Framing Signals—A Return to Portable Shellcode
Erik Bosman and Herbert Bos
Vrije Universiteit, Amsterdam
35th IEEE Symposium on Security and Privacy
(May 2014)
Best Student Paper Award
A Seminar at Advanced Defense Lab 2
Outline
• Introduction
• Signal Delivery on UNIX Systems
• SROP
• Turing-Complete Interpreter
• Mitigation
2014/6/16
Introduction
[Diagram: the application runs in user space and the kernel in kernel space; control enters the kernel through system calls and interrupts, and the kernel notifies the application through signals.]
In This Paper…
• While each UNIX flavor handles signals in slightly different ways, the different implementations are all very similar.
• We show that the implementation can be used as an attack method in exploits and backdoors.
Stack Smashing Attacks
• But…
• W^X (OpenBSD)
• Exec Shield (Linux)
• DEP (Windows)
[Stack diagram: return address, shellcode, buffer; the overflowed buffer carries the shellcode and the overwritten return address points back into it, which is what non-executable stacks prevent.]
Code Reuse Attacks
[Diagram: the stack holds the buffer followed by a sequence of return addresses, each pointing into existing code; the existing code is reused in place of injected shellcode.]
Ret-to-libc vs. ROP
                     Ret-to-libc                  ROP/JOP                  SROP
Complexity           Few function addresses       Many gadgets             Few gadgets
Code source          Only functions in library    Any executable segment   As ROP
To defeat ASLR       Information leak, or a       Information leak         As ROP
                     non-randomized library
To change shellcode  Easy                         Hard                     Easy
Signal Delivery on Early UNIX Systems
[Diagram: code regions are the signal handler, the signal dispatcher, user code and kernel code. On delivery, kernel code pushes a signal frame onto the user stack consisting of the user context, the signal parameters and a return address; ip is set to the signal handler and sp to the frame, and the signal dispatcher returns to user code through the frame.]
sigreturn System call (4.3BSD)
[Diagram: same code regions (signal handler, signal dispatcher, user code, kernel code) and the same signal frame on the stack (user context, signal parameters, return address). After the handler returns, the signal dispatcher invokes the sigreturn system call; kernel code reads the saved user context from the stack, restores ip and sp from it and resumes user code.]
SROP
[Diagram: the same layout as for 4.3BSD, but the signal frame (user context, signal parameters, return address) on the stack is supplied by the attacker rather than pushed by the kernel. Invoking sigreturn makes kernel code load ip, sp and the remaining registers from the forged user context.]
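To make the frame above concrete, here is an added example (not part of the slides or the paper) for Linux on x86-64 or AArch64: a SA_SIGINFO handler locates the user context the kernel saved on the stack and checks that it lies between the interrupted code's stack pointer and the handler's own frame, which is the memory sigreturn later restores registers from. The function and field names and the choice of SIGUSR1 are mine.

```c
/* Added example (not from the slides): inspect the signal frame the Linux
 * kernel pushes onto the user stack. The handler receives a pointer to the
 * saved user context; sigreturn later restores registers from this memory. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>
#if defined(__x86_64__) && !defined(REG_RSP)
enum { REG_RSP = 15, REG_RIP = 16 };  /* glibc names them only with _GNU_SOURCE */
#endif
struct frame_info {
    uintptr_t frame_addr;  /* address of the saved ucontext_t on the stack */
    uintptr_t saved_sp;    /* stack pointer of the interrupted code */
    uintptr_t saved_pc;    /* instruction pointer sigreturn will resume at */
    uintptr_t handler_sp;  /* a local of the handler, pushed below the frame */
};
static struct frame_info g_info;
static volatile sig_atomic_t g_delivered;

static void on_signal(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    int local = 0;  /* lives in the handler's frame, below the signal frame */
    g_info.frame_addr = (uintptr_t)uc;
    g_info.handler_sp = (uintptr_t)&local;
#if defined(__x86_64__)
    g_info.saved_sp = (uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    g_info.saved_pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__aarch64__)
    g_info.saved_sp = (uintptr_t)uc->uc_mcontext.sp;
    g_info.saved_pc = (uintptr_t)uc->uc_mcontext.pc;
#endif
    g_delivered = 1;
}

/* Deliver SIGUSR1 to ourselves. Returns 1 when the saved context sits on the
 * user stack between the interrupted code's sp and the handler's own frame. */
int inspect_signal_frame(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return -1;
    g_delivered = 0;
    raise(SIGUSR1);
    if (!g_delivered) return 0;
    return (g_info.handler_sp < g_info.frame_addr &&
            g_info.frame_addr < g_info.saved_sp) ? 1 : 0;
}
```

The saved context is ordinary writable stack memory, which is why a process that can place bytes on its stack can also present a frame of its own choosing to sigreturn.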
An example of a sigreturn chain in SROP
[Diagram: the stack holds two forged signal frames in sequence, each preceded by a return address pointing at the sigreturn gadget.
  Ret: sigreturn
  Frame 1: rip = syscall, rax = number of sys_xxx, other registers = syscall arguments
  Ret: sigreturn
  Frame 2: rip = syscall, rax = number of sys_yyy, other registers = syscall arguments
The code used is:
  mov sigreturn, %rax
  syscall
  ret
Each sigreturn loads ip, rax, sp and the other registers from the next frame, so ip lands on the syscall instruction, sys_xxx and then sys_yyy execute, and the following ret pops the next "Ret: sigreturn" entry from sp.]
SROP Pre-conditions
• The attacker should have control over the instruction pointer.
• The stack pointer should be located on attacker controlled data and NULL bytes must be allowed.
• The attacker knows the address of a piece of data controlled by the attacker.
• The attacker knows the location of code calling sigreturn, or syscall.