Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer Sciences Department University of Wisconsin ESSoS 2014 Munich, Germany February 27, 2014

Page 1: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Detecting Code Reuse Attacks with a Model of Conformant Program Execution

Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller

Computer Sciences Department
University of Wisconsin

ESSoS 2014
Munich, Germany
February 27, 2014

Page 2: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Threat Model

• Attack goal: effect some malicious intent by hijacking program control flow

• Historically, accomplished via code injection

[Figure: process address space containing the code (with its entry point), the heap and the stack; injected shellcode sits outside the code region]

Page 3: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Threat Model

• W⊕X prevents code injection

• So, code cannot be executed from the stack or heap

• Alternative: construct an exploit using code that already exists within the program’s address space (code reuse attacks)

[Figure: process address space containing the code (with its entry point), the heap and the stack; injected shellcode sits outside the code region]

Page 4: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Anatomy of a Code Reuse Attack

Select gadgets from within the address space of the process

Chain gadgets together with indirect control flow (indirect jump instructions: “jump-oriented programming”, JOP)

Usually a short attack with the goal of escaping the confining W⊕X environment: exec(“/bin/sh”)

[Figure: gadgets located among the bytes of the code section]

    xchg %eax,%ecx
    fdiv %st(3),%st
    jmp *-0xf(%esi)

    add %edi,%ebp
    jmp *-0x39(%ebp)

    mov 0xc(%esi),%eax
    mov %eax,(%esp)
    call *0x4(%esi)

    add %edi,%ebp
    jmp *-0x39(%ebp)

    sysenter
    …
    pop %ebx

Example based on exploit presented in Bletsch et al. 2011

Page 6: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Existing Defenses Against Code Reuse Attacks

Attack step: select gadgets from within the address space of the process

Making gadget discovery difficult:
• ASLR
• software diversification
• removal of useful instruction sequences
[Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013]

Make discovery difficult, not impossible

Attack step: chain gadgets together with indirect control flow

Detecting control flow manipulations:
• shadow stack
• matched call/return pairs
[Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013]

Defeated by JOP

Enforcing control flow integrity:
[Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013]

Require binary rewriting of all code

Page 7: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Our Approach

• Define security policy based on well-defined behaviors of the program binary
  Does not rely on behavior of known attacks

• Use static analysis of binary to extract the model
  Does not require learning phase or expert knowledge

• Enforce expected behavior
  Protects against new exploit variations

Page 8: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Our Approach

• Define conformant program execution (CPE) as a set of requirements on program states
  • Valid program counter
  • Valid callstack

• Enforce CPE by monitoring program at runtime
  • Monitor is protected from being exploited because it’s in a separate process

Page 9: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Model Component #1

Valid program counter (PC):
PC must point to a valid instruction in the original program

[Figure: PC = 0xb7fe3424 is checked against the CFG, which contains:]

    b7fe3424: pop %ebp
    b7fe3425: pop %edx
    b7fe3426: pop %ecx
    b7fe3427: ret

Page 10: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Model Component #2

Valid callstack:
For each frame:
1. frame must have valid stack frame height
2. (caller → current frame) must represent a valid control flow transfer in the program

[Figure: the callstack at the stack pointer holds … 78787878 78787878 78787878 78787878. The expected stack frame, derived from the CFG, locates the return address slot, which holds an invalid return address; the question asked of each frame is "valid control flow transfer?". CFG blocks shown:]

    push %ecx
    push %edx
    push %ebp
    mov %esp, %ebp
    sysenter
    …
    jmp b7fe3417
    pop %ebp
    pop %edx
    pop %ecx
    ret

    pop %ebp
    pop %edx
    pop %ecx
    ret

Page 11: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Program Validation

Design decision: when do we validate?

• Option 1: At all instructions
  • “Conformant program execution”
  • Disadvantage: inefficient

• Option 2: At system calls
  • “Observed conformant program execution” (OCPE)
  • Effective because attacks must use the system call interface to modify overall machine state
  • Disadvantage: relies on attack being observable at system calls

Page 12: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

ROPStop Implementation

ROPStop:
1. Attach to running process or launch new process from binary
2. Parse program binary
3. Register callbacks at system calls
4. Continue process

At each system call:
1. Validate current program counter
2. Perform robust stackwalk and validate the current callstack

[Figure: ROPStop either attaches to a running process or launches a new one from the binary; the system calls that the monitored application makes to the operating system are intercepted via ptrace]
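The two model components and the per-system-call check described above, as a small added example (not ROPStop's code and not from the slides). The instruction addresses b7fe3424 to b7fe3427 and the 0x78787878 stack contents come from the slides; the frame heights, function ids, caller addresses and stack base are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef enum { CPE_OK, CPE_BAD_PC, CPE_BAD_FRAME, CPE_BAD_TRANSFER } cpe_t;
/* Per instruction: owning function and expected frame height (bytes from SP
 * to the return-address slot); height < 0 marks the outermost frame. */
typedef struct { uint32_t addr; int func, height; } insn_t;
typedef struct { uint32_t ret_addr; int callee; } call_t; /* one per call site */
enum { FN_STUB = 1, FN_WRAP, FN_MAIN };            /* constructed function ids */
static const insn_t INSNS[] = {
    {0xb7fe3424u, FN_STUB, 12}, {0xb7fe3425u, FN_STUB, 8},  /* pop %ebp, pop %edx */
    {0xb7fe3426u, FN_STUB, 4},  {0xb7fe3427u, FN_STUB, 0},  /* pop %ecx, ret */
    {0x08048510u, FN_WRAP, 4},  {0x08048440u, FN_MAIN, -1}, /* constructed callers */
};
static const call_t CALLS[] = { {0x08048510u, FN_STUB}, {0x08048440u, FN_WRAP} };
#define BASE 0xbffff000u                            /* constructed stack address */
static const uint32_t GOOD[6] = {0, 0, 0, 0x08048510u, 0, 0x08048440u};
static const uint32_t SMASHED[4] = {0x78787878u, 0x78787878u, 0x78787878u, 0x78787878u};

static const insn_t *find_insn(uint32_t pc) {
    for (size_t i = 0; i < sizeof INSNS / sizeof *INSNS; i++)
        if (INSNS[i].addr == pc) return &INSNS[i];
    return NULL;
}

/* The check run at each system call: valid PC, then every frame in turn. */
cpe_t validate(uint32_t pc, uint32_t sp, const uint32_t *stack, size_t words) {
    const insn_t *in = find_insn(pc);
    if (!in) return CPE_BAD_PC;
    while (in->height >= 0) {
        uint32_t slot = sp + (uint32_t)in->height;
        if (slot < BASE || (slot - BASE) / 4 >= words) return CPE_BAD_FRAME;
        uint32_t ra = stack[(slot - BASE) / 4];
        const insn_t *caller = find_insn(ra);
        if (!caller) return CPE_BAD_FRAME;   /* no instruction at that address */
        int ok = 0;
        for (size_t i = 0; i < sizeof CALLS / sizeof *CALLS; i++)
            ok |= CALLS[i].ret_addr == ra && CALLS[i].callee == in->func;
        if (!ok) return CPE_BAD_TRANSFER;    /* caller -> frame edge not in CFG */
        sp = slot + 4;                       /* step into the caller's frame */
        in = caller;
    }
    return CPE_OK;
}

int main(void) {
    printf("conformant=%d smashed=%d\n", validate(0xb7fe3424u, BASE, GOOD, 6),
           validate(0xb7fe3424u, BASE, SMASHED, 4));
    return 0;
}
```

A real monitor would build the two tables from static analysis of the binary and read the PC, SP and stack memory of the monitored process through ptrace.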

Page 13: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Evaluation

Accuracy
• Real code reuse attacks: false negatives?
• SPEC CPU2006 and Apache HTTP Server: false positives?

Overhead
• SPEC CPU2006
• Apache HTTP Server

Page 14: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Results: Real Code Reuse Attacks

Exploit       Type          Detected   Detection Component          Why Invalid?
17286(a)      ROP           ✓          Invalid stack frame height   Overwritten return address
17286(b)      ROP           ✓          Invalid stack frame height   Overwritten return address
Rsync         ROP           ✓          Invalid stack frame height   Overwritten return address
Bletsch       JOP           ✓          Invalid stack frame height   Gadget executing
Stack-smash   Stack-smash   ✓          Invalid stack frame height   Overwritten return address

100% accuracy using real ROP and JOP exploits

Page 15: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Results: Real Code Reuse Attacks

Exploit       Type          Detected   Detection Component          Why Invalid?
Bletsch       JOP           ✓          Invalid stack frame height   Gadget executing

[Figure: the callstack at the stack pointer holds … 78787878 78787878 78787878 78787878; the slot where the expected stack frame places the return address holds an invalid return address. CFG blocks shown:]

    push %ecx
    push %edx
    push %ebp
    mov %esp, %ebp
    sysenter
    …
    jmp b7fe3417
    pop %ebp
    pop %edx
    pop %ecx
    ret

    pop %ebp
    pop %edx
    pop %ecx
    ret

Page 16: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Results: SPEC CPU2006

[Figure: bar chart of overhead per benchmark (x-axis labels: perlbench, bwaves, mcf, zeusmp, cactusADM, namd, soplex, hmmer, GemsFDTD, h264ref, lbm, astar, sphinx3); y-axis: Overhead, -5% to 20%]

100% accuracy (0 false positives), 5.3% overhead (geometric mean)

Page 17: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Results: SPEC CPU2006

Where does the overhead come from?
• PC validity
• Callstack validity
• Monitor context switching (~frequency of system calls)

[Figure: bar chart of overhead per benchmark (x-axis labels: perlbench, bwaves, mcf, zeusmp, cactusADM, namd, soplex, hmmer, GemsFDTD, h264ref, lbm, astar, sphinx3); y-axis: Overhead, -5% to 20%; two bars are annotated "241.5 system calls/second" and "2.0 system calls/second"]

Page 18: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Results: Apache HTTP Server

[Figure: overhead against load; x-axis: Total Number of Requests, 10000 to 200000; y-axis: Overhead, 0% to 30%]

100% accuracy (0 false positives), 6.3% overhead (geometric mean)

Page 19: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Open Questions

• Data-driven attacks (orthogonal type of attack) [Chen et al. 2005] [Demay et al. 2011]
  • Exploits that modify program data (e.g., system call arguments) to effect an attack
  • May not have visible effects on the program states we monitor

• Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006] [Wagner and Soto 2002]
  • Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place
  • Are designed to have no visible effects on the program states we monitor

Page 20: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Conclusion

• Approach for detecting code reuse attacks

• We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution

• We built a tool to enforce OCPE, ROPStop


Page 21: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Questions?

[email protected]

www.paradyn.org


Page 22: Detecting Code Reuse Attacks with  a Model of Conformant Program Execution

Overhead breakdown

Benchmark    System call rate   % Overhead   % Instruction   % Callstack   % Context
             (calls/second)     Imposed      Validity        Validity      Switching
perlbench    167.8              9.6          0.2             50.7          49.1
bzip2        2                  0.8          0               43.8          56.2
bwaves       3.3                1.4          0               31.7          68.2
gamess       29.5               2.4          0.1             59            40.9
mcf          3.4                1.9          0               51.4          48.5
milc         25.5               5.7          0.1             23.5          76.4
zeusmp       0.2                0.7          0               54.2          45.7
gromacs      1.5                0.6          0               45.1          54.9
cactusADM    7.6                1            0.1             52            47.9
leslie3d     31.4               9.2          0.1             14.2          85.7
namd         3.1                0.9          0               61.6          38.4
gobmk        14                 2.2          0.1             43.6          56.4
soplex       241.5              18.1         0.2             50.8          49.1
povray       156.2              18.1         0.1             53.3          46.6
hmmer        18.6               2.6          0.1             38.8          61.1
sjeng        4.8                1.3          0               40.5          59.5
GemsFDTD     88.7               7.3          0.2             40.9          59
libquantum   0.3                0.7          0               50.2          49.8
h264ref      5.1                1.3          0               28.9          71
tonto        119.6              19.1         0.1             41.2          58.7
lbm          1.4                3.4          0               15.5          84.5
omnetpp      3.7                8.8          0               12.7          87.3
astar        7.2                1.3          0.1             56.7          43.3
wrf          53.2               15.7         0               13.4          86.6
sphinx3      18.6               2.4          0.1             38.1          61.8