Defeat userland exploits on Linux -...

Memory protectionsGlibc and GCC security patches

Conclusion

Defeat userland exploits on Linux

Arnaud Maillet (arnaud.maillet@ensimag.fr)

SecurIMAG - the Ensimag IT security clubENSIMAG - Computer Science and Mathematics

Grenoble INP University

SecurIMAG talks, September 2011

Arnaud Maillet SecurIMAG - Defeat userland exploits on Linux

Conclusion

Outline

1 Memory protectionsNon-eXecutable MemoryFull RELROPIE

2 Glibc and GCC security patchesCanaryFortify sourceHeap protector

Conclusion

Non-eXecutable MemoryFull RELROPIE

Outline

Conclusion

Non-eXecutable Memory

Reminder : Stack Overflow

Conclusion

Stack Overflow basic exploitation technics, firstly introduced byAleph1 in 1996 ( Smashing the stack for fun and profit )

Shellcode on the stack ( environment variables, stackbuffer )

Shellcode on the heap

Shellcode everywhere

Prerequisites : these sections should be eXecutable!

Conclusion

Most modern CPUs protect against executing non-executablememory regions (heap, stack, etc).

Hardware-based (via PAE mode) :

Partial Emulation (via segment limits):

Conclusion

Non-Executable Memory and recent kernel :

Conclusion

Example : 19-another-smallbug PCTF ( IDA Pseudo-code )

Conclusion

ROP : mmap an rwx area, copy a shellcode and jump ( StalkR’sexploit )

Conclusion

Outline

Conclusion

Full RELRO

Full RELRO is a generic mitigation technique to avoidGOT-overwrite-style memory corruption attacks.

compiler command line: gcc -Wl,-z,relro,-z,now

the entire Global Offset Table is (re)mapped as read-only

avoid format string and 4-byte write attacks

With partial RELRO, the GOT is not read-only.

Conclusion

Full RELRO

Reminder: understand the Global Offset Table with an example

Conclusion

Full RELRO

Display the GOT of our program :

Conclusion

Full RELRO

Full RELRO running processes on Ubuntu Maverick 10.10:

No RELRO : 1 processusPartial RELRO : 91 processusFull RELRO : 20 processus

Conclusion

Full RELRO

Full RELRO running processes on Fedora 15:

Conclusion

Full RELRO

Full RELRO running processes on Debian GNU/Linux 6.0Squeeze:

Conclusion

Full RELRO

Training : GOT-overwrite-style memory corruption attacks

Ivanlef0u’s challenge AMENRAChallenge 6 : format string / no ASLR / stack +x / partialRELRO

Challenge 7 : format string / partial ASLR / stack +x /partial RELRO

Challenge 8 : format string / partial ASLR / stack -x / partialRELRO

Conclusion

Outline

Conclusion

Position Independent Executables :

gcc command line : -pie

protects against ”return-to-text” ( ROP )

large (5-10%) performance penalty

often used for a select number of security-critical packages( openssh, apache, bind9, openldap, postfix, cup,postgresql, samba, dhcp3, squid ... )

Conclusion

In real life :

Ubuntu Desktop 10.10: 23% of running processes arecompiled with PIE

Fedora 15 : 50% of running processes are compiled withPIE

Debian Squeeze (6.0) : 35% of running processes arecompiled with PIE

Conclusion

CanaryFortify sourceHeap protector

Outline

Conclusion

Canary

Firstly introduced in Stack-Smashing Protector (SSP)

GCC patch, command line : -fstack-protector-all

reordering of local variables to place buffers after pointersto avoid the corruption of pointers

random canary to prevent EIP overwrite

Conclusion

Canary

Stack-Smashing Protector (SSP)

Conclusion

Canary

Assembly Canary Code

Conclusion

Canary

Exploiting canaries remotely in network daemon ( AdamZabrocki aka pi3 ) :

Childs and the mother share the same canary.

Conclusion

Canary

In this configuration it’s possible to find the canary with lessthan 1024 tests :

Conclusion

Canary

A stupid brute force would lead to 232 combinations(4294967296 combinations) :

Conclusion

Canary

In real life :

Ubuntu Desktop 10.10: 75% of running processes have acanary

Ubuntu Server 10.04: 85% of running processes have acanary

Fedora 15 : 95% of running processes have a canary

Debian Squeeze (6.0) : 20% of running processes have acanary

Conclusion

Outline

Conclusion

Build your programs with ”-D FORTIFY SOURCE=2”

expand unbounded calls to ”sprintf”, ”strcpy” into their ”n”length-limited cousins.stop format string ”%n” attacks when the format string is ina writable memory segment.require checking various important function return codesand arguments (e.g. system, write, open).require explicit file mask when creating new files.

Conclusion

Bypass FORTIFY SOURCE using Format strings

Captain Planet - A Eulogy of Format strings

Uncommon format string : ”%49150u %4849$hn%1$*269158540$x %1$*13996$x %1073741824$d”4-byte NULL write to disable FORTIFY SOURCE :

args type[ ATTACKER OFFSET ] = 0x00000000;

Conclusion

Memory leak in FORTIFY SOURCE

Dan Rosenberg - Fun with FORTIFY SOURCE

An overflow attempt can engender a sensitive memory leak.

