
CS457 – Introduction to Information Systems Security Software 4

CS457 – Introduction to Information Systems Security Software 4. Elias Athanasopoulos elathan@ics.forth.gr. Defending ROP: Randomization, Address Space Layout Randomization (ASLR), Fine-grained Randomization (Smashing the gadgets, Binary Stirring), Control Flow Integrity (CFI).


Presentation Transcript


  1. CS457 – Introduction to Information Systems Security, Software 4
     Elias Athanasopoulos, elathan@ics.forth.gr

  2. Defending ROP
     • Randomization
       • Address Space Layout Randomization (ASLR)
       • Fine-grained Randomization (Smashing the gadgets, Binary Stirring)
     • Control Flow Integrity (CFI)
     • Run-time Detection
       • Based on H/W features (kBouncer)

  3. Control-flow Graph (labels from the diagram)
     • Direct call of sort()
     • Indirect call of lt()/gt()
     • All ret instructions are indirect branches!
     Can you spot other indirect branches?

  4. Enforcing CFI (1)
     Things we don't care about: direct calls cannot be controlled by the attacker (fixed targets).
     • Direct call of sort(): do nothing!

  5. Enforcing CFI (2): Forward Edges
     • Indirect call of lt()/gt() through register R (R: target); legitimate targets: lt(), gt()
     • Attack: redirect R to a gadget
     • CFI: make sure only legitimate targets are exercised
       - Attach a label to the indirect call: l7
       - Check the label on function entry points
     • Result: R is coupled only with the legitimate targets lt(), gt()
       - The call in sort() can only reach lt(), gt()
       - lt(), gt() can only be reached by the call in sort()

  6. Implementation Example (figure only)

  7. Enforcing CFI (3): Backward Edges
     • All ret instructions are indirect branches!
     • (1) Add labels to call sites (a call site is the instruction after a call)
     • (2) On every ret, check that we return to a correctly labelled call site

  8. Ideal CFI: two problems
     • CFG discovery (especially in legacy apps)
     • Performance of the checks

  9. Coarse-grained (loose) CFI: two labels only
     • One for ensuring an indirect call enters a function entry point
     • One for ensuring a ret returns to a call site

  10. Gadgets under coarse-grained CFI (figure only)

  11. Linking Gadgets under CFI (figure only)

  12. Exploitation under CFI (figure only)

  13. Run-time ROP detection (kBouncer)

  14. Last Branch Record (LBR)
     • 16 pairs of H/W registers
     • Used for debugging
     • They store the last branches that occurred
     • Can be configured to store only indirect branches

  15. kBouncer (figure only)

  16. Normal vs ROP (figure only)

  17. kBouncer Checks
     • call-ret pairing
     • Coarse-grained CFI
     • Heuristics
       • A sequence of up to 20 instructions is considered a gadget
       • 6 gadgets in a row is considered an attack

  18. kBouncer Heuristics (figure only)

  19. Bypassing kBouncer (figure only)

  20. kBouncer bypass PoC (figure only)

  21. Other Software Vulnerabilities
     • Use-after-free and dangling pointers
     • Integer overflows

  22. Use-after-free (timeline from the diagram)
     • t0: P1 and P2 point to Object A
     • t1: P1 is freed (set to NULL); P2 still points to the now free space, it is a dangling pointer
     • t2: the attacker allocates space; a New Object lands where Object A was
     • t3: P2 now points to a new Object!
     1) The new object is of a different type
     2) P2->foo() can execute the attacker's code in the new object

  23. Integer Overflows
     off_t j, pg_start = /* from user space */;
     size_t i, page_count = . . . ;
     int num_entries = . . . ;
     if (pg_start + page_count > num_entries)
         return -EINVAL;
     . . .
     for (i = 0, j = pg_start; i < page_count; i++, j++)
         /* write to some address with offset j */;

  24. Integer Overflows (fix)
     off_t j, pg_start = /* from user space */;
     size_t i, page_count = . . . ;
     int num_entries = . . . ;
     if ((pg_start + page_count > num_entries) ||
         (pg_start + page_count < pg_start))
         return -EINVAL;
     . . .
     for (i = 0, j = pg_start; i < page_count; i++, j++)
         /* write to some address with offset j */;
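The two checks from slides 23 and 24 as an added, runnable C example (not code from the slides or from any driver). It assumes a 64-bit Linux target and uses fixed-width types as stand-ins for off_t (signed 64-bit) and size_t (unsigned 64-bit); count_oob_writes() is a hypothetical helper that walks the slide's loop and counts, instead of performing, the writes that would fall outside a table of num_entries entries.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the slide's types on LP64. Adding a signed and an
 * unsigned 64-bit value converts the signed one to unsigned, so a
 * negative pg_start becomes a huge value and the sum can wrap around
 * to a small number that passes a single upper-bound check. */
typedef int64_t  page_off_t;   /* stands in for off_t  */
typedef uint64_t page_cnt_t;   /* stands in for size_t */

/* Slide 23: only the upper bound is tested (false means -EINVAL). */
bool range_ok_vulnerable(page_off_t pg_start, page_cnt_t page_count, int num_entries) {
    if (pg_start + page_count > num_entries)
        return false;
    return true;
}

/* Slide 24: additionally reject a sum that wrapped below pg_start. */
bool range_ok_fixed(page_off_t pg_start, page_cnt_t page_count, int num_entries) {
    if ((pg_start + page_count > num_entries) ||
        (pg_start + page_count < pg_start))
        return false;
    return true;
}

/* Hypothetical helper: the slide's loop, but it only counts the
 * iterations whose offset j lies outside entries[0 .. num_entries-1]. */
uint64_t count_oob_writes(page_off_t pg_start, page_cnt_t page_count, int num_entries) {
    uint64_t oob = 0;
    page_cnt_t i;
    page_off_t j;
    for (i = 0, j = pg_start; i < page_count; i++, j++)
        if (j < 0 || j >= num_entries)
            oob++;
    return oob;
}

int main(void) {
    /* Constructed input: pg_start reads as -256 when signed, i.e. 2^64 - 256
     * when unsigned; with page_count = 512 the sum wraps to 256 < 1024. */
    page_off_t pg_start = -256;
    page_cnt_t page_count = 512;
    int num_entries = 1024;
    printf("vulnerable check accepts: %d\n", range_ok_vulnerable(pg_start, page_count, num_entries));
    printf("fixed check accepts: %d\n", range_ok_fixed(pg_start, page_count, num_entries));
    printf("writes outside the table if accepted: %llu\n",
           (unsigned long long)count_oob_writes(pg_start, page_count, num_entries));
    return 0;
}
```

With the constructed input the vulnerable check accepts the range, the fixed check rejects it, and the loop would perform 256 writes before the start of the table (offsets -256 to -1).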
