CS457 – Introduction to Information Systems Security

Software 3

Elias Athanasopouloselathan@ics.forth.gr

Elias Athanasopoulos 2

Software Exploitation – High Level

CS-457

Vulnerable Software (e.g., web browser)

Input (malicious web page)

Exploit Code

Renders malicious page

Exploit Runs Collect Gadgets

Build ROP Chain

Exec ROP Chain

Introduce new control

flows

HACK

ED

Elias Athanasopoulos 3

How the ROP chain works? –use esp as the instruction pointer

CS-457

ROP Chain TEXT Section (Code)

Addr. of G1

Addr. of G2

Addr. of G3

Addr. of GN

G1; ret

G2; ret

G3; ret

GN; ret

Elias Athanasopoulos 4

Heap Overflows

CS-457

Stack Heap Data Text

High Address Low Address

Vulnerability(VTable ptr)

(*)f()

Jump to Gadget

G1

…; ret

Attacker does NOT control the stack!

Elias Athanasopoulos 5

Stack Pivoting

CS-457

Stack Heap Data Text

High Address Low Address

Vulnerability(VTable ptr)

(*)f()

Jump to Gadget

G1

xchg %eax,%esp; ret

Stack Pivoting

Force %esp to point to

heap

Execute the rest of the ROP chain

Elias Athanasopoulos 6

Defending ROP

CS-457

Elias Athanasopoulos 7

Randomization

ASLR- Address Space Layout Randomization

Fine-grained Randomization- Smashing the gadgets- Binary Stirring

CS-457

Elias Athanasopoulos 8

ASLR (demo)

CS-457

Elias Athanasopoulos 9

Fine-grained Randomization

Shuffle instructions, without changing the semantics

CS-457

Elias Athanasopoulos 10

Information Disclosure Bugs

String formatting bugsint main(){ char localStr[100]; printf("Username? "); fgets(localStr, sizeof(localStr), stdin); printf(localStr); printf("What is the access code? "); …}

CS-457

localStr = "AAAA %08x %08x %08x";

Elias Athanasopoulos 11

Just-in-time ROP

CS-457

Elias Athanasopoulos 12

Control-Flow Integrity (CFI)

CS-457

Elias Athanasopoulos 13

Ideal CFI

CS-457

Two problems:1) CFG discovery (especially in legacy apps)2) Performance in checks

Elias Athanasopoulos 14

Coarse-grained (loose) CFI

CS-457

Elias Athanasopoulos 15

Gadgets under CFI

CS-457

Elias Athanasopoulos 16

Linking Gadgets under CFI

CS-457

Elias Athanasopoulos 17

Exploitation under CFI

CS-457

Elias Athanasopoulos 18

Run-time ROP detection (kBouncer)

CS-457

Elias Athanasopoulos 19

kBouncer

CS-457

Elias Athanasopoulos 20

kBouncer Checks

call-ret pairing- Coarse-grained CFI

Heuristics- Up to 20 instructions is considered a gadget- 6 gadgets in a row is considered an attack

CS-457

Elias Athanasopoulos 21

kBouncer Heuristics

CS-457

Elias Athanasopoulos 22

Bypassing kBouncer

CS-457

Elias Athanasopoulos 23

kBouncer bypass PoC

CS-457