Conclusion

Memory leak in FORTIFY SOURCE

A crafted argv[0] is used to read the application’s addressspace

Conclusion

FORTIFY SOURCE in Linux

Integration of FORTIFY SOURCE :

Ubuntu :

Debian Lenny ( 2009 ) - Several security-critical packagesFedora 8 ( 2007 ) - The author of this feature is a redhatdeveloper

Conclusion

Outline

Conclusion

Glibc security checks

Since glibc 2.3.4, ptmalloc2/3 provides different securitychecks:

The ”unlink” patch :

Conclusion

Glibc security checks

The House of Lore patch:

Technics introduced by blackngel require considerable efforts

Conclusion

Protect your heap from heap overflow.

Allocator security designed :

Jemalloc on FreeBSD

Guard Malloc for Mac OS X

DistriNet memory allocator

OpenBSD malloc

Conclusion

Today, userland exploitation on Linux has become much moredifficult than 15 years ago.

That’s why, concepts like ret2libc, ROP, GOT-overwrite-stylememory corruption attacks have been developed.

Under certain conditions it is possible to bypass one or twoprotection(s), but it becomes almost impossible with all theprotections.

Appendix Bibliography

Bibliography I

Aleph. OneSmashing the stack for fun and profitPhrack #49 http://www.phrack.org

blackngel.Malloc Des-MaleficarumPhrack #66 http://www.phrack.org

blackngel.The House Of Lore Reloaded ptmalloc v2 & v3: Analysis &CorruptionPhrack #67 http://www.phrack.org

Bibliography II

Adam. ZabrockiScraps of notes on remote stack overflow exploitationPhrack #67 http://www.phrack.org

Wolfram. Gloger.ptmalloc2 & ptmalloc3 homepage.http://www.malloc.de/en/

Yves. Younan.dnmalloc homepage.http://www.fort-knox.org/taxonomy/term/3

Bibliography III

Jakub. Jelinek.Fortify Source patch.http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

Captain. Planet.A eulogy of format stringPhrack #67 http://www.phrack.org

Dan. Rosenberg.Fun with FORTIFY SOURCEhttp://drosenbe.blogspot.com/2010/04/fun-with-fortifysource.html

Bibliography IV

Canonical. Ubuntu.Ubuntu Security Featureshttps://wiki.ubuntu.com/Security/Features

Debian. Security DevelopersDebian Hardeninghttp://wiki.debian.org/Hardening

Fedora. Security DevelopersFedora Security Featureshttp://fedoraproject.org/wiki/Security/Features

Bibliography V

Checksec. Trapkitchecksec.shhttp://tk-blog.blogspot.com/2009/02/checksec.html

blog. StalkR19 - Another small bug - PCTFhttp://blog.stalkr.net/2011/04/pctf-2011-19-another-small-bug.html

Emilien. GiraultComprendre le role des sections PLT et GOT dans l’editionde liens dynamiquehttp://www.segmentationfault.fr/linux/role-plt-got-ld-so/

Bibliography VI

Relro. TrapkitRELRO - A (not so well known) Memory CorruptionMitigation Techniquehttp://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

blog. xorlLinux GLibC Stack Canary Valueshttp://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/

Defeat userland exploits on Linux -...

Documents

Userland - Hisham · Userland Hisham Muhammad creating an integrated dataﬂow environment for end-users h@hisham.hm @hisham_hm LIVE 2019 - Athens, Greece

Userland Hooking in Windows

p62 0x0c Win32 Portable Userland Rootkit by Kdm

The State of Linux Containers...SERVICE Userland (OS) KERNEL KERNEL Userland (OS) Userland (OS) Userland (OS) SERVICE SERVICE SERVER HOST KERNEL SERVICE SERVICE SERVICE Traditional

LinuxIdentity magazine - Ubuntu 10.10 Maverick Meerkat

PIONEER, Delhi, 10.10

Porting dummyet to Linux and Windows (and userland)info.iet.unipi.it/~luigi/doc/20100514-bsdcan10port.pdfPorting dummyet to Linux and Windows (and userland) ... (e.g. C99 initializers

Marketing maverick

Example 10.10

Maverick 1974

Maverick corporate

10.10 - Composite Bridges

Ubuntu 10.10 Maverick Meerkat

Miniature ground temperature data logger measurements 2000 ... · 1 10.10 09.10 2663 coarse blocks 2 10.10 09.10 2668 coarse blocks 3 10.10 09.10 2650 coarse blocks 4 10.10 09.10

Service & Parts Manual · Service & Parts Manual Convotherm Combination Oven-Steamer MODELS: Electric 10.10 and 6.20 OEB-10.10 OES-10.10 OEB-6.20 …

Porting dummyet to Linux and Windows (and userland) dummyet to Linux and Windows (and userland) ... (e.g. C99 initializers in MSVC). ... Porting dummyet to Linux and Windows (and userland)

LCA14: LCA14-417: mmap, allocators & sharing buffers: userland perspective

Maverick plaquette

Maverick cata

Starz 10.10 1215pm