Embed Size (px)
Citation preview
MemoryCorrup+on
BasicMemoryCorrup+onA3acks
OriginalslideswerecreatedbyProf.DanBoneh
Memorycorrup+ona3acks• A3acker’sgoal:
– Takeovertargetmachine(e.g.webserver)• Executearbitrarycodeontargetbyhijackingapplica+oncontrolflowleveragingmemorycorrup+on
• Examples.– Bufferoverflowa3acks– Integeroverflowa3acks– Formatstringvulnerabili+es
Example1:bufferoverflows• ExtremelycommonbuginC/C++programs.
– Firstmajorexploit:1988InternetWorm.fingerd.
0
100
200
300
400
500
600
1995 1997 1999 2001 2003 2005
Source:NVD/CVE
≈ 20%ofallvuln.
Whatisneeded• UnderstandingCfunc+ons,thestack,andtheheap.• Knowhowsystemcallsaremade• Theexec()systemcall
• A3ackerneedstoknowwhichCPUandOSusedonthetargetmachine:
– Ourexamplesareforx86runningLinuxorWindows– DetailsvaryslightlybetweenCPUsandOSs:
• Li3leendianvs.bigendian(x86 vs. Motorola)• StackFramestructure(Unixvs.Windows)
Linuxprocessmemorylayout
unused 0x08048000
run+meheap
sharedlibraries
userstack
0x40000000
0xC0000000
%esp
brk
Loadedfromexec
0
excep+onhandlers
StackFrame
arguments
returnaddressstackframepointer
localvariablesSP
StackGrowth
high
low
Whatarebufferoverflows?void func(char *str) { char buf[128];
strcpy(buf, str); do-something(buf);
}
Supposeawebservercontainsafunc+on:
Whenfunc()iscalledstacklookslike:
argument:strreturnaddress
stackframepointer
charbuf[128]
SP
Whatarebufferoverflows?void func(char *str) { char buf[128];
strcpy(buf, str); do-something(buf);
}
Whatif*stris136byteslong?Aferstrcpy:
argument:strreturnaddress
stackframepointer
charbuf[128]
SP
*str Problem:nolengthcheckinginstrcpy()
charbuf[128]
returnaddress
BasicstackexploitSuppose*strissuchthataferstrcpystacklookslike:
ProgramP:exec(“/bin/sh”)
Whenfunc()exits,theusergetsshell!Note:a3ackcodePrunsinstack.
ProgramP
low
high
TheNOPslideProblem:howdoesa3acker
determineret-address?Solu+on:NOPslide• Guessapproximatestackstate
whenfunc()iscalled
• InsertmanyNOPsbeforeprogramP:nop,xoreax,eax,incax
charbuf[128]
returnaddress
NOPSlide
ProgramP
low
high
Detailsandexamples• Somecomplica+ons:
– ProgramPshouldnotcontainthe‘\0’character.– Overflowshouldnotcrashprogrambeforefunc()exists.
• (in)Famousremotestacksmashingoverflows:– (2007)OverflowinWindowsanimatedcursors(ANI).LoadAniIcon()
– (2005)OverflowinSymantecVirusDetec+on
test.GetPrivateProfileString "file", [long string]
Manyunsafelibcfunc+onsstrcpy(char*dest,constchar*src)strcat(char*dest,constchar*src)gets(char*s)scanf(constchar*format,…)andmanymore.
• “Safe”libcversionsstrncpy(),strncat()aremisleading– e.g.strncpy()mayleavestringunterminated.
• WindowsCrun+me(CRT):– strcpy_s(*dest,DestSize,*src):ensurespropertermina+on
Bufferoverflowopportuni+es• Excep+onhandlers:(WindowsSEHa3acks)
– Overwritetheaddressofanexcep+onhandlerinstackframe.
• Func+onpointers:(e.g.PHP4.0.2,MSMediaPlayerBitmaps)
– Overflowingbufwilloverridefunc+onpointer.
• Longjmpbuffers:longjmp(pos)(e.g.Perl5.003)
– Overflowingbufnexttoposoverridesvalueofpos.
