branch regulation: low-overhead protection from code reuse attacks mehmet kayaalp, meltem ozsoy,...
TRANSCRIPT
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks
Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh
and Dmitry Ponomarev
Department of Computer Science
State University of New York at Binghamton
Presented at the 39th International Symposium
on Computer Architecture (ISCA), June 11th 2012
Attack Classification from NIST Database
Stack, Heap and other overflows
Denial of service26%
Memory Corruption15%
Bypass a restriction4%
Gain Privileges3%
Directory Traversal2%
Obtain information1% Other
1%
*2009 – 2010 CVE Records (Vulnerability level 8 – 10)
ISCA 2012 2
48%
ISCA 2012 3
Buffer Overflow and Code Injection Attack: Example
main (int argc, char **argv) {
...vulnerable(argv[1]);...
}
vulnerable(char *str1){
char str2[100];strcpy(str2,str1);return;
}
0x0000
0xFFFF
Stack growth
Stack frame for main()
Stack frame for
vulnerable() return address
str2malicious input
(str2)
xor ecx, ecxmul ecxlea ebx, [esp+8]mov al, 11int 0x80
malicious return
ISCA 2012 4
Existing Protection from Code Injection Attacks: No Execute Bit (NX)
0x0000
0xFFFF
WRITABLENOT EXECUTABLE
xor ecx, ecxmul ecxlea ebx, [esp+8]mov al, 11int 0x80
malicious return
• Mark memory pages as– Either WRITABLE– Or EXECUTABLE– But not both
• Standard technique in current processors and operating systems– Intel XD bit– AMD XN bit– Windows DEP– Linux PaX Stack
growth
ISCA 2012 5
Next Frontier: Code Reuse Attacks (CRAs)
• Key Idea: Reuse existing library code instead of code injection
• CRA timeline– Return-into-libc attack (1997)– Return Oriented Programming (2007)– Jump Oriented Programming (2010)
• All bypass NX
ISCA 2012 6
Return Oriented Programming (ROP)
0x0000
0xFFFF
Stack growth
Stack frame for main()
Stack frame for vulnerable()
<B><D><C>
xor ecx, ecxmul ecxlea ebx, [esp+8] mov al, 11int 0x80
malicious return
xor ecx, ecxret
lea ebx, [esp+8]retmov al, 11int 0x80
mul ecx ret
<A>
<Address A>
<Address B>
Page marked as EXECUTABLE
<Address C>
<Address D>
ISCA 2012 7
Protecting Against ROP: Secure Call Stack
• Semantics of return instruction– ret expects an address pushed by a call
• Keep a copy of return addresses in a separate memory space– Secured by OS/Hardware
• On each return:– Compare two copies of the return addresses– Generate exception if they mismatch
• Citations to these works are in the paper
ISCA 2012 8
Example of a Secure Call Stack
main (int argc, char **argv) {
...vulnerable(argv[1]);...
}
vulnerable(char *str1){
char str2[100];strcpy(str2,str1);return;
}
0x0000
0xFFFF
Stack growth
Stack frame for
main()
Stack frame for vulnerable()
return address
str2
malicious input
return addressmalicious return
≠
ISCA 2012 9
Defeating Secure Call Stacks
• Initiating an attack– Overwrite a function pointer,– Overwrite a longjmp buffer,– Exploit a format string vulnerability
• Performing an attack– Use indirect jumps instead of returns
• Jump Oriented Programming• Need a special gadget to orchestrate control
ISCA 2012 10
Jump Oriented Programming0x0000
0xFFFF
Stack growth
Stack frame for
main()
Stack frame for vulnerable()
xor ecx, ecxmul ecxlea ebx, [esp+8] mov al, 11int 0x80
malicious return
pop edijmp edi
lea ebx, [esp+8]jmp esimov al, 11int 0x80
mul ecx jmp esi
<register values><C><D><F><E>
<B>
xor ecx, ecxjmp esi
popajmp esi
<Address A>
<Address B>
<Address C>
<Address D>Page marked as
EXECUTABLE
<Address E>
<Address F>
Dispatcher Gadget
ISCA 2012 11
Defending Against JOP Attacks
• Use solutions preventing buffer overflows – Bounds Checking– Information Flow Tracking
• Can ensure the legitimacy of jump targets at runtime – Difficult to do
• Need to construct a Control Flow Graph
– Control Flow Integrity (CFI)• Abadi et al, USENIX Security 2005
ISCA 2012 12
Control Flow Integrity
• Generate Control Flow Graph– Unique labels for edges
• Instrument the code with checks– Each indirect branch checks target for a label
...cmp [ecx], 12345678hjne error_label
lea ecx, [ecx+4]jmp ecx...
