label to the indirect call: l7
Check the label at the function entry points
Result: R is coupled only with the legitimate targets lt(), gt()
- The call in sort() can only reach lt(), gt()
- lt(), gt() can only be reached by the call in sort()
Implementation Example
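As an added example (not code from the lecture slides), the forward-edge check described above simulated in C: each legitimate target carries a label, the instrumented call site in sort() knows which label it expects, and a comparator pointer redirected to a gadget that does not carry that label is refused before the call happens. struct cfi_target, cfi_call(), LABEL_CMP, LABEL_OTHER and gadget() are names invented for this illustration; in a real implementation the label is a constant emitted in the code bytes at the function entry and the comparison is inlined before the indirect call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the lecture's code: label-based forward-edge CFI
 * simulated in plain C. In the real scheme the label sits in the code bytes
 * at each legitimate target and the check is inlined at the call site; here
 * the label rides in a struct next to the function pointer. */

typedef int (*cmp_fn)(int, int);

struct cfi_target {
    uint32_t label;   /* label ID placed at the function entry point */
    cmp_fn   fn;
};

#define LABEL_CMP   0x00000007u   /* "l7" on the slide: the class of lt()/gt() */
#define LABEL_OTHER 0x00000042u   /* an unrelated equivalence class */

static int lt(int a, int b) { return a < b; }
static int gt(int a, int b) { return a > b; }

/* Code the attacker wants to reach. It is not a legitimate target of the
 * call in sort(), so it does not carry LABEL_CMP. */
static int gadget(int a, int b) { (void)a; (void)b; return 1; }

static const struct cfi_target target_lt     = { LABEL_CMP,   lt     };
static const struct cfi_target target_gt     = { LABEL_CMP,   gt     };
static const struct cfi_target target_gadget = { LABEL_OTHER, gadget };

static int cfi_violations;

/* The instrumented indirect call site. R is the (possibly corrupted) target
 * register; 'expected' is the label attached to this call site. A real
 * implementation aborts on mismatch; here the failure is returned so the
 * outcome can be checked. */
static int cfi_call(uint32_t expected, const struct cfi_target *R, int a, int b)
{
    if (R == NULL || R->label != expected) {
        cfi_violations++;
        return -1;
    }
    return R->fn(a, b);
}

/* Insertion sort that compares through an indirect call; under CFI that call
 * can only reach targets carrying LABEL_CMP. Returns 0 on success, -1 if the
 * CFI check fired (the sort is abandoned at that point). */
int cfi_sort(int *v, size_t n, const struct cfi_target *cmp)
{
    for (size_t i = 1; i < n; i++) {
        for (size_t j = i; j > 0; j--) {
            int r = cfi_call(LABEL_CMP, cmp, v[j], v[j - 1]);
            if (r < 0)
                return -1;
            if (r == 0)
                break;
            int t = v[j]; v[j] = v[j - 1]; v[j - 1] = t;
        }
    }
    return 0;
}

int cfi_violation_count(void) { return cfi_violations; }

int main(void)
{
    int v[] = { 3, 1, 2 };
    printf("sort with lt():   %s\n", cfi_sort(v, 3, &target_lt) == 0 ? "ok" : "CFI violation");
    printf("sort with gt():   %s\n", cfi_sort(v, 3, &target_gt) == 0 ? "ok" : "CFI violation");
    /* the attacker overwrote the comparator pointer with a gadget address */
    printf("sort with gadget: %s\n", cfi_sort(v, 3, &target_gadget) == 0 ? "ok" : "CFI violation");
    return 0;
}
```

The check is deliberately one comparison of a constant: that is what keeps the per-call cost low enough to be practical, and it is also why every target in the same equivalence class (here lt() and gt()) is interchangeable from the attacker's point of view.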
Enforcing CFI (3): Backward Edges
All ret instructions are indirect branches!
Call site: the instruction after a call
(1) Add labels to the call sites
(2) On every ret, check that control returns to a correctly labelled call site
Ideal CFI
Two problems:
1) CFG discovery (especially in legacy apps)
2) Performance of the checks
Coarse-grained (loose) CFI
Two labels only:
1) One ensuring that an indirect call enters a function entry point
2) One ensuring that a ret returns to a call site
Gadgets under coarse-grained CFI
Linking Gadgets under CFI
Exploitation under CFI
Run-time ROP detection (kBouncer)
Last Branch Record (LBR)
- 16 pairs of H/W registers
- Used for debugging
- They store the last branches that occurred
- Can be configured to store only indirect branches
kBouncer
Normal vs ROP
kBouncer Checks
call-ret pairing
- Coarse-grained CFI
Heuristics
- Up to 20 instructions is considered a gadget
- 6 gadgets in a row is considered an attack
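An added example (not kBouncer's code) covering both the coarse-grained CFI slide and the kBouncer checks above: the two tests run over constructed LBR records for a fictional binary. What kBouncer derives by disassembling the process image, whether a landing address is call-preceded and how many instructions separate it from the next indirect branch, is hard-coded here in the constructed code_map table; the thresholds are the slide's (20 instructions, 6 gadgets), and the kBouncer_check(), site_info and scenario_* names are invented for this illustration. Three scenarios show normal execution passing, classic ROP failing the call-ret pairing, and a chain of call-preceded gadgets slipping past the pairing check only to trip the chain-length heuristic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not kBouncer's code: the two checks kBouncer applies to the
 * LBR contents when a sensitive system call is entered, run over constructed
 * LBR records. The per-address facts below are what kBouncer derives by
 * disassembling the process image; here they are made up for a fictional
 * binary. Thresholds follow the slide. */

#define MAX_GADGET_LEN  20   /* up to 20 instructions is considered a gadget */
#define CHAIN_THRESHOLD  6   /* 6 gadgets in a row is considered an attack */

enum br_kind { BR_CALL, BR_RET, BR_JMP };

/* One LBR entry: source, destination, and the kind of branch at 'from'
 * (known by decoding the instruction there). */
struct lbr_entry { uint64_t from, to; enum br_kind kind; };

struct site_info {
    uint64_t addr;
    bool call_preceded;    /* is the instruction just before addr a call? */
    int  insns_to_branch;  /* instructions from addr to the next indirect branch */
};

/* Constructed facts about a fictional binary. */
static const struct site_info code_map[] = {
    { 0x401000, false, 120 },  /* function entry: never call-preceded */
    { 0x401230, true,   80 },  /* the instruction after "call 0x401000" */
    { 0x401500, false, 200 },  /* another function entry */
    { 0x401810, true,   60 },  /* the instruction after "call 0x401500" */
    { 0x402010, false,   3 },  /* classic "pop rdi; ret" gadget, not after a call */
    { 0x402100, true,    4 },  /* call-preceded gadgets: pass the pairing check */
    { 0x402200, true,    2 },
    { 0x402300, true,    5 },
    { 0x402400, true,    7 },
    { 0x402500, true,    3 },
    { 0x402600, true,    6 },
};
#define CODE_MAP_N (sizeof code_map / sizeof code_map[0])

static const struct site_info *lookup(uint64_t addr)
{
    for (size_t i = 0; i < CODE_MAP_N; i++)
        if (code_map[i].addr == addr) return &code_map[i];
    return NULL;
}

/* Entries oldest first. Returns 0 if the record looks benign, 1 if a ret
 * landed on an address that is not call-preceded (the coarse-grained CFI
 * check), 2 if CHAIN_THRESHOLD consecutive short gadgets were seen. */
int kbouncer_check(const struct lbr_entry *lbr, size_t n)
{
    int chain = 0;
    for (size_t i = 0; i < n; i++) {
        const struct site_info *s = lookup(lbr[i].to);
        if (lbr[i].kind == BR_RET && (s == NULL || !s->call_preceded))
            return 1;
        bool short_gadget = s != NULL && s->insns_to_branch <= MAX_GADGET_LEN;
        chain = short_gadget ? chain + 1 : 0;
        if (chain >= CHAIN_THRESHOLD)
            return 2;
    }
    return 0;
}

#define N_OF(a) (sizeof (a) / sizeof (a)[0])

/* Normal execution: calls reach function entries, rets reach call sites. */
int scenario_normal(void)
{
    const struct lbr_entry lbr[] = {
        { 0x401220, 0x401000, BR_CALL }, { 0x401100, 0x401230, BR_RET },
        { 0x401800, 0x401500, BR_CALL }, { 0x401600, 0x401810, BR_RET },
    };
    return kbouncer_check(lbr, N_OF(lbr));
}

/* Classic ROP: a ret goes to a gadget that nothing ever called. */
int scenario_classic_rop(void)
{
    const struct lbr_entry lbr[] = {
        { 0x401100, 0x402010, BR_RET }, { 0x402013, 0x402100, BR_RET },
    };
    return kbouncer_check(lbr, N_OF(lbr));
}

/* Call-preceded gadgets satisfy the pairing check one by one; the chain of
 * short gadgets is what trips the heuristic. */
int scenario_call_preceded_rop(void)
{
    const struct lbr_entry lbr[] = {
        { 0x401100, 0x402100, BR_RET }, { 0x402104, 0x402200, BR_RET },
        { 0x402202, 0x402300, BR_RET }, { 0x402305, 0x402400, BR_RET },
        { 0x402407, 0x402500, BR_RET }, { 0x402503, 0x402600, BR_RET },
    };
    return kbouncer_check(lbr, N_OF(lbr));
}
```

Both checks only see the 16 most recent indirect branches, and only at the moment a system call is made; that window and the two fixed thresholds are exactly the parameters an attacker targets when building a bypass.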
kBouncer Heuristics
Bypassing kBouncer
kBouncer bypass PoC
Other Software Vulnerabilities
- Use-after-free and dangling pointers
- Integer overflows
Use-after-free
P1, P2: two pointers; Object A: the object they both point to
- t0: P1 and P2 point to Object A
- t1: A is freed through P1 and P1 is set to NULL; the slot becomes free space, but P2 still points to it, so it is a dangling pointer
- t2: the attacker allocates space and gets the freed slot back as a New Object
- t3: P2 now points to the New Object!
1) The New Object is of a different type
2) P2->foo() can execute the attacker's code placed in the New Object
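The timeline above as an added, runnable example (not code from the lecture). To keep the outcome deterministic and within defined C behaviour, a tiny slot allocator over a static array stands in for the heap; real allocators recycle a just-freed chunk of the same size class in much the same way, which is what the attacker counts on. struct victim, struct attacker_obj, arena_alloc(), arena_free() and the quarantine knob are invented for this example; the quarantine variant shows that the hijack depends entirely on the allocator handing A's slot back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the lecture's code. A tiny slot allocator over a static
 * array stands in for the heap so the t0..t3 timeline is deterministic and
 * the access through the dangling pointer stays within defined C behaviour.
 * All names here (struct victim, struct attacker_obj, arena_alloc, ...) are
 * invented for the illustration. */

#define SLOT_SIZE 32
#define NSLOTS     4
enum slot_state { SLOT_FREE, SLOT_USED, SLOT_QUARANTINED };
static _Alignas(16) unsigned char arena[NSLOTS][SLOT_SIZE];
static enum slot_state slot[NSLOTS];
static bool quarantine_on_free;   /* mitigation knob: never reuse freed slots */

static void *arena_alloc(size_t sz)
{
    if (sz > SLOT_SIZE) return NULL;
    for (int i = 0; i < NSLOTS; i++)          /* lowest free slot wins, so the */
        if (slot[i] == SLOT_FREE) {           /* slot just freed is reused first */
            slot[i] = SLOT_USED;
            return arena[i];
        }
    return NULL;
}

static void arena_free(void *p)
{
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)arena[i])
            slot[i] = quarantine_on_free ? SLOT_QUARANTINED : SLOT_FREE;
}

/* Object A: a method pointer at offset 0, like a C++ object's vtable slot. */
struct victim {
    int (*foo)(struct victim *);
    int secret;
};
static int victim_foo(struct victim *v) { return v->secret; }

/* The different type the attacker allocates into the same slot: its first
 * bytes are attacker-controlled and overlay victim.foo. */
struct attacker_obj {
    unsigned char controlled[sizeof(void *)];
    unsigned char payload[SLOT_SIZE - sizeof(void *)];
};
static int attacker_code(struct victim *v) { (void)v; return 0xDEAD; }

/* Walks the slide's timeline and returns what P2->foo() produced at t3:
 * 42 if Object A was still in the slot, 0xDEAD if attacker_code ran. */
int uaf_timeline(bool quarantine)
{
    memset(slot, 0, sizeof slot);             /* fresh heap: all SLOT_FREE */
    quarantine_on_free = quarantine;

    /* t0: P1 and P2 point to A */
    struct victim *P1 = arena_alloc(sizeof *P1);
    P1->foo = victim_foo;
    P1->secret = 42;
    struct victim *P2 = P1;

    /* t1: A is freed through P1 and P1 is cleared; P2 is now dangling */
    arena_free(P1);
    P1 = NULL;

    /* t2: the attacker allocates an object of the same size; without a
     * quarantine it lands in A's old slot, with the first word set to the
     * address of the code the attacker wants to run */
    struct attacker_obj *N = arena_alloc(sizeof *N);
    int (*fp)(struct victim *) = attacker_code;
    memcpy(N->controlled, &fp, sizeof fp);
    memset(N->payload, 'A', sizeof N->payload);

    /* t3: P2 still points into A's slot, whatever it holds now */
    int r = P2->foo(P2);

    arena_free(N);
    return r;
}

int main(void)
{
    printf("without quarantine: P2->foo() returned 0x%X\n", uaf_timeline(false));
    printf("with quarantine:    P2->foo() returned %d\n", uaf_timeline(true));
    return 0;
}
```

With reuse enabled the call at t3 lands in attacker_code because the attacker chose the bytes that now sit where A's method pointer was; with freed slots quarantined the stale object is still in place and the dangling call is merely a latent bug, which is why production allocators delay or randomize reuse even though that does not remove the underlying defect.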
Integer Overflows
```c
off_t j, pg_start = /* from user space */;
size_t i, page_count = . . . ;
int num_entries = . . . ;

/* pg_start + page_count is computed in unsigned arithmetic (off_t is
 * converted to the type of size_t) and can wrap around to a small value,
 * so the check passes while j starts outside the valid range */
if (pg_start + page_count > num_entries)
    return -EINVAL;
. . .
for (i = 0, j = pg_start; i < page_count; i++, j++)
    /* write to some address with offset j */;
```
Integer Overflows (fix)

```c
off_t j, pg_start = /* from user space */;
size_t i, page_count = . . . ;
int num_entries = . . . ;

/* a wrapped sum is smaller than pg_start, so the second test catches it */
if ((pg_start + page_count > num_entries) ||
    (pg_start + page_count < pg_start))
    return -EINVAL;
. . .
for (i = 0, j = pg_start; i < page_count; i++, j++)
    /* write to some address with offset j */;
```
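An added example (not the lecture's or the kernel's code) that runs the two checks above on input that makes the addition wrap, and adds a third form using the GCC/Clang builtin __builtin_add_overflow, which goes beyond the slide. int64_t and uint64_t stand in for off_t and size_t so the operand widths, and therefore the wrap, are the same on every LP64 platform; the range_check_* names are invented here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the lecture's or the kernel's code: the range check
 * from the slide in its vulnerable and fixed forms, plus a builtin-based
 * form, run on values that make the addition wrap. int64_t/uint64_t stand
 * in for off_t/size_t so the widths are fixed. */

/* Vulnerable: pg_start is converted to uint64_t for the addition, so a huge
 * (or negative) pg_start plus page_count wraps to a small value. */
int range_check_vulnerable(int64_t pg_start, uint64_t page_count, int num_entries)
{
    if (pg_start + page_count > (uint64_t)num_entries)
        return -EINVAL;
    return 0;
}

/* The slide's fix: a wrapped sum is smaller than the operand it started from. */
int range_check_fixed(int64_t pg_start, uint64_t page_count, int num_entries)
{
    if ((pg_start + page_count > (uint64_t)num_entries) ||
        (pg_start + page_count < (uint64_t)pg_start))
        return -EINVAL;
    return 0;
}

/* The same check with the compiler's overflow builtin (GCC/Clang). The
 * explicit pg_start < 0 test matters: __builtin_add_overflow computes the
 * exact mathematical sum, so -16 + 32 = 16 "fits" and is not reported,
 * whereas the wrap-around test above rejects a negative pg_start implicitly
 * because it compares it as a huge unsigned value. */
int range_check_builtin(int64_t pg_start, uint64_t page_count, int num_entries)
{
    uint64_t end;
    if (pg_start < 0 || num_entries < 0 ||
        __builtin_add_overflow(pg_start, page_count, &end) ||
        end > (uint64_t)num_entries)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed input: as a signed offset pg_start is -16; as the unsigned
     * operand of the addition it is 0xFFFFFFFFFFFFFFF0, and -16 + 32 wraps
     * to 16, which is below num_entries. */
    int64_t pg_start = -16;
    uint64_t page_count = 32;
    int num_entries = 64;
    printf("vulnerable: %d  fixed: %d  builtin: %d\n",
           range_check_vulnerable(pg_start, page_count, num_entries),
           range_check_fixed(pg_start, page_count, num_entries),
           range_check_builtin(pg_start, page_count, num_entries));
    return 0;
}
```

The vulnerable check accepts the wrapped input, so the loop would start writing at offset -16; both hardened forms reject it, and the builtin form also rejects a page_count large enough to wrap a positive pg_start, which the slide's fix catches through the same `sum < pg_start` comparison.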