300 likes | 421 Views
Evaluating Modern Address Space Integrity Protections within the Common Criteria. Ashley Fox CSC Australia. Ashley Fox. Common Criteria Evaluator within CSC Australia’s Evaluation Facility Background in Vulnerability Assessment and Software Security. Agenda.
E N D
Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia
Ashley Fox • Common Criteria Evaluator within CSC Australia’s Evaluation Facility • Background in Vulnerability Assessment and Software Security
Agenda • Memory corruption vulnerabilities • Identification and Exploitation • Mitigations • Evaluating mitigations within the CC
Background • The Common Criteria is designed to provide a degree of Assurance within a Security Product • Assurance gained through evaluation of procedures, processes, development, implementation etc. • Evaluations generally include independent testing and penetration testing of the product
Memory Corruption Vulnerabilities • Vulnerability introduced into a product during the implementation phase • Typically affect software written in C or C++ • Generally the result of mismanagement of user input or memory allocation within a piece of software • Affects almost all product types indiscriminately • Network services • Client applications • Hardware appliances • Long time problem – Morris Worm of 1988
Memory Corruption Vulnerabilities • Several classes of memory corruption vulnerabilities • Some examples: • Stack Based buffer overflow • Heap Based buffer overflow • Format String issues • Integer Manipulation Issues • Allows an attacker to alter the state of a running process • Can alter the process to facilitate execution of code of attacker’s choosing
What do memory corruption vulnerabilities look like? • For those of you unfamiliar the next few slides show some example vulnerabilities of the types discussed previously
Software Complexity • Software is large and complex in nature • Projects may have many different developers over long periods of time • Projects may experience changes in requirements, goals, methodology over time • Assumptions change or are incorrect initially
Identifying Memory Corruption Vulnerabilities • Some vulnerabilities are very easy to identify • Some vulnerabilities hide for decades • Attackers are actively looking for these vulnerabilities • Within the realm of low attack potential? • Within the realm of an “obvious” vulnerability?
Identifying Memory Corruption Vulnerabilities • There are a few simple ways memory corruption vulnerabilities can be discovered • Source Code • “Grep” through source for dangerous function calls, strcpy etc. • Static Analysis tools – RATS, splint etc. • Automated Tools aka “fuzzers” • Tools that automate vulnerability hunting • Some are as simple as random byte generators • Others are quite complex • Many available freely on the Internet.
Constructing Exploit Code • Exploit development can be easy • Many examples to base an exploit can be found on the Internet • Generally requires • Reading public domain papers on buffer overflows etc. • Limited understanding of programming principles • Access to a debugger • Access to a compiler • Process can be as simple as: • Find input that crashes an application using a fuzzer • Use a debugger to find code and data within a process memory space • Take an exploit off the Internet and modify it to suit
Challenges with Memory Corruption Vulnerabilities • An attacker only needs to find one memory corruption vulnerability to be successful • Defenders need to eradicate or mitigate them all • Developer awareness is increasing • Arguably attacker awareness is increasing faster • Modern languages such as Java and C# make memory management significantly easier • There is a lot of code written in C and C++
Defense in Depth • A defense in depth strategy is needed to mitigate this risk • It’s proven extremely difficult to eradicate these problems from our source trees completely • Developers make mistakes like everybody else • Several defenses have been researched and implemented • The two investigated in this presentation are: • Address Space Layout Randomisation • Stack and Heap cookies
Address Space Layout Randomisation • Exploiting a memory corruption vulnerability usually requires knowledge of how a process exists in memory • In order to hijack a process an attacker must know the location in memory of code to execute • Address Space Layout Randomisation exploits this requirement and randomises the locations of code and data in memory
Address Space Layout Randomisation • In order to redirect execution flow an attacker must be able to find somewhere beneficial to redirect to • Failed attempts generally result in an application crash • Reduced risk of exploitation • Developing an exploit still within the realm of low attack potential? I would argue not
Stack and Heap Cookies • Protect important metadata within an application’s address space • Place a randomly generated value in front of important metadata • Before using the metadata the random value is checked to see if it has been altered • The process is terminated before the metadata is used if it has been altered
Stack and Heap Cookies • In order to overflow metadata an attacker is required to successfully predict the value of a cookie • Failed attempts generally result in program termination • Reduced risk of exploitation • Again we are moving outside the realm of low attack potential
Implementation • Several major vendors have implemented these mitigations • Open Source and Commercial Implementations • These features exist in COTS software
Implementations • Heap Protections • Windows XP SP2 • Windows Vista • GNU Lib C • Stack Protections • Stack Guard • GCC ProPolice / Stack-Smashing Protector (SSP) • Visual Studio • Address Space Layout Randomisation • Windows Vista • GRSecurity/PAX (3rd Party Linux kernel patch) • Exec-shield • OpenBSD
Evaluation of Mitigation Technologies • How do we evaluate these technologies? • First we must note several aspects of their implementation • The mechanisms are there to provide attack resistance not immunity (although they may render some vulnerabilities unexploitable this can never be guaranteed) • Both are inherently probabilistic in nature • There are solid metrics we can use in comparison of implementations (Number of bits of entropy, source of entropy etc.) • There are several works in the literature providing analysis of the effectiveness of these mechanisms • These mechanisms can be described in terms of Security Functional Requirements • The functions require a Strength of Function claim
Mitigation Technologies – SFRs or SARs ? • Two approaches to evaluating the technologies • SAR • Evaluate the functionality as a development methodology and tool aka ALC_TAT • SFR • Evaluate the functionality as a security functional requirement, eg an explicit requirement similar to those in the FPT class • I favor the SFR approach • Means other products can use the functionality in the form of an environmental SFR • Strength of Function claims made for the SFR
Example Security Functional Requirements • The TSF shall provide [assignment: number of bits ] bits of entropy of address space layout randomization for [selection: heap, stack, text] addresses. • The TSF shall generate [selection: stack, heap, other] protection cookies with [assignment: number of bits] bits of entropy.
Assumptions for usage • Like all security features these techniques can be used correctly and incorrectly • Several attacks and weaknesses discovered when techniques are used in a certain way • Assumptions would obviously need to be clearly defined within the Security Target
Conclusion • Common Criteria allows vendors to make claims regarding the security attributes of their products that can be independently verified • Common Criteria allows consumers to make an informed decision when comparing and selecting similar products • Address Space Integrity Protection Mechanisms are finding their way into commodity products • It is advantageous for both developers and consumers to have these features evaluated
White Paper • This presentation is based on a white paper produced within our Evaluation Lab • If you are interested come up and speak to me • Alternatively email me (address is on the next slide)
Questions, Comments, Thoughts, Suggestions? • Information on CSC Evaluations and Pre-Evaluation Consultation Services – aisef@csc.com • Feel free to email me – ashley.fox@csc.com • Thanks for listening!