...mov eax, [esp+4]...
...jmp ecx...
...<data 12345678h>mov eax, [esp+4]...
Source Destination
CFI instrumentation
Added instructions
ISCA 2012 13
CFI Limitations
• Need to construct Control Flow Graph– No publicly available tools for constructing CFG from
binaries• Need access to source code
• Runtime performance overhead due to extra instructions – About 20% for SPEC 2K6 Benchmarks
• Problems with dynamic linking
• Does not handle unintended instructions
ISCA 2012 14
Where Do Jump Targets Go?
• Typical use of indirect jump instruction– To efficiently implement switch-case statements
• Target is in the same function
– To support dynamic linking• Target is a function entry point
Key Observation:
Legitimate jump targets ARE NOT in the middle of another function
ISCA 2012 15
Our Proposal: Branch Regulation
• Enforce the following rules:– Returns go to the correct addresses– Jumps target same functions or function entry points– Calls target function entry points
• Use hardware checks for enforcement– Low performance overhead (around 2%)– Unintended instructions are handled– No CFG needed– Requires minimal binary annotations
• Security shown for common libraries
ISCA 2012 16
How Does BR Mitigate JOP Attacks?
0x0000
0xFFFF
Stack growth
Stack frame for
main()
Stack frame for vulnerable()
xor ecx, ecxmul ecxlea ebx, [esp+8] mov al, 11int 0x80
malicious return
pop edijmp edi
lea ebx, [esp+8]jmp esimov al, 11int 0x80
mul ecx jmp esi
<register values><C><D><F><E>
<B>
xor ecx, ecxjmp esi
popajmp esi
function1()
function2()
NOT ALLOWED
ISCA 2012 17
Implementing Branch Regulation
• Use a Secure Call Stack
• Annotate function entry points with function size info
• Compare jump targets with function bounds and allow if checks pass
• Store bounds in secure call stack
• Cache a few secure stack entries for performance
ISCA 2012 18
Inserting Code Annotations
080483e4 <main>: 80483e4: push ebp 80483e5: mov ebp, esp ... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret
...08048410 g F .text 005a __libc_csu_init080483e4 g F .text 001c main080482b8 g F .init 0000 _init...
080483d2 <main>: 80483d2: <annotation> <size=001c> 80483e4: push ebp 80483e5: mov ebp, esp ... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret
Original Code Annotated Code
Symbol Table
ISCA 2012 19
Executing Call Instruction
call eax
...8048232: call eax...80482bc: <annotation> 0x9880482be: push esp80482C0: …...8048300: jmp ecx...8048354: ret...
Fetch Decode Execute Commit
Instruction Cache
call eax
… | … | …
Base | Bound | Return
… | … | …
BR Check
Function Bounds Stack
<annotation> 0098
80482bc80482bc
<annotation>
0098
(function size)
80482bc | 8048354 | 8048236
ISCA 2012 20
Executing Jump Instruction
jmp ecx
...0x8048232: call eax...0x80482BC: <annotation> 0x980x80482BE: push esp0x80482C0: …...0x8048300: jmp ecx...0x8048354: ret...
Fetch Decode Execute Commit
Instruction Cache
jmp ecx … | … | …
Base | Bound | Return
… | … | …
BR Check
Function Bounds Stack
0x80483AA
0x80482BC| 0x8048354 | 0x8048236
0x80482BC
>
0x8048354
>
ISCA 2012 21
Executing Return Instruction
ret
...0x8048232: call eax...0x80482BC: <annotation> 0x980x80482BE: push esp0x80482C0: …...0x8048300: jmp ecx...0x8048354: ret...
