Defeating Instruction Set Randomization Nora Sovarel

1. Defeating Instruction Set Randomization Nora Sovarel

2. “the vulnerability of the decade” Known since 1998 Lots of defenses proposed Non-Executable Buffers Array Bounds checking Address Space Layout Randomization StackGuard/PointGuard Instruction Set Randomization Buffer Overflow

3. I don’t know  Maybe, lack of interest… Maybe, none of the defences is good enough… What about Instruction Set Randomization? Why is still an issue in 2004?

4. [BUFFER OVERFLOWS DEMYSTIFIED, by murat@enderunix.org] "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ; Attack String - execve

5. Instruction Set Randomization 31 ^ 12 => 23 c0 ^ ac => 6c 50 ^ 7d => 2d 68 ^ 9c => f4 2f ^ a2 => 8d 2f ^ 55 => 7a 73 ^ 38 => 4b 68 ^ cc => a4 68 ^ 31 => 59 2f ^ 0c => 23 62 ^ 7d => 1f 69 ^ 91 => f8 6e ^ 82 => ec 89 ^ ac => 25 e3 ^ 03 => e0 50 ^ bc => ec 53 ^ 90 => c3 89 ^ ac => 25 e1 ^ 7d => 9c 99 ^ 97 => 0e b0 ^ a2 => 12 0b ^ 0c => 07 cd ^ 90 => 5d 80 ^ dc => 5c

6. Code Intended to Be Executed 31 c0 xor %eax,%eax 50 push %eax 68 2f 2f 73 68 push $0x68732f2f 68 2f 62 69 6e push $0x6e69622f 89 e3 mov %esp,%ebx 50 push %eax 53 push %ebx 89 e1 mov %esp,%ecx 99 cltd b0 0b mov $0xb,%al cd 80 int $0x80 Instruction Set Randomization Code Actually Executed 23 6c 2d f4 and 0xfffffff4(%ebp,%ebp,1),%ebp 8d 7a 4b lea 0x4b(%edx),%edi a4 movsb %ds:(%esi),%es:(%edi) 59 pop %ecx 23 1f and (%edi),%ebx f8 clc ec in (%dx),%al 25 e0 ec c3 25 and $0x25c3ece0,%eax 9c pushf 0e push %cs 12 07 adc (%edi),%al 5d pop %ebp 5c pop %esp 00 00 add %al,(%eax)

7. Can the key be guessed? 32 bit key => 4,294,967,296 possibilities 32 bit key, guess 16 bits and 16 bits => 2 * 65,536 = 131,072 possibilities 32 bit key, guess 8 bits at a time => 4 * 256 = 1,024 possibilities

8. Problems [Randomized instruction set emulation to disrupt binary code injection attacks, Barrantes & all]

9. Solutions Use a 16 or 8 bits instruction Notice a good guess • Infinite loop • Normal behavior

10. Infinite Loop Use jump near – two bytes instruction Advantage • Can be used against any application with a buffer overflow vulnerability Disadvantage • Large number of possibilities

11. Normal Behavior Use ret – one byte instruction Advantage • Very fast – 256 tries at most Disadvantages • Needs a response from application • Needs special conditions to work

12. Assumptions Use TCP to connect Same randomization key for each restart or Same randomization key for all forked processes

13. Jump Attack

14. Ret Attack Instructions executed leave ; restores ebp ret ; normal return from function ret ; injected instruction

15. Results • Simple application with a buffer overflow vulnerability • ISR implementation uses the same key for each forked process • Ret attack works and guesses the key most of the times • Jump attack • Works when checks one key at each run • Unexpected behavior after a large number of tries

16. Future Work • Fix the jump attack to guess the key • Attack a real application with a buffer overflow vulnerability • Attack a real ISR implementation

17. Conclusions • Under the specified assumptions the attack is possible • x86 arhitecture helps the attacker • Infinite loops are sometimes useful