Transcript pptx
Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew Bernat, and Bill Williams Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Threat Model o Attack goal: effect some malicious intent by hijacking program control flow o Historically, accomplished via code injection process address space stack heap injected shellcode code entry point Detecting Code Reuse Attacks Using Dyninst Components 2 Threat Model o W X prevents code injection process address space o Alternative: construct an exploit using code that already exists within the program’s address space stack heap injected shellcode code entry point “code reuse attacks” Detecting Code Reuse Attacks Using Dyninst Components 3 Anatomy of a Code Reuse Attack code 08 27 c0 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 40 fd 2f d2 f0 80 57 0c 5b b9 d2 2d 89 af b6 95 51 02 7a 08 40 73 xchg 1c 88 f2 64 32 fdiv e7 c2 16 jmp 84 02 1c b0 18 b5 77 0e 20 add 27 c0 73 0c jmp b6 f2 48 6a d8 6a d0 56 4b %eax,%ecx f5 07 b6 66 21 0c 85 %st(3),%st 90 14 8a 14 26 60 d9 *-0xf(%esi) 22 8e 63 01 de a2 87 f1 b1 fb bb 1f 67 83 e9 3d e0 09 e8 68 c0 %edi,%ebp 1c 88 48 6a d8 6a d0 *-0x39(%ebp) 64 32 f5 07 b6 66 21 2b 37 07 42 79 fe a5 c0 d0 21 26 de 1f 37 07 42 20 1b 51 3d 5e 92 94 45 56 0c 60 a2 67 1b 51 3d fd 2f d2 f0 80 57 2b be 4b 85 d9 87 83 2f d2 f0 5b 95 e7 c2 16 90 14 8a 14 26 60 b9 51 84 02 1c 22 8e 63 01 de a2 0xc(%esi),%eax d2 mov 02 b0 18 b5 f1 b1 fb bb 1f 67 2d mov 7a 77 0e 20 e9 3d e0 09 e8 68 %eax,(%esp) 89 call 08 27 c0 73 1c 88 48 6a d8 6a *0x4(%esi) af 40 0c b6 f2 64 32 f5 07 b6 66 20 fd 5b 95 7a 77 0e 20 e9 3d e0 79 add 5e 80 89 08 27 c0 73 1c 88 48 %edi,%ebp fe 92 57 af 40 0c b6 f2 64 32 f5 jmp *-0x39(%ebp) a5 94 2b 20 fd 5b 95 e7 c2 16 90 83 a1 37 1b 2f b9 51 84 02 1c 22 ad f3 07 51 d2 d2 02 b0 18 b5 f1 sysenter c0 30 e7 c2 16 90 14 8a 14 26 60 b9 …51 84 02 1c 22 8e 63 01 de a2 d2 pop 02 b0%ebx 18 b5 f1 b1 fb bb 1f 67 2d 7a 77 0e 20 e9 3d e0 09 e8 68 fe a5 83 ad c0 45 56 0c 92 94 a1 f3 30 be 4b 85 57 2b 37 07 42 79 fe a5 af 20 1b 51 3d 5e 92 94 d9 87 83 c0 d0 21 09 6a 07 14 8e b1 d9 87 83 c0 83 ad c0 45 56 0c e8 d8 b6 8a 63 fb 83 ad c0 45 a1 f3 30 be 4b 85 68 6a 66 14 01 bb a1 f3 30 be Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Usually a short attack with the goal of escaping the confining W X environment exec(“/bin/sh”) Detecting Code Reuse Attacks Using Dyninst Components 4 Anatomy of a Code Reuse Attack process address space stack stack heap process address space injected shellcode heap code code entry point entry point xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add jmp %edi,%ebp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add jmp %edi,%ebp *-0x39(%ebp) sysenter … pop %ebx code injection attack code reuse attack Detecting Code Reuse Attacks Using Dyninst Components 5 Previous Code Reuse Attack Defenses o Detect using heuristics based on attack behaviors [Chen et al. 2009,2010], [Davi et al. 2011], [Huang et al. 2012], [Kayaalp et al. 2012] o Enforce control flow integrity at runtime [Abadi et al. 2009], [Bletsch et al. 2011], [Zhang et al. 2013] In the next talk,Tugrul will talk about another interesting defense technique. Detecting Code Reuse Attacks Using Dyninst Components 6 Our Approach o Define conformant program execution (CPE) as a set of requirements on program states