Heapor
stackbuf[128] FuncPtr
Corrup+ngmethodpointers• Compilergeneratedfunc+onpointers(e.g.C++code)
• Aferoverflowofbuf:
ptr
data
ObjectT
FP1FP2FP3
vtable
method#1method#2method#3
ptr
buf[256] data
objectT
vtable
NOPslide
shellcode
Findingbufferoverflows• Tofindoverflow:
– Runwebserveronlocalmachine– Issuemalformedrequests(endingwith“$$$$$”)
• Manyautomatedtoolsexist(calledfuzzers–nextmodule)– Ifwebservercrashes,
searchcoredumpfor“$$$$$”tofindoverflowloca+on• Constructexploit(noteasygivenlatestdefenses)
MemoryCorrup+on
MoreMemoryCorrup+onA3acks
MoreCorrup+onOpportuni+es
• Integeroverflows:(e.g. MS DirectX MIDI Lib)
• Doublefree:doublefreespaceonheap– Cancausememorymgrtowritedatatospecificloca+on– Examples:CVSserver
• Use after free: using memory after it is freed
• Format string vulnerabilities
IntegerOverflows(seePhrack60)Problem:whathappenswhenintexceedsmaxvalue?
intm;(32bits)shorts;(16bits)charc;(8bits)
c=0x80+0x80=128+128 ⇒c=0
s=0xff80+0x80 ⇒s=0
m=0xffffff80+0x80 ⇒m=0Canthisbeexploited?
Anexamplevoidfunc(char*buf1,*buf2,unsignedintlen1,len2){
char temp[256]; if (len1 + len2 > 256) {return -1} // length check memcpy(temp, buf1, len1); // cat buffers memcpy(temp+len1, buf2, len2); do-something(temp); // do stuff
}
Whatiflen1=0x80,len2=0xffffff80?⇒len1+len2=0
Secondmemcpy()willoverflowheap!!
0
20
40
60
80
100
120
140
1996 1998 2000 2002 2004 2006Source:NVD/CVE
Integeroverflowexploitstats
Formatstringbugs
Formatstringproblem int func(char *user) { fprintf( stderr, user); }
Problem:whatif*user = “%s%s%s%s%s%s%s”??– Mostlikelyprogramwillcrash:DoS.– Ifnot,programwillprintmemorycontents.Privacy?– Fullexploitusinguser=“%n”
Correctform: fprintf( stdout, “%s”, user);
Vulnerablefunc+onsAnyfunc+onusingaformatstring.Prin+ng:prin{,fprin{,sprin{,…vprin{,vfprin{,vsprin{,…
Logging:syslog,err,warn
Exploit• Dumpingarbitrarymemory:
– Walkupstackun+ldesiredpointerisfound.
– prin{(“%08x.%08x.%08x.%08x|%s|”)
• Wri+ngtoarbitrarymemory:
– prin{(“hello%n”,&temp)--writes‘6’intotemp.
– prin{(“%08x.%08x.%08x.%08x.%n”)
MemoryCorrup+on
Pla{ormDefenses
Preven+nghijackinga3acks1. Fixbugs:
– Auditsofware• Automatedtools:Coverity,Prefast/Prefix.
– Rewritesofwareinatypesafelanguange(Java,ML)• Difficultforexis+ng(legacy)code…
2. Concedeoverflow,butpreventcodeexecu+on
3. Addrun+mecodetodetectoverflowsexploits– Haltprocesswhenoverflowexploitdetected– StackGuard,LibSafe,…
Markingmemoryasnon-execute(W^X)
Preventa3ackcodeexecu+onbymarkingstackandheapasnon-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott – NXbitineveryPageTableEntry(PTE)
• Deployment:– Linux(viaPaXproject);OpenBSD– Windows:sinceXPSP2(DEP)
• VisualStudio:/NXCompat[:NO]
• Limita+ons:– Someappsneedexecutableheap(e.g.JITs).– Doesnotdefendagainst`ReturnOrientedProgramming’exploits
Examples:DEPcontrolsinWindows
DEPtermina+ngaprogram
A3ack:ReturnOrientedProgramming(ROP)
• Controlhijackingwithoutexecu+ngcode
argsret-addr
sfp
local buf
stack
exec()printf()
“/bin/sh”
libc.so
Response:randomiza+on• ASLR:(AddressSpaceLayoutRandomiza+on)
– Mapsharedlibrariestorandloca+oninprocessmemory⇒A3ackercannotjumpdirectlytoexecfunc+on
– Deployment:(/DynamicBase)• Windows7: 8bitsofrandomnessforDLLs
– alignedto64Kpageina16MBregion⇒256choices• Windows8: 24bitsofrandomnesson64-bitprocessors
• Otherrandomiza+onmethods:– Sys-callrandomiza+on:randomizesys-callid’s– Instruc+onSetRandomiza+on(ISR)
ASLRExampleBooting twice loads libraries into different locations:
Note:everythinginprocessmemorymustberandomized stack,heap,sharedlibs,baseimage
• Win8ForceASLR:ensuresallloadedmodulesuseASLR
Morea3acks:JiTsprayingIdea: 1.ForceJavascriptJiTtofillheapwith
executableshellcode
2.thenpointSFPanywhereinsprayarea
heap
vtable
NOPslide shellcodeexecuteenabledexecuteenabled
executeenabled executeenabled
MemoryCorrup+on
Run-+meDefenses
Run+mechecking:StackGuard
• Manyrun-+mecheckingtechniques…– weonlydiscussmethodsrelevanttooverflowprotec+on
• Solu+on1:StackGuard– Run+metestsforstackintegrity.– Embed“canaries”instackframesandverifytheirintegritypriortofunc+onreturn.
