Transcript of: Framing Signals—A Return to Portable Shellcode. Erik Bosman and Herbert Bos, Vrije Universiteit, Amsterdam. 35th Security and Privacy (May 2014), Best Student Paper Award.
Framing Signals—A Return to Portable Shellcode

Erik Bosman and Herbert Bos

Vrije Universiteit, Amsterdam

35th Security and Privacy (May 2014)

Best Student Paper Award

A Seminar at Advanced Defense Lab 2

Outline

• Introduction

• Signal Delivery on UNIX Systems

• SROP

• Turing-Complete Interpreter

• Mitigation

2014/6/16


Introduction


[Figure: the system split into kernel space (the kernel) and user space (the application). System calls and interrupts cross from the application into the kernel; signals are delivered from the kernel back to the application.]


In This Paper…

• While each flavor handles signals in slightly different ways, the different implementations are all very similar.

• We show that the implementation can be used as an attack method in exploits and backdoors.


Stack Smashing Attacks

[Figure: a stack in which the buffer holds shellcode and the overwritten return address points into that buffer.]

• But…

• W^X (OpenBSD)

• Exec Shield (Linux)

• DEP (Windows)


Code Reuse Attacks


[Figure: a stack in which the buffer is followed by a sequence of return addresses, each pointing into existing code rather than into the buffer.]


Ret-to-libc vs. ROP vs. SROP

                       Ret-to-libc                 ROP/JOP                  SROP
Complexity             Few function addresses      Many gadgets             Few gadgets
Code source            Only functions in library   Any executable segment   As ROP
To defeat ASLR         Information leak, or a      Information leak         As ROP
                       non-randomized library
To change shellcode    Easy                        Hard                     Easy


Signal Delivery on Early UNIX Systems


[Figure: signal delivery on early UNIX, shown as stack and code side by side. Kernel code builds a signal frame on the user stack holding the user context, the signal parameters and a return address. ip then points into the signal handler (user code) and sp at the signal frame; the handler returns through the signal dispatcher, which restores the user context.]


UNIX V6 Interrupt Routine


sigreturn System call (4.3BSD)


[Figure: the same stack and code layout as on the previous slide (signal handler, signal dispatcher, user context, signal parameters, return address; ip and sp marked), with one change: the signal dispatcher ends by invoking the sigreturn system call, so the kernel, not user code, restores the saved user context from the frame.]


A Signal Frame in Linux x86-64


SROP


[Figure: the signal delivery diagram repeated under the SROP heading (signal handler, signal dispatcher, user context, signal parameters, return address, ip, sp, invoke sigreturn). The point of the repetition: the signal frame is plain data on the stack, and sigreturn restores whatever user context that data contains.]


An example of a sigreturn chain in SROP


[Figure: stack and code during a sigreturn chain. The stack holds two forged signal frames back to back. Each is preceded by a return address pointing at the sigreturn gadget ("Ret: sigreturn"); in each frame the rip field points at a syscall instruction, the rax field holds a system call number (sys_xxx in the first frame, sys_yyy in the second), and the other registers hold the system call arguments. The gadget is:

    mov sigreturn, %rax
    syscall
    ret

Arrows show ip and sp stepping through: sigreturn loads the first frame, the syscall instruction executes sys_xxx, the following ret pops the next "Ret: sigreturn" address, and the second frame yields sys_yyy.]


SROP Pre-conditions

• The attacker should have control over the instruction pointer.

• The stack pointer should point into attacker-controlled data, and NULL bytes must be allowed in that data.

• The attacker knows the address of a piece of data controlled by the attacker.

• The attacker knows the location of code calling sigreturn, or syscall.


Finding a sigreturn Gadget


Linux x86-64 vsyscall page


A Linux x86-64 SROP Exploit


SROP as a Backdoor


An SROP syscall proxy on iOS


Turing-Complete Interpreter


Mitigation

• Signal Frame Canaries
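The canary mitigation named on this slide, as an added example in C (not the paper's code and not the Linux kernel's): a toy "kernel" stamps every signal frame it builds with a per-process secret and refuses a sigreturn whose frame does not carry it, while an unprotected sigreturn accepts any bytes on the stack. The register subset, the frame layout, the function names, the seed and the trampoline address are assumptions; real x86-64 frames are larger (rt_sigframe with ucontext, siginfo and FPU state), and a real implementation would draw the secret from the kernel's CSPRNG rather than the toy generator used here.

```c
/* Model of the "signal frame canary" mitigation against SROP.
 * Added example, not code from the paper or from the Linux kernel. The
 * frame layout, register set, function names and seed are assumptions
 * chosen so the check can be exercised in plain C, without real signals. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The part of the user context that sigreturn restores (subset, assumed). */
struct cpu_context {
    uint64_t rip, rsp, rax, rdi, rsi, rdx;
};

/* A signal frame as the kernel pushes it on the user stack. The canary
 * field is the mitigation, not a field of today's real frames. */
struct sig_frame {
    uint64_t pretcode;       /* return address: the sigreturn trampoline   */
    struct cpu_context ctx;  /* registers the kernel saved, to be restored */
    uint64_t canary;         /* secret that only the kernel can write      */
};

/* Per-process kernel state. The secret lives here, never in user memory;
 * as with stack canaries, an information leak of it defeats the check. */
struct task {
    uint64_t frame_secret;
};

/* splitmix64: a toy generator standing in for the kernel's CSPRNG. */
static uint64_t toy_random(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void task_init(struct task *t, uint64_t seed)
{
    t->frame_secret = toy_random(&seed);   /* drawn once, at exec time */
}

/* Signal delivery: save the interrupted context into the frame slot on the
 * user stack and stamp the frame with the per-process secret. */
static void setup_frame(const struct task *t, const struct cpu_context *interrupted,
                        uint64_t trampoline, struct sig_frame *slot)
{
    slot->pretcode = trampoline;
    slot->ctx = *interrupted;
    slot->canary = t->frame_secret;
}

/* sigreturn without the mitigation: whatever is on the stack becomes the
 * new register state. This is exactly what a forged frame relies on. */
static bool sigreturn_unprotected(const struct sig_frame *f, struct cpu_context *out)
{
    *out = f->ctx;
    return true;
}

/* sigreturn with the mitigation: a frame without the secret was not written
 * by the kernel, so it is refused (the task would receive SIGSEGV). */
static bool sigreturn_checked(const struct task *t, const struct sig_frame *f,
                              struct cpu_context *out)
{
    if (f->canary != t->frame_secret)
        return false;
    *out = f->ctx;
    return true;
}

/* Legitimate path: the kernel built the frame, so sigreturn restores it. */
bool legit_frame_is_restored(void)
{
    struct task t;
    struct cpu_context interrupted = { .rip = 0x401000, .rsp = 0x7ffc0000, .rax = 42 };
    struct sig_frame frame;               /* the slot on the user stack */
    struct cpu_context restored;

    task_init(&t, 0x1234);                /* constructed seed */
    setup_frame(&t, &interrupted, 0x7ffff7fd0000ULL /* trampoline, assumed */, &frame);
    if (!sigreturn_checked(&t, &frame, &restored))
        return false;
    return memcmp(&restored, &interrupted, sizeof restored) == 0;
}

/* Forged path: bytes placed on the stack by an attacker are read as a frame.
 * The unprotected sigreturn accepts them; the checked one does not. */
bool forged_frame_is_rejected(void)
{
    struct task t;
    struct sig_frame forged;
    struct cpu_context out;

    task_init(&t, 0x1234);
    memset(&forged, 0, sizeof forged);
    forged.ctx.rip = 0x401234;            /* constructed: attacker-chosen rip */
    /* forged.canary stays 0: the secret was never in user memory */

    bool unprotected_accepts = sigreturn_unprotected(&forged, &out) && out.rip == 0x401234;
    bool checked_rejects = !sigreturn_checked(&t, &forged, &out);
    return unprotected_accepts && checked_rejects;
}

int main(void)
{
    printf("legitimate frame restored: %s\n", legit_frame_is_restored() ? "yes" : "no");
    printf("forged frame rejected:     %s\n", forged_frame_is_rejected() ? "yes" : "no");
    return 0;
}
```

The check costs one compare per sigreturn and changes nothing for legitimate signal handling; its strength rests entirely on the secret staying out of reach of user space, which is the same assumption stack canaries make.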


Q & A