o Valid program counter o Valid callstack o Enforce CPE by monitoring program at runtime Detecting Code Reuse Attacks Using Dyninst Components 7 Model Component #1 Valid program counter (PC): PC must point to instruction in the original program PC 0xb7fe3424 b7fe3424: b7fe3425: b7fe3426: b7fe3427: pop %ebp pop %edx pop %ecx ret Detecting Code Reuse Attacks Using Dyninst Components CFG 8 Model Component #2 Valid callstack: For each frame: 1. frame must have valid stack frame height 2. (caller current frame) must represent a valid control flow transfer in the program … bffff67c foo … stack pointer bffff524 b7fcdff4 b7f45d43 caller frame: foo bffff544 b7fcdff4 bffff510 current stack frame: height bar callstack push %ecx push %edx push %ebp mov %esp, %ebp sysenter pop %ebp … bar Detecting Code Reuse Attacks Using Dyninst Components CFG 9 Program Validation Design decision: when do we validate? o Option 1: At all instructions o “Conformant program execution” o Disadvantage: inefficient o Option 2: At system calls o “Observed conformant program execution”(OCPE) o Effective because attacks must use the system call interface to modify overall machine state Detecting Code Reuse Attacks Using Dyninst Components 10 ROPStop Implementation ROPStop running process or binary Initialization 1. Attach to running process or launch new process from binary 2. Parse program binary ProcControlAPI A Dyninst Component ParseAPI A Dyninst Component 3. Register callbacks at system calls 4. Continue process At each system call 1. Validate current program counter InstructionAPI A Dyninst Component StackwalkerAPI A Dyninst Component 2. Perform robust stackwalk and validate the current callstack DataflowAPI A Dyninst Component Detecting Code Reuse Attacks Using Dyninst Components 11 Evaluation Accuracy Overhead Real code reuse attacks SPEC CPU2006 SPEC CPU2006 Detecting Code Reuse Attacks Using Dyninst Components 12 Results: Real Code Reuse Attacks Exploit Type Detected Detection Component Why Invalid? 17286(a) ROP ✓ Invalid stack frame height Overwritten return address 17286(b) ROP ✓ Invalid stack frame height Overwritten return address Rsync ROP ✓ Invalid stack frame height Overwritten return address Bletsch JOP ✓ Invalid stack frame height Gadget executing Stack-smash Stack-smash ✓ Invalid stack frame height Overwritten return address 100% accuracy using real ROP and JOP exploits Detecting Code Reuse Attacks Using Dyninst Components 13 Results: SPEC CPU2006 Overhead 20% 15% 10% 5% 0% 100% accuracy (0 false positives), 5.42% overhead (geometric mean) Detecting Code Reuse Attacks Using Dyninst Components 14 Open Questions o Data-driven attacks (orthogonal type of attack) [Chen et al. 2005], [Demay et al. 2011] o Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006], [Wagner and Soto 2002] Detecting Code Reuse Attacks Using Dyninst Components 15 Conclusion o We defined conformant program execution and an efficient approximation, observed conformant program execution o We built a tool to enforce OCPE, ROPStop, on top of Dyninst components Detecting Code Reuse Attacks Using Dyninst Components 16 Questions? o For more details, our paper is available at: ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson13ROPStop.pdf o Come see the demo on Tuesday Detecting Code Reuse Attacks Using Dyninst Components 17