str ret sfp localtopof
stackcanarystr ret local canaryFrame1Frame2
sfp
CanaryTypes• Randomcanary:
– Randomstringchosenatprogramstartup.– Insertcanarystringintoeverystackframe.– Verifycanarybeforereturningfromfunc+on.
• Exitprogramifcanarychanged.Turnspoten+alexploitintoDoS.– Tocorrupt,a3ackermustlearncurrentrandomstring.
• Terminatorcanary:Canary={0,newline,linefeed,EOF}– Stringfunc+onswillnotcopybeyondterminator.– A3ackercannotusestringfunc+onstocorruptstack.
StackGuard(Cont.)• StackGuardimplementedasaGCCpatch
– Programmustberecompiled• Minimalperformanceeffects:8%forApache
• Note:Canariesdonotprovidefullprotec+on– Somestacksmashinga3acksleavecanariesunchanged
• Heapprotec+on:PointGuard– Protectsfunc+onpointersandsetjmpbuffersbyencryp+ngthem:e.g.XORwithrandomcookie
– Lesseffec+ve,moreno+ceableperformanceeffects
StackGuardenhancements:ProPolice• ProPolice(IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrangestacklayouttopreventptroverflow. args
retaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
Protectspointerargsandlocalpointersfromabufferoverflow
MSVisualStudio/GS[since2003]Compiler/GSop+on:
– Combina+onofProPoliceandRandomcanary.– Ifcookiemismatch,defaultbehavioristocall_exit(3)
Func+onprolog:subesp,8//allocate8bytesforcookiemoveax,DWORDPTR___security_cookiexoreax,esp//xorcookiewithcurrentespmovDWORDPTR[esp+8],eax//saveinstack
Func+onepilog:movecx,DWORDPTR[esp+8]xorecx,espcall@__security_check_cookie@4addesp,8
Enhanced/GSinVisualStudio2010:– /GSprotec+onaddedtoallfunc+ons,unlesscanbeprovenunnecessary
/GSstackframeargs
retaddrSFP
CANARYlocalstringbuffers
localnon-buffervariablesStackGrowth pointers,butnoarrays
StringGrowth
copyofpointerargs
excepaonhandlers
Canaryprotectsret-addrandexcep+onhandlerframe
Evading/GSwithexcep+onhandlers• Whenexcep+onisthrown,dispatcherwalksupexcep+onlist
un+lhandlerisfound(elseusedefaulthandler)
highmemnext handlernext handlernext handler
0xffffffff
buf
SEHframeSEHframe
Aferoverflow:handlerpointstoa3acker’scodeexcep+ontriggered⇒controlhijack
ptrtoa3ackcode
Mainpoint:excep+onistriggeredbeforecanaryischecked
next
Defenses:SAFESEHandSEHOP• /SAFESEH:linkerflag
– Linkerproducesabinarywithatableofsafeexcep+onhandlers– Systemwillnotjumptoexcep+onhandlernotonlist
• /SEHOP:pla{ormdefense(sincewinvistaSP1)– Observa+on:SEHa3ackstypicallycorruptthe“next”entryinSEHlist.– SEHOP:addadummyrecordattopofSEHlist– Whenexcep+onoccurs,dispatcherwalksuplistandverifiesdummy
recordisthere.Ifnot,terminatesprocess.