Fetch Decode Execute Commit
Instruction Cache
ret
… | … | …
Base | Bound | Return
… | … | …
BR Check
Function Bounds Stack
0x8048236
0x80482BC| 0x8048354 | 0x8048236
0x8048236
=
Return Address from Stack
ISCA 2012 22
Security of Branch Regulation
• Effectively reduces the exploitable code base to the current function
• An attacker needs to find in same function:– A vulnerability to exploit– Sufficient functional gadgets– Dispatcher gadget– A system call instruction
ISCA 2012 23
Number of Vulnerable Functions
Library
libc
libm
libcrypto
libgcrypt
libssl
Functions with Dispatcher Gadget and System Call
0
0
0
0
0
Functions with Dispatcher
Gadget
12
0
3
2
0
Total Number of Functions
7775
1077
7991
1135
1017
ISCA 2012 24
Additional Security Analysis in the Paper
• Analysis of available gadgets
• Dispatcher gadget discovery algorithms
• Gadget trie example
• Analysis of gadget side effects– Gadget length– Impact of unintended gadgets
ISCA 2012 25
Increase of Executable Size
perlbench
bzip2 gcc mcf
gobmk
hmmersje
ng
libquantum
h264ref
omnetpp
xalancb
mkmilc
namddealII
soplex
povraylbm
sphinx3 avg
0%
1%
2%
3%
4%
5%
6%
7%
8%
9%
10%
Control Flow Integrity Branch Regulation
Exec
utab
le S
ize
Incr
ease
ISCA 2012 26
Impact of Secure Stack Cache Size
1 2 3 4 5 6 7 8 90%
2%
4%
6%
8%
10%
12%
14%
16%
18%
Cache size
Slow
dow
n
ISCA 2012 27
BR Performance with 4-Entry Cache
perlbench
bzip2 gcc mcf
gobmk
hmmersje
ng
libquantum
h264ref
omnetpp
xalancb
mkmilc
namddealII
soplex
povraylbm
sphinx3 avg
0%
10%
20%
30%
40%
50%
60%
70%
Control Flow Integrity Branch Regulation
Slow
dow
n
ISCA 2012 28
Conclusions
• Emerging Code Reuse Attacks bypass existing defenses against code injection
• New low overhead solutions are needed
• We proposed Branch Regulation
– Uses hardware checks to enforce a limited set of rules
– Incurs 2% performance overhead and 1% increase in code size
– Handles unintended instructions
– Does not rely on Control Flow Graph of the program
– Can protect legacy binaries with minimal effort
• We demonstrated security of Branch Regulation for a variety of common libraries
ISCA 2012 29
Thank you! Questions?
ISCA 2012 30
Backup Slides
ISCA 2012 31
Unintended Instructions
08048484: E8 33 FE FF FF08048489: 8D BB 18 FF FF FF0804848F: 8D 83 18 FF FF FF08048495: 29 C708048488: FF 8D BB 18 FF FF0804848E: FF 8D 83 18 FF FF08048494: FF 29
Code Snippet from __libc_csu_init function
08048484: E8 33 FE FF FF08048489: 8D BB 18 FF FF FF0804848F: 8D 83 18 FF FF FF08048495: 29 C7
Unintended Code Snippet from __libc_csu_init function
call <_init>lea edi, [ebx-e8h]lea eax, [ebx-e8h]sub, edi, eax
dec [ebp-e745h]dec [ebp-e77dh]jmp [ecx]
FF 8D BB 18 FF FF FF 8D 83 18 FF FF FF 29
ISCA 2012 32
Dispatcher Gadgets
• Replacement of return for JOP attacks• Advance a register/memory to represent
program counter• Dispatcher Gadget Potential (DGP)
– If able to write to the target of indirect jump– If not, not Turing-complete
• Dispatcher Gadget Confirmed (DGC)– If found a potential dispatcher gadget– Still a system call is needed for harmful attack
(DGC-SYS)
ISCA 2012 33
Identifying Dispatcher Gadgets
• If memory indirect branch– Find an iterator
• If register indirect branch– Find a loader and an iterator
• mov/pop etc. loads • add/sub/lea/pop etc. iterates
ISCA 2012 34
Dispatcher Gadget Examples
Instruction Type
loader and iteratorregister indirect jump
iteratormemory indirect jump
iteratorloaderregister indirect jump
iteratorconveyorconveyormemory indirect jump
Dispatcher Gadget
pop r1jmp r1
add r1, r2jmp [r1]
lea r1, [r1 + r2]mov r3, [r1]jmp r3
sub r1, 4mov r2, [r1]mov r3, r2jmp [r3]
ISCA 2012 35
Unintended Instructions
• Mostly garbage instructions• Usually more side effects than intentional
NO-BR DGP DGC DGC-SSE DGC-SYS0
200
400
600
800
1000
1200
1400
4925
458 419
620
19764
972850
353
0
intendedunintended
Num
ber
of G
adge
ts
246894925
ISCA 2012 36
Gadget Length
• Long gadget means more intermediate instructions
1 5 10 15 20 25 30 35 40 45 500%
10%20%30%40%50%60%70%80%90%
100%
Gadget Length
Freq
uenc
y