Diversity Algorithms for Worrisome Software and Networks (DAWSON). James Just, Nathan Li, Mark Cornwell Global InfoTek, Inc. Jeff Rowe, Tufan Demir UC Davis R. Sekar SUNY Stony Brook 15 December 2005. DAWSON Overview. Explores Biologically Inspired Diversity - PowerPoint PPT Presentation
[Slide template graphic, repeated on every slide: "OS Depth" (USER.EXE, USER.DLL, SYSTEM.DLL, SYSTEM.SYS) against "Attack Depth" (Exploit, Payload), with Defense Techniques: Randomize Stack Base and Allocation, Randomize Heap Base and Allocation, Rebase DLL, Randomize Code Location, Non-Bypassability, Address Resolution]
Diversity Algorithms for Worrisome Software and Networks
(DAWSON)
James Just, Nathan Li, Mark Cornwell
Global InfoTek, Inc.
Jeff Rowe, Tufan Demir
UC Davis
R. Sekar
SUNY Stony Brook
15 December 2005
DAWSON Overview
• Explores Biologically Inspired Diversity
• Automatically generates a large number of program variants
  – Variants differ in terms of memory layout
• Targets memory errors such as buffer overflows
• Implemented on Microsoft Windows
Agenda
• Introduction
• Development Update
• Testing Update
• Analytic Update
• Conclusions
Diversity System Functional Architecture
[Diagram labels: Original Program; Optional Annotation File; Modified PE File, Loader & System Calls; PRNG*; Translation; Wrapper; User Inputs; Other System Resources; Transformed In-memory program; Attacker (memory error exploits)]
• Modifications transform original stored program
• Normal user inputs work
• Some attacks fail because vulnerability is not at assumed address
• Other attacks fail because injected commands are wrong
*Pseudo-Random Number Generator
Address randomization does not remove vulnerability but makes effect of attack unpredictable
Multi-Layer Defense Strategy
Layer 1 - Prevent Remote Exploit of Memory Errors
Layer 2 - Prevent Injected Code from Properly Executing
Layer 3 - Prevent Bypass of Layer 2
Characterizing DAWSON’s Multi-Layer Defenses
[Diagram labels: USER.EXE, USER.DLL, SYS.DLL, SYS.SYS; STACK, HEAP; Writable memory, Executable memory, Kernel memory; Exploit, Payload; Layer 1, Layer 2, Layer 3; Randomize base of main and thread stack; Randomize heap base; Randomize heap allocs; Rebase DLL; Randomize Code Location; IAT Permutation; PEB/SEH Masking*; Non-Bypass-ability*]
Development Update
DAWSON Development Phases
• Phase 1: First 6 months
  – Diversity approaches
  – Code transformation techniques
• Phase 2: Second 6 months
  – Windows randomization integration
  – Application protection
• Phase 3: Third 6 months
  – Host protection
  – Performance and memory efficiency
  – Extensive tests
DAWSON on a Host
[Diagram labels: Randomized User Address Space; Randomization and Protection Layer; OS: User address space layout creator; Local Host Randomization Configuration; Messages; Remote Monitor & Controller (e.g., Blackboard)]
DAWSON Changes (Since July '05)
• Primary Stack Randomization
  – Native API Augmentation
  – Coming – Kernel driver integration
• System DLLs Base Randomization (Rebasing)
  – Kernel Mode Driver
• PEB/SEH protection
  – Debugging API
• 6 New Exploits
• Extensive Testing
  – Test in small
  – Test in large
  – Red team exercise
DLL Rebasing Issues
• Rebasing system DLLs like ntdll and kernel32
  – Solution: use kernel-mode driver to rebase at boot-time
• Cost vs. Benefit
  – Significant benefits: can break exploit and payload
  – Costs:
    • Performance impact to relocate code
    • Memory impact due to reduced sharing across processes
  – Options:
    • Baseline: Rebase and Share
      – shared, but introduces common vulnerabilities across all apps
    • Rebase on First Use
    • Rebase on Request
      – Configurable via registry settings
DAWSON Second Layer
• Payload Execution Prevention
  – IAT permutation (Done prior to July PI meeting)
    • IAT used to look up addresses of functions in DLLs
    • By permuting the order of IAT entries, attack code will access the wrong function
  – PEB/SEH Protection (New)
    • PEB is a data structure with the addresses of common API functions
    • PEB is memory protected; accessing PEB raises an exception
    • Exception handler checks location of caller; if it is outside the program boundary, access is denied.
Rebasing Executables using Exception Handler
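[Diagram labels: original image with .text, stack and IAT, with references numbered 1, 2, 3; rebased image with .text and IAT, with the same numbered references and an Address Map; Exception Handler with Address Map]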
Limitations
Where Absolute Address Randomization Fails
• Non-pointer attacks
  – Overflow a buffer to corrupt nearby non-pointer data, e.g., string used as argument of execve
  – Relies on the ability to find security-critical data next to vulnerable buffers: Not very easy.
• Attacks that can extract “randomization key”
  – “Information leakage attacks”
  – Relies on a vulnerability that sends back pointer values in a response to a request
• Vulnerabilities shared by many other defenses
  – StackGuard, StackGhost, PointGuard and some ISR implementations
Repetitive attacks
• Double-pointer attack
  – AAR provides only limited protection
• Guessing attacks
  – Require of the order of 15K attempts
• Solutions
  – Layer 2 defenses
  – Automated response:
    • Filtering based on automatically generated signature is a promising approach to address these
    • [Liang et al ’05] generate successful signatures to reliably block 10 of 11 attacks in their test suite.
    • Less than 10% performance overheads, no false positives.
Expected Attack Attempts for Conventional Attacks
Attack Name | Effect 1 | Effect 2 | Expected attack attempts
Stack-smash | | Injected code | 500K to 5M
Base ptr attack | Write using corrupted ptr | Injected code | 500K to 5M or more
Return-to-libc | | Existing code | 15K
Format string | Write using corrupted ptr | Injected code | 15K
Heap overflow | Write using corrupted ptr | Injected code | 15K
Integer overflow (1) | Write using corrupted ptr | Injected code | 15K
Integer overflow (2) | | Injected code | 15K
Testing Update
Implementation Status
• Kernel Driver: System DLLs randomization
• Layer 1:
  – 2-Level Stack Randomization, including primary stack
  – 2-level Heap Randomization
  – Application DLLs randomization
  – EXE randomization when .reloc is available (included in synthetic vulnerable server)
• Layer 2:
  – IAT permute and library name erase integrated
  – SEH/PEB protection developed, NOT integrated
• Layer 3: Not integrated
Testing Changes (Since July 05)
• Extended Benchmark Vulnerable Service to incorporate 15 vulnerabilities.
  – Extended Attack Corpus to 15 corresponding attacks packaged in Metasploit.
• Extensive internal testing
  – Performed testing on Emulab to observe contributions of individual randomizations.
  – Automated testing on small scale 3-node in-house testbed and used results to refine/debug randomization software.
  – Built an iterative test to restart VulnSrv to support testing of brute force attacks.
• Conducted Red Team Experiment in November.
DAWSON Testing Platform
[Diagram labels: Metasploit Attack Center; Attack String; Vulnerable Service with Listening Thread (shown four times); Monitoring]
Key Test Characteristics
• Vulnerabilities
  – Stack buffer Overflow
  – Format String
  – Integer Overflow
  – Heap Overflow
  – A function may have combinations of the vulnerabilities
• Payloads:
  – Injected Code
  – Existing Code
  – Existing Program
Test Demo
2 Dec 2005 12:12PM Kmd+1111 w/ConflResolv1201
Randomization blocks most attacks from the test corpus.
All randomizations turned on.
Single Kernel Randomization.
Processes re-randomize every process start.
Comparative Results
Overall Layer 1 Effectiveness
[Bar chart: penetration rate (0% to 100%) per benchmark attack: stackov_abs, stackov_esp, stackov_esp_exe, stackov_esp_ntdll, stackov_esp_kernel32, stackov_rtl, stackov_lfp, integerov1, integerov2, fmrstr1, heapov1, heapov2, heapov3, heapov4, heapov5]
Benchmark attacks against unrandomized baseline: avg. penetration rate = 100%
With initial randomization, avg. penetration rate fell to 2.4%
After further engineering effort, avg. penetration rate fell to 0.56%
Test results show DAWSON randomization implementation is growing increasingly effective.
Further to go to approach theoretical limits.
Breakdown of Individual Randomization Effectiveness
Attack | none "0000" | dll-only "1000" | heap-only "0100" | stack-only "0010" | iat-only "0001" | all-but-kmd "1111" || none "0000" | dll "1000" | heap "0100" | stack "0010" | iat "0001" | all "1111"
fmrstr1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
heapov1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
heapov2 | 2 | 0 | 0 | 0 | 2 | 0 || 0 | 0 | 0 | 0 | 0 | 0
heapov3 | 2 | 0 | 0 | 0 | 2 | 0 || 2 | 0 | 0 | 0 | 2 | 0
heapov4 | 2 | 0 | 0 | 0 | 2 | 0 || 0 | 0 | 0 | 0 | 0 | 0
heapov5 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
integerov1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 1 | 2 | 0
integerov2 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
stackov_abs | 2 | 1 | 0 | 0 | 2 | 0 || 2 | 1 | 0 | 0 | 2 | 0
stackov_esp | 2 | 0 | 2 | 0 | 2 | 0 || 0 | 0 | 0 | 0 | 0 | 0
stackov_esp_exe | 2 | 0 | 2 | 0 | 2 | 0 || 0 | 0 | 0 | 0 | 0 | 0
stackov_esp_kernel32 | 2 | 2 | 2 | 2 | 2 | 2 || 0 | 0 | 0 | 0 | 0 | 0
stackov_esp_ntdll | 2 | 2 | 2 | 2 | 2 | 2 || 0 | 0 | 0 | 0 | 0 | 0
stackov_lfp | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
stackov_rtl | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0 | 2 | 2 | 2 | 0
without Kernel Mode Driver (KMD) lilo with Kernel Mode Driver (KMD)
On unprotected system, all baseline attacks succeed
Different randomization techniques are effective against some attack classes and not others.
Most effective when all techniques are used in combination.
Minor Performance Impacts
• Heap transformations cause 5% overhead for apps that are intensive in heap allocations
• Other transformations don’t add recurring cost
  – One-time overhead for relocation adds modestly to the load-time
• Absolute address randomization does not change program locality
  – Most relocations occur at page granularity
  – Relative locations of objects unchanged within a page
Performance Impact
Defense Technology | Disk File Size | Memory Usage | Load Time Increase | Run Time Increase
DLL Base Randomization | None | None | < 1 millisec | None
Stack Randomization | None | None | < 1 millisec | None
Heap Base Randomization | None | None | < 1 millisec | None
Heap Block Randomization | None | Up to 16 bytes per block | None | < 5%
* Data collected on a Pentium 4 1.2GHz CPU with 768MB RAM
Improving the Test Suite
• Further Work
  – Add new exploits focusing on payload execution
  – Testing payload execution protection
• Offer to security community
  – A package to test memory defense technologies
  – Open source vulnerable service with advanced memory errors and exploits (packaged as Metasploit modules)
DAWSON Red Team Exercise
• Layer 1 blocked 15 of 16 attacks (many reps)
  – Red team identified a new “double vulnerability”
  – This unintended combination of a stack-buffer overflow and format-string vulnerabilities made the Red Team exercise a lot more interesting and useful!
• Layer 2 blocked the 16th attack
Attack Outline
• Vulnerable code (simplified):
    void vulnerable(char *attack) {
        char buf1[512], buf2[512];
        strcpy(buf1, attack);
        sprintf(buf2, buf1);
    }
• Attack
  – Guess a writable memory location X
  – Use format-string attack to inject code at X
  – Overflow buf2 to overwrite return address
  – Note: attack impossible if the order of declaration of buf1 and buf2 were interchanged!
• Use brute-force to guess X
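The simplified vulnerable() above next to a hardened counterpart, as an added example that is not from the DAWSON slides or code base. It also shows why bounding only the strcpy is not enough: input that fits buf1 can still expand past buf2 when it is used as the format string. The names fmt_min_expansion, fits_buf1_but_overflows_buf2 and handle_request_hardened are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 512   /* size of buf1 and buf2 on the slide */

/* Lower bound on the characters printf-style formatting would emit if s were
   used as the format string: a literal character or "%%" counts 1, a
   directive counts its field width (0 if none). Precision and '*' widths are
   ignored, so the real output can only be longer. */
size_t fmt_min_expansion(const char *s)
{
    size_t total = 0;
    while (*s) {
        if (*s != '%') { total++; s++; continue; }
        s++;                                          /* skip '%' */
        if (*s == '%') { total++; s++; continue; }    /* literal percent */
        while (*s && strchr("-+ #0", *s)) s++;        /* flags */
        size_t width = 0;
        while (isdigit((unsigned char)*s)) {
            if (width < 100000000u)                   /* avoid wrap-around */
                width = width * 10 + (size_t)(*s - '0');
            s++;
        }
        if (*s == '.') {                              /* precision */
            s++;
            while (isdigit((unsigned char)*s)) s++;
        }
        while (*s && strchr("hlLjzt", *s)) s++;       /* length modifiers */
        if (*s) s++;                                  /* conversion character */
        total += width;
    }
    return total;
}

/* 1 if s passes a length check for buf1 yet sprintf(buf2, s) would write at
   least BUF_SZ characters: the combination the slide describes. */
int fits_buf1_but_overflows_buf2(const char *s)
{
    return strlen(s) < BUF_SZ && fmt_min_expansion(s) >= BUF_SZ;
}

/* Hardened counterpart of vulnerable(). Returns 0 and fills out on success,
   -1 if the request does not fit. The out parameter is an assumption made so
   the result can be inspected. */
int handle_request_hardened(const char *attack, char out[BUF_SZ])
{
    char buf1[BUF_SZ];
    size_t len = 0;

    while (len < BUF_SZ && attack[len] != '\0') len++;
    if (len == BUF_SZ) return -1;        /* bounded copy replaces strcpy() */
    memcpy(buf1, attack, len + 1);

    /* Constant format string: the input is data and is never interpreted. */
    int n = snprintf(out, BUF_SZ, "%s", buf1);
    return (n < 0 || n >= BUF_SZ) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs. */
    const char *samples[] = { "GET /index.html", "%600c", "%229c%hn%229c%hn" };
    char out[BUF_SZ];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = handle_request_hardened(samples[i], out);
        printf("%-18s len=%zu min_expansion=%zu double_vuln=%d hardened=%d\n",
               samples[i], strlen(samples[i]), fmt_min_expansion(samples[i]),
               fits_buf1_but_overflows_buf2(samples[i]), rc);
    }
    return 0;
}
```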
Attack Details: Layer I
MDVULN.dll – vulnerable service code

    DWORD WINAPI FormatStrThread(LPVOID lparameter) {
        char safeBuf[4096];
        /* nRet and peersock are declared elsewhere in the service */
        nRet = recv(peersock, safeBuf, sizeof(safeBuf), 0);
        formatStrAttack(safeBuf, nRet);
        return 0;
    }

    void formatStrAttack(char *sBuffer, int nSize) {
        char buf[512];
        char bufmain[512];
        sprintf(buf, "String : %s", sBuffer);   // (1)
        sprintf(bufmain, buf);                  // (2)
    }                                           // (4)

[Stack diagram labels, High to Low: formatStrThread frame with char[4096] safeBuf ("evil"); formatStrAttack frame with raddr, char[512] bufmain, char[512] buf ("evil"); sprintf frame with Arg5, Arg4, Arg3, Arg2/fmt, Arg1/dest; waddr; some page in memory 0x7ffdxxxx holding JMP ESP; markers (1), (2), (3); 496]

sprintf(void *dest, char *fmt, …) interprets lots of % conversion specs to access stack in flexible ways.
Addresses embedded at start of attack string get interpreted as arguments to sprintf(*dest, *fmt, arg1, arg2, arg3, …).

1) First sprintf copies the attack string from safeBuf into buf.
2) Second sprintf interprets “496c” in format string, overflowing waddr into the return address location.
3) “%229c%hn%229c%hn” manipulates #chars written to write a JMP ESP instruction into 2 bytes at waddr.
4) Return from formatStrAttack branches to waddr and executes JMP ESP instruction. At this time ESP points into expanded format string near bufmain.
5) ESP is manipulated to point to where shell code slid to inside the formatStrThread stack frame.
6) Normal return now branches to waddr where it executes the JMP ESP.
7) ESP location contains shellcode on stack that gains control & bootstraps a DLL injection attack.
Attack Details: Layer II
[Diagram labels: exploit; char[4096] safeBuf; parms; Shellcode]
Metasploit shell code for DLL injection:
1. Uses PEB to look up GetProcAddress and LoadLibrary
2. Loads w32.dll and opens socket connection to call home.
3. Loads the injected DLL payload (hackmark.dll) into memory and tricks Windows into treating it as an ordinary DLL linked & loaded.
4. Transfers execution to the init entry point in the DLL.
DAWSON Layer 2
Catches and stops PEB access since it is made from code executing from the stack.
Estimating number of attempts needed
• Attacker needs to guess a writable memory location X
• Probability of correctly guessing X = fraction of writable memory in address space = 10MB/2GB = 0.005, for an app using 10MB data
• Vulnerable server uses 0.5MB, so probability of success should be about 1/4000
• But Red Team succeeded in 128 attempts! Why?
  – Red Team was varying only the leading 8 bits of address
  – PEB was not relocated, and happened to be located at an address that matched the lower 24-bits used by Red Team
  – Red Team informed by the Blue team of this vulnerability
    • And the possibility of injecting code into PEB
Red Team Attack: Conclusions
• DAWSON robust against attacks that exploit any single vulnerability in vulnerable server
• Randomization is vulnerable to rare combinations of vulnerabilities
• To be effective, all memory regions should be randomized
  – Non-randomization of PEB was the reason for Red Team to succeed in ~100 attempts as opposed to about ~4000
  – Ongoing work with kernel driver will relocate PEB/SEH, thus addressing this weakness
• Multi-layered approach is important
  – Layer 2 was able to defeat the attack even though the attack got through layer 1.
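A randomization audit for the point made in "Estimating number of attempts needed" and in the conclusions above, as an added example that is not part of the DAWSON tooling: it flags any region whose base never changes across launches and reproduces the slides' work-factor figures. The region names, the sample base addresses and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSAMPLES 4
#define NREGIONS 4

struct region {
    const char *name;
    uint32_t base[NSAMPLES];   /* base address seen at each process launch */
};

/* Constructed observations, not measurements from DAWSON. */
static const struct region SAMPLES[NREGIONS] = {
    { "stack", { 0x00a3f000u, 0x01c7f000u, 0x0045f000u, 0x02e1f000u } },
    { "heap",  { 0x00b50000u, 0x01470000u, 0x02d90000u, 0x00e30000u } },
    { "dll",   { 0x6a120000u, 0x5c3e0000u, 0x71880000u, 0x63f40000u } },
    { "peb",   { 0x7ffdf000u, 0x7ffdf000u, 0x7ffdf000u, 0x7ffdf000u } },
};

/* Mask of address bits that differ between any two observed launches. */
uint32_t varying_mask(const uint32_t *bases, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= bases[0] ^ bases[i];
    return mask;
}

/* Number of bits observed to vary (0 means the region never moved). */
unsigned popcount32(uint32_t v)
{
    unsigned c = 0;
    for (; v; v &= v - 1)
        c++;
    return c;
}

/* Index of the first region whose base is identical in every launch, or -1. */
int first_static_region(const struct region *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (varying_mask(r[i].base, NSAMPLES) == 0)
            return (int)i;
    return -1;
}

/* Expected tries when the layout is re-randomized after every failed try:
   each try succeeds independently with probability p. */
double expected_attempts_rerandomized(double p)
{
    return 1.0 / p;
}

/* Expected tries when the target stays put and the candidate values are
   enumerated without repetition. */
double expected_attempts_fixed(uint64_t candidates)
{
    return (double)(candidates + 1) / 2.0;
}

int main(void)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        uint32_t m = varying_mask(SAMPLES[i].base, NSAMPLES);
        printf("%-5s varying mask 0x%08x (%u bits)%s\n", SAMPLES[i].name,
               (unsigned)m, popcount32(m), m ? "" : "  <-- not randomized");
    }

    /* Slide figures: 0.5MB writable out of a 2GB address space. */
    double p = 0.5 / 2048.0;
    printf("all regions randomized: ~%.0f expected attempts\n",
           expected_attempts_rerandomized(p));

    /* Static target, only the leading 8 address bits left to vary. */
    printf("static region, 8 unknown bits: ~%.1f expected attempts\n",
           expected_attempts_fixed(1u << 8));
    return 0;
}
```

With the slide's inputs this gives about 4096 expected attempts when every region moves and 128.5 when a static region leaves only 8 bits to search, in line with the ~4000 and 128 figures above.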
Tech Transition
• Looking at Service IA entrance points, e.g.,
  – CECOM/CERDEC (S&TCD)
  – Navy (NMCI)
  – Air Force
• Initial ideas for commercial sales & support
  – Commercial partner
  – Spin-off
  – Other (GOTS)?
Further Development
• Issues
  – Fixed PEB/TEB base location
  – Exception handler location
  – Initial process heap/CRT heap base randomization
  – Some things not exhaustively covered
    • Process/thread creation, memory allocation
  – Undocumented Native API
    • Occasional communication error with Win32 subsystem
  – Inadequate monitoring and control
• Solutions
  – Kernel mode driver
  – Expanded vulnerabilities and attacks for Layer 2 testing
  – Control and alerting interfaces
• Enterprise capabilities and productization needed
Thank You
Questions?
Backup Slides
Analytic Update
Address Space Randomization (ASR)
• Absolute address randomization
  – Randomize absolute address of an object
  – Distances between objects may not be randomized
• Relative address randomization
  – Randomize distances between objects, even those within the same segment
Attacks on DAWSON
• Exploit phase
  – Defeating randomization
• Payload execution phase
  – Difficulty of successfully executing system functions needed to carry out the attack
  – Comes into play if and when DAWSON exploit protection is defeated
Probability of Successful Attacks
Pr(A) = Pr(V)/[EE(A) * PEE(A)]
• Success probability of attack A exploiting vulnerability V
• EE: “exploit effort”
  – Given by range of randomization of addresses involved in A
• PEE: “payload execution effort”
  – Attempts to successfully execute “attack payload”
• Multiplicative effect
  – requires rerandomization after every failed attack
  – does not apply if attack defeats the same randomization in both layers
Layer 2 Threat Model
• Injected code has begun execution
• Attack needs to invoke system APIs to deliver its payload
• No direct invocation of system calls
  – Supposed to be protected by layer 3 (not implemented for DAWSON)
• Existing code attacks
  – Still requires breaking layer 1 defense to get to exploitable code within application
• We estimate PEE(V) for other types of attacks
Data Attacks
Attack Name | Effect 1 | Effect 2 | Expected attack attempts
[Chen et al] Wu-Ftpd | Write using corrupted pointer | Corrupt data value | 15 to 30K, can possibly be increased by another 4K to 16K times
[Chen et al] NullHttpd | Write using corrupted pointer | Corrupt data value | Same as above
[Chen et al] Telnetd | Write using corrupted pointer | Corrupt data value | Same as above
[Chen et al] GHttpd | Write using corrupted pointer | | Same as above
[Chen et al] Sshd | | Corrupt data value | Need more details.
PE(V) for conventional attacks
• Stack-smashing
  – modify return address to point to injected code on stack
  – Range of possible code addresses is 1GB
  – Can improve success using NOP padding
    • With 1KB padding, PE(V) = 10^-6
• Heap overflow
  – Relies on knowing absolute addresses
  – If target pointer is in static data area, PE(V) = 1GB/64KB = 15K
  – This estimate applies to many other attack types: return-to-libc, format-string,…
Attacks on DAWSON Randomization
• Exploit weaknesses in randomization
  – Attacks that can extract “randomization key”
    • “information leakage attacks”
  – Partial overflow attacks
    • Overflow only the least significant byte of address
  – Double pointer attacks
    • Rely only on finding a writable address in memory
  – All require a combination of vulnerabilities
    • Low likelihood of finding them
• Derandomization (brute-force) attacks
  – Analyzed work factor in the next slides.
  – [Liang et al ’05] approach promises to block these …
    • Automatically learn signatures of memory error exploits and discard subsequent instances of them
    • Shown to be very effective on recent attacks on Linux
Exception Handler Protection – The Numbers
• Program address space is ~2Gb
• Assume a program size of ~200 Mb
• Dummy padding with alert functions and fail-crash code size is ~1.8 Gb
• Attacker has a 1 in 500 Million chance of getting the right DLL address; 90% chance of tripping an alarm per try.
Attack Descriptions
Vulnerability | Attack Name, VulnNum, Port | Exploit Target | Payload Execution
Stack Buffer Overflow | Run_Stackov_abs, VulnNum 100, Port 9100 | Absolute stack address contains return address (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp, VulnNum 110, Port 9110 | Overwrite stack return address with JMP ESP in vulnerable DLL (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_exe, VulnNum 111, Port 9111 | Overwrite stack return address with JMP ESP in EXE (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_ntdll, VulnNum 112, Port 9112 | Overwrite stack return address with JMP ESP in NTDLL (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_Stackov_esp_ws2, VulnNum 113, Port 9113 | Overwrite stack return address with JMP ESP in ws2_32.dll (32 bytes NOP) | Inject buffer
Stack Buffer Overflow | Run_stackov_rtl, VulnNum 120, Port 9120 | Overwrite stack return address with a local function address (32 bytes NOP) | Return to libc type
Stack Buffer Overflow | Run_stackov_lfp, VulnNum 130, Port 9120 | Overwrite a local function pointer that is called later (32 bytes NOP) | Return to libc type
Integer Overflow | Run_integerov1, VulnNum 200, Port 9200 | Integer overflow data array and overwrite neighbor function pointer | Return to libc type
Integer Overflow | Run_integerov2, VulnNum 210, Port 9210 | Integer overflow stack to overwrite exception handler with payload address | Return to libc type
Format string and Stack Buffer Overflow | Run_stackov_fmr, VulnNum 300, Port 9300 | Stack buffer overflow return address using format string function sprintf | Return to libc type
Heap overflow | Run_heapov1, VulnNum 400, Port 9400 | Heap overflow to overwrite a local function pointer | Return to libc type
Heap overflow | Run_heapov2_peb, VulnNum 410, Port 9410 | Heap overflow to overwrite RtlCriticalSection in PEB | cause Call System() to launch an external program
LookAsideList | Run_lookaside1, VulnNum 420, Port 9420 | Heap Lookaside List overflow stack return address with payload function address | Return to libc
LookAsideList | Run_lookaside2, VulnNum 421, Port 9421 | Heap Lookaside List overflow stack return | Return to libc
CriticalSectionList | Run_CSList, VulnNum 430, Port 9430 | Process Heap Critical Section List Overflow to overwrite a local function pointer | Call System() to launch an external program
Composite Results
Attack | none "0000" | dll-only "1000" | heap-only "0100" | stack-only "0010" | iat-only "0001" | all-but-kmd "1111" || with KMD: kmd-only "0000"+K | with KMD: all+kmd "1111"+K
fmrstr1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
heapov1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
heapov2 | 2 | 0 | 0 | 0 | 2 | 0 || 0 | 0
heapov3 | 2 | 0 | 0 | 0 | 2 | 0 || 2 | 0
heapov4 | 2 | 0 | 0 | 0 | 2 | 0 || 0 | 0
heapov5 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
integerov1 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
integerov2 | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
stackov_abs | 2 | 1 | 0 | 0 | 2 | 0 || 2 | 0
stackov_esp | 2 | 0 | 2 | 0 | 2 | 0 || 0 | 0
stackov_esp_exe | 2 | 0 | 2 | 0 | 2 | 0 || 0 | 0
stackov_esp_kernel32 | 2 | 2 | 2 | 2 | 2 | 2 || 0 | 0
stackov_esp_ntdll | 2 | 2 | 2 | 2 | 2 | 2 || 0 | 0
stackov_lfp | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
stackov_rtl | 2 | 0 | 2 | 2 | 2 | 0 || 2 | 0
Results of lilo VulnSrv2 without kernel driver randomization
Emulab + Red Team Demo System Composite
without Kernel Mode Driver (KMD)
DAWSON Testing Notes
December 1, 2005
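Left group: Manual Tests, without Kernel Mode Driver (KMD), none ("0000"). Right group: 3 Node Red Team Testbed, lilo with Kernel Mode Driver (KMD), all ("1111").

| VulnNum | Attack | Trials (manual) | Infected | Blocked | %Blocked | Trials (testbed) | Infected | Blocked | %Blocked |
|---|---|---|---|---|---|---|---|---|---|
| 100 | stackov_abs | 65 | 65 | 0 | 0% | 294 | 0 | 294 | 100% |
| 110 | stackov_esp | 65 | 65 | 0 | 0% | 294 | 14 | 280 | 95% |
| 111 | stackov_esp_exe | 65 | 65 | 0 | 0% | 294 | 0 | 294 | 100% |
| 112 | stackov_esp_ntdll | 65 | 65 | 0 | 0% | 294 | 0 | 294 | 100% |
| 113 | stackov_esp_kernel32 | 65 | 65 | 0 | 0% | 294 | 0 | 250 | 85% |
| 120 | stackov_rtl | 65 | 65 | 0 | 0% | 294 | 15 | 279 | 95% |
| 130 | stackov_lfp | 65 | 65 | 0 | 0% | 293 | 15 | 234 | 80% |
| 200 | integerov1 | 65 | 65 | 0 | 0% | 293 | 15 | 278 | 95% |
| 210 | integerov2 | 65 | 65 | 0 | 0% | 293 | 15 | 278 | 95% |
| 300 | fmrstr1 | 65 | 65 | 0 | 0% | 293 | 15 | 278 | 95% |
| 400 | heapov1 | 65 | 65 | 0 | 0% | 293 | 15 | 278 | 95% |
| 410 | heapov2 | 65 | 65 | 0 | 0% | 293 | 0 | 293 | 100% |
| 420 | heapov3 | 65 | 65 | 0 | 0% | 294 | 0 | 294 | 100% |
| 421 | heapov4 | 65 | 65 | 0 | 0% | 293 | 0 | 293 | 100% |
| 430 | heapov5 | 65 | 65 | 0 | 0% | 293 | 15 | 278 | 95% |

Composite result of 44 manual and 250 semi-automated test runs on fully randomized system.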
65 manual runs on unprotected baseline system
Test run is 15 attacks, one against 15 new process instances
Testing: Scale
Small Scale Tests
Method: Relatively more manual
Scale: Fewer test cases (tens to hundreds), smaller networks (2 or 3 nodes).
Observation: Close – More state available for analysis (can stop and drill down into images at run time – dynamic debugger)
Advantage: ability to stop and analyze causes of unanticipated events, much state data retained and available
Disadvantage: miss phenomena that occur at scale.

Large Scale Tests
Method: Much more Automated
Scale: Many more trials (thousands to millions), larger networks (10’s to 100’s)
Observation: Limited. Less state available – can only inspect what was logged. Logs massive but limited
Advantage: finds effects and problems that occur at larger scales or over longer periods of time.
Disadvantage: limited to data from log records – less complete picture of system state.
Testing
• Testing in the small
– Fewer test cases, but closer observation
– Much system state available – can stop and run debugger to observe even closer.
– When interesting phenomena occur can stop and drill down into system state with debuggers, etc.
• Testing in the large
– Flexible network based testing on Emulab
– Test defenses on larger networks up to 100 nodes.
– Automate a suite of tests
– Provide feedback to developers
– Provide examples on networks of non-trivial size.
– Observe phenomena scale
  • Test on larger networks of up to 100 hosts
  • Use parallelism for more test cases over time
What is Emulab
Project at Univ. of Utah (Jay Lepreau)
Shared network testbed of over 300 hosts
Dynamically imaged and configured for each experiment
Web-interface to remote users
Common resource for researchers
Progenitor of numerous other testbeds
What we have done
• Automated Installation & Configuration of Emulab Images for DAWSON
• Packaged a corpus of attacks in Metasploit
• Added instrumentation to detect marker file dropped by attacker
• Automate attacks on variety of defense configurations to probe effectiveness of individual randomizations.
• Sample test runs:
– 15 attacks x 6 defensive configurations = 90 trials
– Target population of 10 nodes
• Empirical validation of expectations
Examples
• DAWSON Wiki – Main Page
• Overview
• Recent script generated results
• Quick Demo
– RDT
• Show log files
• Show summary chart
Red Team Meeting
• Notes on Nov 7 Meeting with Red Team
– Attack Ideas
• Does vulnSrv2 have way to send data out a port?
– Potentially speed up probing
• Trigger reversion to old DLLs
• Restore original DLLs & convince system these are already randomized
• Some critical data structures not randomized
• Direct system calls – interrupts/svc’s
Baseline Effectiveness
[Chart: percentage per attack, vertical axis 0% to 100%. Attacks on the horizontal axis: stackov_abs, stackov_esp, stackov_esp_exe, stackov_esp_ntdll, stackov_esp_kernel32, stackov_rtl, stackov_lfp, integerov1, integerov2, fmrstr1, heapov1, heapov2, heapov3, heapov4, heapov5.]
Catalyst Experiment Monitor
December 6, 2005
KMD+1111+ConflResolv1201
Called at approx 2:23 pm
Abstract View of Attacks
[Diagram: state space S containing a region G and a region E, with transitions Pg and Pe.]
G: “good” states. Not compromised.
Pg: Programs acting on “good” inputs.
E: “evil” states. Attacker compromised system. Attacker succeeds.
Pe: Program acting on “evil” inputs.

Pg in good states stay in good states. Represents desired behavior.
wp(Pg,G) <= G

Pe describes flaws where certain inputs allow compromise.
G <= wp(Pe,E)

Characterize successful attacks as program inputs e that transition from good states to evil states.
Until we create more nearly perfect programs, flaws in realization of P will continue to exhibit Pe cases
Idealized Effect of Randomizing Transformations
[Diagram: before the Randomizing Transform, state space S with G, E, Pg and Pe; after it, state space S’ with G’, E’, Pg and Pf.]

After the Transformation:
Nearly all good inputs in good states still work: wp(Pg,G’) <= G’
Previously successful attacks no longer work: wp(Pe,G’) <= G’

Pe, Pf: Vulnerability to e randomly remapped to an unknown f

f-attack analogs to old e-attack, where wp(Pf,G’) <= E will appear, but
• f is hard to find for a specific host
• f’s are diverse over the host population
Attack String Construction: Phase I
Callouts on the attack string:
• Offset sprintf destination to the return address on stack
• Address to write 1st byte of JMP ESP instr
• Padding
• Address to write 2nd byte of JMP ESP instr
• Short NOP sled
• jmp esp
• Format string escapes to write the $writeAddr into the return address.
• add esp,7fh (3 times), add esp,5fh
• Point ESP to a clean copy of attackString and jmp into it
• Entry point of our JMP ESP. Fixes up ESP register to prior value
• Falls through into Metasploit shell code for DLL injection.

my $evil = pack ('V', "$writeAddr");
$evil .= "\x41\x41\x41\x41";
$evil .= pack ('V',$writeAddr+1);
$evil .= "%496c";
$evil .= pack ('V',$writeAddr);
$evil .= "\x90\x90\x90\x90"
       . "\x83\xc4\x7f" . "\x83\xc4\x7f" . "\x83\xc4\x7f" . "\x83\xc4\x5f"
       . "\xff\xe4"
       . "%229c%hn%229c%hn"
       . "\x83\xec\x7f" . "\x83\xec\x7f" . "\x83\xec\x7f" . "\x83\xec\x5f";
$evil .= $shellcode;
An Alternative Attack: Phase I
MDVULN.dll – vulnerable service code

void formatStrAttack(char *sBuffer, int nSize) {
    char buf[512];
    char bufmain[512];
    sprintf(buf, "String : %s", sBuffer);   // (1) unbounded copy into buf
    sprintf(bufmain, buf);                  // (2) buf used as the format string
}                                           // (4) return through the overwritten slot

DWORD WINAPI FormatStrThread(LPVOID lparameter) {
    char safeBuf[4096];
    int nRet;
    // peersock is not declared on the slide; it is the connected socket
    nRet = recv(peersock, safeBuf, sizeof(safeBuf), 0);
    formatStrAttack(safeBuf, nRet);
    return 0;
}

1) First sprintf overflows buffer putting a “magic” address MA into the return address slot.
2) Second sprintf interprets the format string poking a JMP ESP instruction into memory at the “magic” address
3) ESP is manipulated to point to start of shell code inside the stack frame.
4) Normal return now branches to MA where it executes the JMP ESP

[Stack diagram labels: formatStrThread frame with char[4096] safeBuf; formatStrAttack frame with char[512] bufmain, char[512] buf and the return slot; Old ESP; MA, a writeable/executable page in memory at 0x7ffdxxxx, holding JMP ESP.]
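A hardened counterpart to the formatStrAttack routine above, as an added example that is not from the DAWSON slides or the VulnSrv2 code: both sprintf calls become bounded snprintf calls, and the received data is only ever passed as an argument, never as the format. The name format_str_safe, its signature, its return codes and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as buf/bufmain on the slide */

/* Hardened counterpart of formatStrAttack(). Name, signature and return
 * codes are assumptions for this example, not DAWSON or VulnSrv2 code.
 * Returns 0 on success, 1 if the output was truncated, -1 on bad arguments. */
int format_str_safe(const char *data, size_t n_size, char *out, size_t out_size)
{
    char buf[BUF_SIZE];
    int prec, w1, w2;

    if (data == NULL || out == NULL || out_size == 0)
        return -1;

    /* Step (1) fixed: snprintf cannot write past buf, and "%.*s" reads at
     * most n_size bytes, so recv() data without a NUL terminator is safe. */
    prec = n_size > sizeof(buf) - 1 ? (int)(sizeof(buf) - 1) : (int)n_size;
    w1 = snprintf(buf, sizeof(buf), "String : %.*s", prec, data);
    if (w1 < 0)
        return -1;

    /* Step (2) fixed: buf is an argument to a constant "%s" format, so any
     * %c / %hn directives it contains are copied, not interpreted. */
    w2 = snprintf(out, out_size, "%s", buf);
    if (w2 < 0)
        return -1;

    /* snprintf returns the length it wanted to write; >= size means cut. */
    return ((size_t)w1 >= sizeof(buf) || (size_t)w2 >= out_size) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a benign line and one carrying format directives. */
    const char *samples[] = { "hello", "%496c%229c%hn" };
    char out[BUF_SIZE];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = format_str_safe(samples[i], strlen(samples[i]), out, sizeof(out));
        printf("rc=%d out=\"%s\"\n", rc, out);
    }
    return 0;
}
```

A return value of 1 is worth logging in a network service, since an oversized request is exactly what step 1) of the slide relies on.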
DAWSON DLL Rebase Design Considerations
• DAWSON DLL Rebase
– Benefits vs Costs
– Functionality vs Flexibility
• DLL Base randomization
– Rebase and Share
– Rebase on Demand
– Rebase on Request
• Local Configuration
• Interface with Blackboard
PEB/SEH Protection: Exception Handlers
• Monitoring for exceptions is done
– From another process
  • Using Win32 DEBUG API
– Within the same process
  • Using Vectored Exception Handling
• Monitor needs to receive exception events before the attacker
Four ways to monitor exceptions
| | Load Time | Runtime |
|---|---|---|
| Monitoring Process | CreateProcess(…, DEBUG_PROCESS,…) | DebugActiveProcess(process_id) |
| DLL injection | Import table modification & AddVectoredExceptionHandler(…) | CreateRemoteThread(…) & AddVectoredExceptionHandler(…) |
Red Team Exploit Analysis
1. Phase I of the attack is insensitive to DLL positions or stack locations. (see 6 & 7)
• It only needs a location to which it can write a JMP ESP instruction.
• It typically finds such a location inside a page where the PEB (Process Environment Block) resides by default.
• Though marked READ_ONLY in SP1 an exception handler in the kernel implements Copy-on-write semantics for the first write to this page.
• The fixed address 0xffdc082 is near the PEB but not inside of it. Writing to it does not typically corrupt the PEB/TEB structures.

2. In later testing, it appears that the Red Team attack either always succeeds or always fails for a particular boot.
• Even in the failures, Phase I of the attack appears to work, i.e. the DLL injection callback gains control and does execute.
• Attack fails by not successfully writing a marker file on the target host.
Vulnerable Server
• VulnSrv2.exe:
– A program run as a command line console application.
– VulnSrv2 loads MdVuln2.dll and listens on the specified port for a certain vulnerability.
  • Each vulnerability on a different port
– Uses multi-threaded server architecture
  • One thread for each vulnerability
Small Scale Tests
Corpus of 15 baseline attacks (Metasploit)
A: No Randomization, w/o KMD, 65 trials
B: All Randomizations, 11/15 Release (Red Team), lilo w/ KMD, all BEFORE ConflResolv1201, 294 trials
C: All Randomizations, 12/01 Release, lilo w/ KMD, all AFTER ConflResolv1201, 355 trials

| VulnNum | Attack | A Trials | A Infected | A Blocked | A %Blocked | A %Unblocked | B Trials | B Infected | B Blocked | B %Blocked | B %Unblocked | C Trials | C Infected | C Blocked | C %Blocked | C %Unblocked |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 100 | stackov_abs | 65 | 65 | 0 | 0% | 100% | 294 | 0 | 294 | 100% | 0% | 355 | 0 | 355 | 100% | 0% |
| 110 | stackov_esp | 65 | 65 | 0 | 0% | 100% | 294 | 14 | 280 | 95% | 5% | 355 | 0 | 355 | 100% | 0% |
| 111 | stackov_esp_exe | 65 | 65 | 0 | 0% | 100% | 294 | 0 | 294 | 100% | 0% | 355 | 5 | 350 | 99% | 1% |
| 112 | stackov_esp_ntdll | 65 | 65 | 0 | 0% | 100% | 294 | 0 | 294 | 100% | 0% | 356 | 0 | 356 | 100% | 0% |
| 113 | stackov_esp_kernel32 | 65 | 65 | 0 | 0% | 100% | 250 | 0 | 250 | 100% | 0% | 356 | 0 | 356 | 100% | 0% |
| 120 | stackov_rtl | 65 | 65 | 0 | 0% | 100% | 294 | 15 | 279 | 95% | 5% | 356 | 0 | 356 | 100% | 0% |
| 130 | stackov_lfp | 65 | 65 | 0 | 0% | 100% | 249 | 15 | 234 | 94% | 6% | 356 | 0 | 356 | 100% | 0% |
| 200 | integerov1 | 65 | 65 | 0 | 0% | 100% | 293 | 15 | 278 | 95% | 5% | 356 | 0 | 356 | 100% | 0% |
| 210 | integerov2 | 65 | 65 | 0 | 0% | 100% | 293 | 15 | 278 | 95% | 5% | 356 | 0 | 356 | 100% | 0% |
| 300 | fmrstr1 | 65 | 65 | 0 | 0% | 100% | 293 | 15 | 278 | 95% | 5% | 356 | 23 | 333 | 94% | 6% |
| 400 | heapov1 | 65 | 65 | 0 | 0% | 100% | 293 | 15 | 278 | 95% | 5% | 356 | 2 | 354 | 99% | 1% |
| 410 | heapov2 | 65 | 65 | 0 | 0% | 100% | 293 | 0 | 293 | 100% | 0% | 356 | 0 | 356 | 100% | 0% |
| 420 | heapov3 | 65 | 65 | 0 | 0% | 100% | 294 | 0 | 294 | 100% | 0% | 355 | 0 | 355 | 100% | 0% |
| 421 | heapov4 | 65 | 65 | 0 | 0% | 100% | 293 | 0 | 293 | 100% | 0% | 355 | 0 | 355 | 100% | 0% |
| 430 | heapov5 | 65 | 65 | 0 | 0% | 100% | 293 | 15 | 278 | 95% | 5% | 355 | 0 | 355 | 100% | 0% |
Further Development
• Expects
– Fixed PEB/TEB base location
– Exception handler location
– Initial process heap/CRT heap base randomization
– Some things not exhaustively covered
  • Process/thread creation, memory allocation
– Undocumented Native API
  • Occasional communication error with Win32 subsystem
– Remote monitoring and management
• Solutions
– Kernel mode driver
– Expanded vulnerabilities and attacks for Layer 2 testing
– Control and alerting interfaces
• Enterprise version capabilities (Army CECOM?)