Summary:Canariesarenotfullproof• Canariesareanimportantdefensetool,butdonotpreventall
controlhijackinga3acks:
– Heap-baseda3ackss+llpossible
– Integeroverflowa3ackss+llpossible
– /GSbyitselfdoesnotpreventExcep+onHandlinga3acks (alsoneedSAFESEHandSEHOP)
Whatifcan’trecompile:Libsafe• Solu+on2:Libsafe(AvayaLabs)
– Dynamicallyloadedlibrary(noneedtorecompileapp.)– Interceptscallstostrcpy(dest,src)
• Validatessufficientspaceincurrentstackframe:|frame-pointer–dest|>strlen(src)
• Ifso,doesstrcpy.Otherwise,terminatesapplica+on
dest ret-addr sfp topof
stacksrc buf ret-addr sfp
Libsafestrcpy main
HowrobustisLibsafe?
strcpy()canoverwriteapointerbetweenbufandsfp.
dest ret-addr sfp highmemorysrc buf ret-addr sfp
Libsafestrcpy main
lowmemory
Moremethods…Ø StackShield
§ Atfunc+onprologue,copyreturnaddressRETandSFPto“safe”loca+on(beginningofdatasegment)
§ Uponreturn,checkthatRETandSFPisequaltocopy.§ Implementedasassemblerfileprocessor(GCC)
Ø ControlFlowIntegrity(CFI)§ Acombina+onofsta+canddynamicchecking
§ Sta+callydetermineprogramcontrolflow§ Dynamicallyenforcecontrolflowintegrity
MemoryCorrup+on
AdvancedA3acks
HeapSprayA3acks
Areliablemethodforexploi+ngheapoverflows
Heap-basedcontrolhijacking• Compilergeneratedfunc+onpointers(e.g.C++code)
• Supposevtableisontheheapnexttoastringobject:
ptr
data
ObjectT
FP1FP2FP3
vtable
method#1method#2method#3
ptr
buf[256] data
objectT
vtable
Heap-basedcontrolhijacking• Compilergeneratedfunc+onpointers(e.g.C++code)
• Aferoverflowofbufwehave:
ptr
data
ObjectT
FP1FP2FP3vtable
method#1method#2method#3
ptr
buf[256] data
objectT
vtable
shellcode
Areliableexploit? <SCRIPTlanguage="text/javascript"> shellcode=unescape("%u4343%u4343%..."); overflow-string=unescape(“%u2332%u4276%...”);
cause-overflow(overflow-string);//overflowbuf[] </SCRIPT>
Problem: a3ackerdoesnotknowwherebrowser
placesshellcodeontheheap
ptr
buf[256] data
shellcodevtable
???
HeapSpraying[SkyLined2004]Idea: 1.useJavascripttosprayheap
withshellcode(andNOPslides)
2.thenpointvtableptranywhereinsprayarea
heap
vtable
NOPslide shellcode
heapsprayarea
Javascriptheapspraying var nop = unescape(“%u9090%u9090”) while (nop.length < 0x100000) nop += nop
var shellcode = unescape("%u4343%u4343%...");
var x = new Array () for (i=0; i<1000; i++) { x[i] = nop + shellcode; }
• Poin+ngfunc-ptralmostanywhereinheapwillcauseshellcodetoexecute.
Vulnerablebufferplacement• Placingvulnerablebuf[256]nexttoobjectO:
– BysequenceofJavascriptalloca+onsandfreesmakeheaplookasfollows:
– Allocatevuln.bufferinJavascriptandcauseoverflow
– SuccessfullyusedagainstaSafariPCREoverflow[DHM’08]
objectO
freeblocks
heap
Manyheapsprayexploits
• Improvements:HeapFengShui[S’07]– ReliableheapexploitsonIEwithoutspraying– Givesa3ackerfullcontrolofIEheapfromJavascript
[RLZ’08]
(par+al)Defenses• Protectheapfunc+onpointers(e.g.PointGuard)
• Be3erbrowserarchitecture:– StoreJavaScriptstringsinaseparateheapfrombrowserheap
• OpenBSDheapoverflowprotec+on:
• Nozzle[RLZ’08]:detectspraysbyprevalenceofcodeonheap
non-writablepages
preventscross-pageoverflows
Referencesonheapspraying[1] HeapFengShuiinJavascript,
byA.So+rov,BlackhatEurope2007[2] EngineeringHeapOverflowExploitswithJavaScript
M.Daniel,J.Honoroff,andC.Miller,WooT2008[3] Nozzle:ADefenseAgainstHeap-sprayingCodeInjecaonAiacks, byP.Ratanaworabhan,B.Livshits,andB.Zorn
[4] InterpreterExploitaaon:PointerinferenceandJiTspraying,
byDionBlazakis
