Overview
• Firefox exploit
  • Code injection using buggy JavaScript interpreter
  • JavaScript code exploiting the bug
  • The bug in C++
  • The bug in assembly code
• Instrumentation: Finding values
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
DARPA AC MIT Site Visit
Remote Code Execution Exploit
[Diagram: an html page loads the JavaScript]
From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
April 10, 2007
JavaScript Exploit Code
    // spray payload
    memory = new Array();
    for (i=0;i<heapBlocks;i++)
        // Insert x86 instructions for calling shell code.
        memory[i]= …;
    // Invoke injected code
    InstallTrigger.install.call(0x9800000, "a", "a");
JavaScript Interpreter (C++ code)
    // getting C++ object from JavaScript object
    nsIDOMInstallTriggerGlobal *nativeThis =
        (nsIDOMInstallTriggerGlobal*)JS_GetPrivate(cx, obj);
    // bug: doesn't check the type of nativeThis
    nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point
Disassembled Code
    nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point
    push ecx
    push 1
    push dword ptr [ebp-10h]
    push ebx
    call dword ptr [eax+0Ch]    // ptr[eax+0Ch] is the method address
Overview
• Firefox exploit
• Instrumentation: Finding values
  • Register and memory values, jumps, calls, and returns
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
Instrumentation
• To find invariants without source code or debug symbol access
• Captures important values
• Finding exploit root causes is challenging
  • Currently, the locations to instrument are selected manually
  • Memory firewall (Determina) may help to locate them
Binary Variable Examples
• Binary variable: a variable in machine (binary) code
  • Name: instruction address and register name
  • Value: value of register or reference
    mov dword ptr [ebp-34h],esi
    mov eax,dword ptr [ebx]
    push ecx
x86 Instrumentation Output
    mov dword ptr [ebp-34h],esi
    mov eax,dword ptr [ebx]
    push ecx
Instrumentation output (address, BV = binary variable, value):
    xpinstal.dll:0xa111 BV esi 0x00000000
    xpinstal.dll:0xa114 BV ebx 0x01f13bcc
    xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
    xpinstal.dll:0xa116 BV ecx 0x0012ecf4
Output for Firefox Normal Runs
    call dword ptr [eax+0Ch]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
Normal vs. Exploit Runs
• Normal run
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
• Exploit run
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x1200002c
Overview
• Firefox exploit
• Instrumentation: Finding values
• Daikon: Finding invariants
  • Grouping values into basic blocks
  • Grouping basic blocks into program points
  • Finding invariants among variables in a program point
• LiveShield: Enforcing invariants
Grouping values into basic blocks
Trace columns: Thread | Address (dll+offset) | opcode (BV = Binary Variable) | value
    ...
    -- basic block --
    1588 xpinstal.dll:0x5ebe BV esp 0x0012df20
    1588 xpinstal.dll:0x5ebe ICALL ret xpinstal.dll:0x5ec1
    -- basic block --
         xpinstal.dll:0x5ecf BV esp 0x0012df1c
    1588 xpinstal.dll:0x5ecf BV [4+esp] 0x1e78e98
    ...
    1588 xpinstal.dll:0x5ed9 BV [0+esp] 0x60045ec1
         xpinstal.dll:0x5ed9 RET to xpinstal.dll:0x5ec1
    -- basic block --
         xpinstal.dll:0x5ec1 BV eax 0x00000002
    ...
Grouping basic blocks into program points
• You might need variables from previous basic blocks to find the right invariant
• For example:
    char* p = …;
    while (*p) { … }
    Some.dll:0x1bb1d  mov eax, …
    Some.dll:0x1bccc  mov …, [eax]
• The right invariant might be:
  • The size of the buffer is less than 256:
    eax@Some.dll:0x1bccc - eax@Some.dll:0x1bb1d < 256
Algorithm to create Daikon input
• Partition the basic blocks into functions
• Build a control-flow graph for each function
• Calculate dominators
• The program point of each basic block includes the binary variables in its dominators
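To make the four steps concrete, here is an added Python example (not code from the slides, Daikon or Determina) that takes one already-partitioned function as a small constructed control-flow graph, computes dominators with the standard iterative data-flow method, and builds each basic block's program point from the binary variables of its dominators. Block addresses, successors and variable names are hypothetical; they only follow the slides' "register@dll:offset" naming and the Some.dll:0x1bb1d / Some.dll:0x1bccc pair from the previous slide.

```python
from collections import defaultdict

# Constructed toy function: basic blocks keyed by their start address, each with
# its successor blocks and the binary variables captured in it. The graph has a
# diamond (0x1bb40 / 0x1bb60) and a loop back edge (0x1bccc -> 0x1bb1d).
# All addresses and variable names are hypothetical.
BLOCKS = {
    "Some.dll:0x1bb00": {"succ": ["Some.dll:0x1bb1d"], "vars": ["esp@Some.dll:0x1bb00"]},
    "Some.dll:0x1bb1d": {"succ": ["Some.dll:0x1bb40", "Some.dll:0x1bb60"], "vars": ["eax@Some.dll:0x1bb1d"]},
    "Some.dll:0x1bb40": {"succ": ["Some.dll:0x1bccc"], "vars": ["ecx@Some.dll:0x1bb40"]},
    "Some.dll:0x1bb60": {"succ": ["Some.dll:0x1bccc"], "vars": ["edx@Some.dll:0x1bb60"]},
    "Some.dll:0x1bccc": {"succ": ["Some.dll:0x1bb1d", "Some.dll:0x1bd00"], "vars": ["eax@Some.dll:0x1bccc"]},
    "Some.dll:0x1bd00": {"succ": [], "vars": ["eax@Some.dll:0x1bd00"]},
}
ENTRY = "Some.dll:0x1bb00"


def dominators(blocks, entry):
    """Dominator sets by iteration to a fixed point:
    dom(entry) = {entry}; dom(n) = {n} | intersection of dom(p) over predecessors p."""
    preds = defaultdict(set)
    for b, info in blocks.items():
        for s in info["succ"]:
            preds[s].add(b)
    every = set(blocks)
    dom = {b: set(every) for b in blocks}   # optimistic start: everything dominates
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in blocks:
            if b == entry:
                continue
            new = {b}
            if preds[b]:
                new |= set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b] = new
                changed = True
    return dom


def program_points(blocks, entry):
    """A block's program point is the binary variables of the block itself plus
    those of every block that dominates it, i.e. blocks guaranteed to have run
    before it. Blocks on only some paths (the diamond arms) are left out, so
    the invariant never refers to a variable that may not have been captured."""
    dom = dominators(blocks, entry)
    ppts = {}
    for b in blocks:
        # The dominators of b form a chain; ordering by dominator-set size
        # lists them entry-first.
        chain = sorted(dom[b], key=lambda d: len(dom[d]))
        ppts[b] = [v for d in chain for v in blocks[d]["vars"]]
    return ppts


if __name__ == "__main__":
    for block, variables in program_points(BLOCKS, ENTRY).items():
        print(f"{block}: {', '.join(variables)}")
```

For the block at Some.dll:0x1bccc the program point contains eax@Some.dll:0x1bb1d but not ecx@Some.dll:0x1bb40 or edx@Some.dll:0x1bb60, so Daikon can relate the two eax values as on the previous slide without ever seeing a sample where one of them is missing.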
Invariant for Firefox Exploit
Buggy code:
    xpinstal.dll:0xa11d call [eax+0Ch]
    xpinstal.dll:0xa120 cmp …
Invariant:
    [eax+0Ch]@xpinstal.dll:0xa11d == 0x6004592d
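The path from the instrumentation output (x86 Instrumentation Output, Normal vs. Exploit Runs) to the invariant on this slide, as an added Python example that is not part of the slides and not Daikon's own code: it parses trace lines in the "address BV variable value" format shown earlier, infers the two simplest Daikon-style invariants over each binary variable ("== constant" when only one value was seen, "one of {...}" for a handful of values) from the normal runs, and reports the exploit-run sample that invalidates one of them. The two [eax+0Ch] values are the ones on the slides; the other trace lines, and the second run's ebx/ecx values, are constructed.

```python
import re
from collections import defaultdict

# Constructed trace lines in the slides' x86 instrumentation format:
# "<dll>:<offset> BV <variable> <hex value>". Two normal runs of the
# InstallTrigger call path, then one exploit run. The [eax+0Ch] values are
# the ones shown on the slides; everything else is made up for the example.
NORMAL_RUNS = """\
xpinstal.dll:0xa111 BV esi 0x00000000
xpinstal.dll:0xa114 BV ebx 0x01f13bcc
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa116 BV ecx 0x0012ecf4
xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
[…]
xpinstal.dll:0xa111 BV esi 0x00000000
xpinstal.dll:0xa114 BV ebx 0x01f2a0d0
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa116 BV ecx 0x0012ed10
xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
"""

EXPLOIT_RUN = """\
xpinstal.dll:0xa111 BV esi 0x00000000
xpinstal.dll:0xa114 BV ebx 0x01f13bcc
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa116 BV ecx 0x0012ecf4
xpinstal.dll:0xa11d BV [eax+0Ch] 0x1200002c
"""

LINE_RE = re.compile(r"^(\S+:0x[0-9a-fA-F]+) BV (\S+) (0x[0-9a-fA-F]+)$")


def parse_trace(text):
    """Yield (binary variable, value) pairs; the variable is named
    'register-or-reference@dll:offset' as on the slides. Non-BV lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, var, val = m.groups()
            yield f"{var}@{addr}", int(val, 16)


def infer_invariants(text, max_one_of=3):
    """Collect the value set of each binary variable over the normal runs and
    turn it into an invariant: ('==', {c}) for a single value, ('one of', vals)
    for up to max_one_of distinct values, nothing for anything more variable."""
    seen = defaultdict(set)
    for name, val in parse_trace(text):
        seen[name].add(val)
    invariants = {}
    for name, vals in seen.items():
        if len(vals) == 1:
            invariants[name] = ("==", vals)
        elif len(vals) <= max_one_of:
            invariants[name] = ("one of", vals)
    return invariants


def format_invariant(name, inv):
    op, vals = inv
    if op == "==":
        return f"{name} == {hex(next(iter(vals)))}"
    return f"{name} one of {{ {', '.join(hex(v) for v in sorted(vals))} }}"


def check_run(invariants, text):
    """Replay a trace against the invariants; return (variable, value) for every
    sample that falls outside its invariant's value set."""
    return [(name, val) for name, val in parse_trace(text)
            if name in invariants and val not in invariants[name][1]]


if __name__ == "__main__":
    invs = infer_invariants(NORMAL_RUNS)
    for name in sorted(invs):
        print(format_invariant(name, invs[name]))
    for name, val in check_run(invs, EXPLOIT_RUN):
        print(f"Invariant on {name} invalidated by sample {name}={hex(val)}")
```

Two runs are far too few for the "one of" invariants on ebx and ecx to mean anything; they would fire on the next normal run with a different stack layout, which is the false-positive problem the Daikon output at the end of the deck quantifies. The useful invariant is the one on [eax+0Ch]@xpinstal.dll:0xa11d, the vtable slot the indirect call reads, and it is exactly what the LiveShield detector on a later slide checks.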
Overview
• Firefox exploit
• Instrumentation: Finding values
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
  • Code in C that is woven into the application when loaded into the code cache
  • Determina's product
  • Distributed and managed in the central controller
LiveShield for Firefox Exploit
LiveShield patch description (applied before the push sequence at 0xa116; the protector resumes at 0xa120, after the call):
    <file name="xpinstal.dll"/>
    <patch offset="0xa116">
        <function type="detector" name="ff_detector"/>
        <function type="protector" name="ff_protector" return="0xa120"/>
    </patch>
LiveShield detector (checks the invariant on the method address the call will read):
    hotp_exec_status_t ff_detector(const hotp_context_t *hotp_context)
    {
        // [eax+0Ch] must be the legitimate UpdateEnabled address seen in normal runs
        if (POI(EAX+0xC) != 0x6004592d)
            return HOTP_EXEC_EXPLOIT_DETECTED | HOTP_EXEC_LOG_EVENT;
        return HOTP_EXEC_EXPLOIT_NOT_DETECTED;
    }
LiveShield protector (skips the indirect call by transferring control to the patch's return offset):
    hotp_exec_status_t ff_protector(hotp_context_t *hotp_context)
    {
        UNREFERENCED_PARAMETER(hotp_context);
        return HOTP_EXEC_CHANGE_CONTROL_FLOW | HOTP_EXEC_LOG_EVENT;
    }
Demo
• Run the Firefox exploit
• Turn on a previously generated LiveShield
• Run the Firefox exploit again on a different community workstation
Firefox Exploits
IE Exploits
IE exploit – Illegal function call
• Exactly like the Firefox exploit
• Same fix: skip the call
    <body onLoad="window();">
    jscript.dll:75c5f429 call [ecx+0x8]
IE exploit – buffer overflow
    <object type="////…/////AAAAAAAAAAAAAAAA"/>
• String is checked for proper buffer size
• Then '/' is changed into '_/_'
    761240CE lea eax, [ebp+0x104]
    ...
    761240E1 mov [eax], 5Fh
    761240E4 inc eax
    ...
• Invariant: eax <= (ebp+0x104)+242
• Fix: if (eax > (ebp+0x104)+242) eax = (ebp+0x104)+242
Current Protection Process
• For example: Vista bug ms06-17
• Determina creates a LiveShield
  • Knowledge and labor intensive, tedious
• Dec 20: Microsoft informed
• Mar 27: attack in the wild
• Apr 3: Microsoft develops a patch
• Patch is deployed in the community
Application Community Protection Process
• Application Community learns
• Exploit deployed by blackhats
• Exploit automatically recognized
• Patch automatically generated
• 0-day exploit → 0-day patch
Summary
• Instrumentation: Finding values
  • Register and memory values, jumps, calls, and returns
• Daikon: Finding invariants
  • Grouping values into program points
• LiveShield: Enforcing invariants
  • Code in C that is woven into the application
• Real exploits: 4 in Firefox, 5 in IE
End
• Any questions?
Event handlers – buffer overflow
    <foo onclick=foo onclick=foo … >
    748D94CF mov ecx, [eax+45Ch]
• Invariant: eax+0x45C <= 93
• Fix: if (eax+0x45C > 93) eax = 93
isComponentInstalled – buffer overflow
    obj.isComponentInstalled("…")
    lstrcatA(&subkey_buf, clsid);
• Invariant: strlen(clsid) <= 93
• Fix: if (eax+0x45C > 93) eax = 93
IE VML – buffer overflow
    <html xmlns:v="urn:schemas-microsoft-com:vml">
    <head>
      <title>IE VML crash</title>
      <style> v\:* { behavior: url(#default#VML); } </style>
    </head>
    <body>
      <v:rect style="width:20pt;height:20pt" fillcolor="red">
        <v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
      </v:rect>
    </body>
    </html>
Strechbelt – Denial of Service
    <img src="1000x1000.png" width="41943034" height="41943034">
• Fix:
    if (width > MAX_WIDTH) width = MAX_WIDTH;
    if (height > MAX_HEIGHT) height = MAX_HEIGHT;
False positives: 2218 out of 41360 invariants, which is 5.36%
Example Daikon output for one program point:
    BB-xpinstal.dll_0xbe86-InFunction-xpinstal.dll_0x19818:::
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 - xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87 + 4 == 0
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87
Invariant invalidation reported on the exploit trace:
    At ppt BB-xpinstal.dll_0xa10b-InFunction-xpinstal.dll_0x1b9f6:::, Invariant 'xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d one of { 301989932, 1610897709 }' invalidated by sample xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d=301989932: at line 13720 in file ff_exploit.dtrace.gz
Application Communities (MIT CSAIL, Determina)