2016.6.21 related work: code reuse attacks
How to Explore Code Reuse to Construct a Turing Machine
https://www.quora.com/What-exactly-is-Turings-Automatic-Computing-Engine
The Turing Machine
• Finite state machine
• Read head
• Program
For Example: Return-Oriented Programming
[Figure: virtual memory, high to low addresses: heap; code region holding "ADD gadget; ret" and "LOAD gadget; ret"; stack holding "ADD gadget addr" and "LOAD gadget addr", with SP pointing into it]
• Finite state machine: SP (read head) + ret
• Program: LOAD gadget, ret
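The slide's analogy (stack = tape, SP = read head, each gadget = a state, `ret` = the transition) as an added, constructed toy model; this is not code from the talk or from any cited paper. The gadget addresses, the two gadget semantics (`LOAD` = `pop eax; ret`, `ADD` = `pop ebx; add eax, ebx; ret`) and the `HALT` sentinel are all assumptions made for the illustration, and no machine code runs: the "code" region is a Python dict.

```python
"""Toy 'ROP as a Turing machine' model (constructed example, not real code).

The chain on the stack is the program, SP walks it like a read head,
and every gadget ends in `ret`, which pops the next 'state' into EIP.
"""
from typing import Callable, Dict, List, Tuple

Regs = Dict[str, int]          # tiny register file for the toy machine
Gadget = Callable[[Regs, List[int]], None]


def gadget_load(regs: Regs, stack: List[int]) -> None:
    """LOAD gadget, modelled as `pop eax ; ret`: reads one operand from the tape."""
    regs["eax"] = stack[regs["sp"]]
    regs["sp"] += 1


def gadget_add(regs: Regs, stack: List[int]) -> None:
    """ADD gadget, modelled as `pop ebx ; add eax, ebx ; ret`."""
    regs["ebx"] = stack[regs["sp"]]
    regs["sp"] += 1
    regs["eax"] = (regs["eax"] + regs["ebx"]) & 0xFFFFFFFF


# "Code" region: the addresses are arbitrary constructed values (assumption).
CODE: Dict[int, Gadget] = {
    0x0804_1000: gadget_load,
    0x0804_2000: gadget_add,
}
HALT = 0xDEADBEEF   # constructed sentinel 'return address' that ends the chain


def run_chain(stack: List[int]) -> Tuple[int, List[str]]:
    """The finite-state machine of the slide.

    `ret` is modelled as 'EIP = *SP; SP += 1'.  The loop only ever decides
    what to do next by reading the tape under SP, which is exactly why a
    chain of gadget addresses on the stack behaves like a program.
    Returns the final EAX and the sequence of gadgets (states) visited.
    """
    regs: Regs = {"eax": 0, "ebx": 0, "sp": 0, "eip": 0}
    trace: List[str] = []
    while True:
        regs["eip"] = stack[regs["sp"]]   # the transition: pop the next gadget address
        regs["sp"] += 1
        if regs["eip"] == HALT:
            break
        gadget = CODE.get(regs["eip"])
        if gadget is None:                # tape points outside the code region
            raise ValueError(f"not a gadget: {regs['eip']:#x}")
        trace.append(gadget.__name__)
        gadget(regs, stack)               # the gadget consumes its operands, then 'rets'
    return regs["eax"], trace


if __name__ == "__main__":
    # Tape: LOAD 3 ; ADD 4 ; ADD 5 ; HALT  (constructed chain)
    tape = [0x0804_1000, 3, 0x0804_2000, 4, 0x0804_2000, 5, HALT]
    print(run_chain(tape))   # (12, ['gadget_load', 'gadget_add', 'gadget_add'])
```

The point the model makes is the one the slide makes: nothing on the tape is executed, it is only read, so defences that check the integrity of return addresses (shadow stacks, `ret` integrity) are attacking the read head, not the program.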
For Simplicity, Code Reuse Attack Using ROP
László Szekeres et al., “Eternal War in Memory”
Not only stack overflow and use-after-free
ROP
SMEP is not drawn in the figure
Modify a Code Pointer …
• Code pointer
  – Stack overflow modifies EIP. Once a ret instruction is used, the execution flow is redirected.
  – Heap overflow modifies a function pointer with an address that points to a stack pivot gadget. Once the overwritten function pointer is used by the application, the execution flow is redirected.
  – Enrique Nissim et al., “Windows SMEP Bypass U=S” (!)
  – …
Just-In-Time ROP
Kevin Z. Snow et al., “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”
[Figure: ROP under ASLR. ROP semantics (Load/Store/…) → automatically find ROP gadgets → ROP compiler → just-in-time ROP compiler bypassing ASLR]
Initial code pointer
A stack overflow or similar is still needed to execute the ROP payload
[Figure: Attacker and Victim connected over the network; the initial code pointer is leaked/obtained from the victim]
Supplementary note from kuku
Researches on Code Reuse Attacks to Break Defenses
• The different FSMs
• The different gadgets
Code Reuse Attacks
• Jump-oriented programming
• Loop-oriented programming
• Interrupt-oriented programming
• Data-oriented programming
• …
Jump-oriented Programming
Tyler Bletsch et al., “Jump-Oriented Programming: A New Class of Code-Reuse Attack”
• Bypassing ret integrity
• Stackless
Loop-oriented (call-ret-pairing) Programming
• Bypassing CFI and shadow stack
Interrupt-oriented Programming
Samuel Junjie Tan et al., “Interrupt-oriented Bugdoor Programming: A minimalist approach to bugdooring embedded systems firmware”
IOP Setup
Timings are precise enough
The table is from László Szekeres et al., “Eternal War in Memory”
Data-oriented programming
Assume the data address is known
Data-oriented Exploit
Hong Hu et al., “Automatic Generation of Data-Oriented Exploits”
Data-oriented Exploit is Turing-complete
Hong Hu et al., “Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks”
• The data consumed by the interpreter is inherently under the remote attacker’s control
• For example, all local variables are under the control of attackers using stack overflow
The Concept of Data-oriented Programming
Vulnerable FTP server with data-oriented gadgets
Data-oriented Programming
A data-oriented gadget simulates three logical micro-operations:
• the load micro-operation
• the intended virtual operation’s semantics
• the store micro-operation
The Evil interpreter
data-oriented gadget of assignment operation
Using DOP to compute 74 + 612
Round 1
*type is corrupted to a value that is neither NONE nor STREAM; assume *type = 74. Assume srv is corrupted so that srv + 0x8 (srv->type) equals size. Then when the assignment gadget runs, *size = 74, and running the addition gadget is meaningless.
The Evil interpreter
Round 2
*type is corrupted to a value that is neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted to srv – 0x4, so that srv – 0x4 + 0x8 (srv->type) equals srv + 0x4 (srv->total). Then when the assignment gadget runs, srv->total = 612, and running the addition gadget is meaningless.
The Evil interpreter
Round 3
*type is corrupted to a value that is neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted to (srv – 0x4) + 0x4. Then running the assignment gadget is meaningless, while running the addition gadget stores 612 + 74 to srv->total.
The Evil interpreter
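The three rounds above, replayed on an abstract memory model as an added example; this is constructed code, not the FTP server from Hu et al. or anything shipped with the talk. The addresses (`BUF`, `SRV`), the sentinel values of `NONE`/`STREAM`, the struct layout (`cur_max` at +0, `total` at +4, `type` at +8, which is what "srv + 0x4 (srv->total)" and "srv + 0x8 (srv->type)" on the slides imply) and the shape of the dispatcher loop are assumptions made to follow the transcript. Memory corruption is modelled by writing the attacker-chosen `*type` and `srv` values into the model's memory before each trip through the loop; nothing here overflows anything.

```python
"""Abstract-memory replay of the DOP 'evil interpreter' rounds (constructed example).

Each round runs the same benign dispatcher; only data (*type, *size and the
pointer srv) is influenced, never a code pointer.  Three rounds of the
assignment and addition gadgets add two numbers into srv->total.
"""
from collections import defaultdict
from typing import DefaultDict, List, Tuple

NONE, STREAM = 0, 1                 # assumed sentinel values for *type
BUF = 0x1000                        # assumed address of the input buffer
SIZE = BUF + 8                      # size = &buf[8]   (assumption)
TYPE = BUF + 12                     # type = &buf[12]  (assumption)
SRV = 0x2000                        # assumed address of the server struct
OFF_CUR_MAX, OFF_TOTAL, OFF_TYPE = 0, 4, 8   # layout implied by srv+0x4 / srv+0x8

Memory = DefaultDict[int, int]      # word-addressed memory; unset words read as 0


def dispatch(mem: Memory, srv: int) -> str:
    """One trip through the dispatcher loop (assumed shape, modelled on the slides).

    Every branch is legitimate program logic.  The assignment gadget
    (srv->type = *type) and the addition gadget (srv->total += *size) both
    run on the non-NONE, non-STREAM path; which memory they touch depends
    entirely on the value of srv.  Returns the branch taken.
    """
    t = mem[TYPE]
    if t == NONE:
        return "none"
    if t == STREAM:
        mem[SIZE] = mem[mem[srv + OFF_CUR_MAX]]          # *size = *(srv->cur_max)
        return "stream"
    mem[srv + OFF_TYPE] = t                               # assignment gadget
    mem[srv + OFF_TOTAL] = (mem[srv + OFF_TOTAL] + mem[SIZE]) & 0xFFFFFFFF  # addition gadget
    return "else"


def run_dop_addition(a: int, b: int) -> Tuple[int, List[str]]:
    """Replay rounds 1-3 of the slides for arbitrary a, b (the slides use 74, 612).

    Round 1: srv' = size - 8, so srv'->type aliases *size  -> *size = a
    Round 2: srv' = srv - 4, so srv'->type aliases srv->total -> srv->total = b
    Round 3: srv' = srv, so the addition gadget does srv->total += *size -> b + a
    Returns (srv->total, branch taken in each round).
    """
    mem: Memory = defaultdict(int)
    rounds = [
        (a, SIZE - OFF_TYPE),   # round 1: corrupt *type = a, srv = size - 0x8
        (b, SRV - 4),           # round 2: corrupt *type = b, srv = srv - 0x4
        (b, SRV),               # round 3: *type = b, srv restored to srv
    ]
    branches: List[str] = []
    for type_val, srv_val in rounds:
        mem[TYPE] = type_val    # models the attacker's input landing in buf
        branches.append(dispatch(mem, srv_val))
    return mem[SRV + OFF_TOTAL], branches


if __name__ == "__main__":
    print(run_dop_addition(74, 612))   # (686, ['else', 'else', 'else'])
```

Two things a defender should take from the replay: all three rounds exercise the same legitimate branch, so a control-flow check (CFI, shadow stack) sees a perfectly valid execution, and the only things that changed between a benign run and this one are the contents of `buf` and the value of `srv`. The mitigation therefore has to sit on the data: a bounds check on the read into `buf` removes the attacker's control of `*type`/`*size`, and integrity protection for the `srv` pointer removes the aliasing that turns the two gadgets into an adder.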
Reference
• https://www.trust.cased.de/fileadmin/user_upload/Group_TRUST/PubsPDF/blackhat-2013-jitrop.pdf
• http://www.ieee-security.org/TC/SP2013/papers/4977a574.pdf
• https://nebelwelt.net/publications/files/14SP.pdf
• https://www.csc.ncsu.edu/faculty/jiang/pubs/ASIACCS11.pdf
• http://tcipg.org/sites/default/files/papers/2014_q3_tfs1.pdf
• https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_hu_0.pdf
• http://huhong-nus.github.io/advanced-DOP/
• https://www.ics.uci.edu/~perl/keynote_sadeghi_runtime_exploits.pdf