![Page 1: Lecture 08 –Control-flow Hijacking Defenses · Lecture 08 –Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 –Fall 2017 Slides adapted](https://reader031.vdocuments.net/reader031/viewer/2022041614/5e3a344401219e0ef71b9a5f/html5/thumbnails/1.jpg)
Lecture 08 – Control-flow Hijacking Defenses
Stephen Checkoway, University of Illinois at Chicago
CS 487 – Fall 2017. Slides adapted from Miller, Bailey, and Brumley
Control Flow Hijack: Always control + computation

    computation  +  control
    shellcode (aka payload) | padding | &buf

• code injection
• return-to-libc
• heap metadata overwrite
• return-oriented programming
• ...

Same principle, different mechanism
Control Flow Hijacks

… happen when an attacker gains control of the instruction pointer.

Two common hijack methods:
• buffer overflows
• format string attacks
Control Flow Hijack Defenses

Bugs are the root cause of hijacks!
• Find bugs with analysis tools
• Prove program correctness

Mitigation techniques:
• Canaries
• Data Execution Prevention / No eXecute
• Address Space Layout Randomization
CANARY / STACK COOKIES

Image source: http://en.wikipedia.org/wiki/File:Domestic_Canary_-_Serinus_canaria.jpg
Stack frame of the program below (high addresses at the top; %ebp points at the saved caller’s ebp, %esp at the outgoing strcpy arguments):

    …
    argv
    argc
    return addr
    caller’s ebp      <- %ebp
    buf (64 bytes)
    argv[1]           (strcpy arguments)
    buf               <- %esp

Input that overruns buf, written as a Perl string: "A" x 68 . "\xEF\xBE\xAD\xDE"

```c
#include <string.h>

int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);   /* no bounds check: argv[1] may exceed 64 bytes */
}
```

Disassembly (gdb):

```text
Dump of assembler code for function main:
   0x080483e4 <+0>:  push   %ebp
   0x080483e5 <+1>:  mov    %esp,%ebp
   0x080483e7 <+3>:  sub    $72,%esp
   0x080483ea <+6>:  mov    12(%ebp),%eax
   0x080483ed <+9>:  mov    4(%eax),%eax
   0x080483f0 <+12>: mov    %eax,4(%esp)
   0x080483f4 <+16>: lea    -64(%ebp),%eax
   0x080483f7 <+19>: mov    %eax,(%esp)
   0x080483fa <+22>: call   0x8048300 <strcpy@plt>
   0x080483ff <+27>: leave
   0x08048400 <+28>: ret
```
After strcpy with the input "A" x 68 . "\xEF\xBE\xAD\xDE" (same program and disassembly as the previous slide):

    …
    argv
    argc
    return addr       0xDEADBEEF                   <- corrupted
    caller’s ebp      AAAA                         <- overwritten (%ebp)
    buf (64 bytes)    AAAA AAAA … (64 in total)    <- overwritten
    argv[1]
    buf               <- %esp
StackGuard idea [Cowan et al. 1998]:

• prologue introduces a canary word between return addr and locals
• epilogue checks canary before function returns

Wrong canary => overflow

    …
    arg 2
    arg 1
    return addr
    caller’s ebp      <- %ebp
    callee-save
    CANARY
    locals            <- %esp
gcc Stack-Smashing Protector (ProPolice)

    return addr
    caller’s ebp
    CANARY
    buf (64 bytes)

Compiled with v4.6.1: gcc -fstack-protector -O1 …

```text
Dump of assembler code for function main:
   0x08048440 <+0>:  push   %ebp
   0x08048441 <+1>:  mov    %esp,%ebp
   0x08048443 <+3>:  sub    $76,%esp
   0x08048446 <+6>:  mov    %gs:20,%eax
   0x0804844c <+12>: mov    %eax,-4(%ebp)
   0x0804844f <+15>: xor    %eax,%eax
   0x08048451 <+17>: mov    12(%ebp),%eax
   0x08048454 <+20>: mov    4(%eax),%eax
   0x08048457 <+23>: mov    %eax,4(%esp)
   0x0804845b <+27>: lea    -68(%ebp),%eax
   0x0804845e <+30>: mov    %eax,(%esp)
   0x08048461 <+33>: call   0x8048350 <strcpy@plt>
   0x08048466 <+38>: mov    -4(%ebp),%edx
   0x08048469 <+41>: xor    %gs:20,%edx
   0x08048470 <+48>: je     0x8048477 <main+55>
   0x08048472 <+50>: call   0x8048340 <__stack_chk_fail@plt>
   0x08048477 <+55>: leave
   0x08048478 <+56>: ret
```

The guard is loaded from %gs:20 into the -4(%ebp) slot in the prologue (<+6> to <+12>), buf now starts at -68(%ebp) just below it, and after strcpy the slot is xor-ed against %gs:20 again (<+38> to <+48>); any difference calls __stack_chk_fail instead of reaching `ret`.
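To make the prologue/epilogue mechanism on the StackGuard and ProPolice slides concrete, here is an added C model (my own code, not the lecture’s and not gcc’s): a struct stands in for the frame layout, prologue() and epilogue_ok() play the roles of the mov %gs:20 / xor %gs:20 instructions, and overflow_detected() reports whether an n-byte overrun of buf trips the check. The struct, the function names and the 0x08048500 / 0xbfffff00 values are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Teaching model of a ProPolice frame, lowest address first: the guard word
 * sits between the local buffer and the saved %ebp / return address, the
 * -4(%ebp) slot in the slide's disassembly. This is not compiler output. */
struct frame {
    char     buf[64];      /* local buffer (lowest address)            */
    uint32_t canary;       /* guard word (from %gs:20 in the real code) */
    uint32_t saved_ebp;    /* caller's %ebp                            */
    uint32_t return_addr;  /* where `ret` will jump                    */
};

#define RET_PLACEHOLDER 0x08048500u   /* constructed, not a real address */

/* Prologue: store the per-process guard word in the fresh frame. */
static void prologue(struct frame *f, uint32_t guard)
{
    f->canary = guard;
    f->saved_ebp = 0xbfffff00u;   /* constructed placeholder */
    f->return_addr = RET_PLACEHOLDER;
}

/* Epilogue: 1 if the guard is intact, 0 if the frame was smashed (the real
 * epilogue calls __stack_chk_fail instead of returning to the caller). */
static int epilogue_ok(const struct frame *f, uint32_t guard)
{
    return f->canary == guard;
}

/* A copy with an attacker-chosen length (memcpy, or strcpy of a long string)
 * runs past buf into the rest of the frame. Writing through (char *)f stays
 * inside one struct object, so the model itself is well-defined C. */
static void unbounded_copy(struct frame *f, const char *src, size_t n)
{
    memcpy(f, src, n > sizeof *f ? sizeof *f : n);
}

/* Fill the first n bytes of a fresh frame with "A" (the slide's "A" x 68
 * pattern) and report whether the epilogue check fires: 1 = caught, 0 = not. */
static int overflow_detected(size_t n, uint32_t guard)
{
    struct frame f;
    char payload[sizeof f];
    memset(payload, 'A', sizeof payload);
    prologue(&f, guard);
    unbounded_copy(&f, payload, n);
    return !epilogue_ok(&f, guard);
}
```

A copy of exactly 64 bytes passes, 65 or more bytes is caught, and a guard equal to the fill pattern (0x41414141) would slip through, which is the edge case the next slide’s "hard to forge" requirement is about.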
Canary should be HARD to forge

• Terminator canary
  – 4 bytes: 0, CR, LF, -1 (low -> high)
  – terminates strcpy(), gets(), …
• Random canary
  – 4 random bytes chosen at load time
  – stored in a guarded page
  – need good randomness
Ideas for defeating stack canaries?

• Use a targeted write, e.g., format string
• Overwrite a data pointer first
• Overwrite a function pointer loaded and used from higher up the stack
• memcpy buffer overflow with a fixed canary
• Canary leak

    return addr
    caller’s ebp
    CANARY
    buf (64 bytes)
Bypass: Data Pointer Subterfuge

Overwrite a data pointer first…

```c
int *ptr;
char buf[64];
memcpy(buf, user1);   /* length argument omitted on the slide; ptr sits just above buf */
*ptr = user2;
```

    return addr
    caller’s ebp
    CANARY
    ptr
    buf (64 bytes)
Overwrite function pointer higher up

• Overflow buffer to overwrite fun on the stack
• Tricky! Compiler can load fun into a register before strcpy (this can happen with optimization)
• Works better with structs with function pointers (e.g., OpenSSL) or C++ classes

```c
void contrived(const char *user, void (*fun)(char *)) {
    char buf[64];
    strcpy(buf, user);   /* unbounded copy; fun lives above buf on the stack */
    fun(buf);
}
```

    fun
    user
    return addr
    caller’s ebp
    CANARY
    buf (64 bytes)
memcpy/memmove with fixed canary

• Fixed canary values like 000d0aff (0, CR, NL, -1) are designed to terminate string operations like strcpy and gets
• However, they are trivial to bypass with memcpy vulnerabilities
Canary leak I: two vulnerabilities

• Exploit one vulnerability to read the value of the canary
• Exploit a second to perform a buffer overflow on the stack, overwriting the canary with the correct value
Canary leak II: pre-fork servers

• Some servers fork worker processes to handle connections
• In the main server process
  – Establish listening socket
  – Fork all the workers; if any die, fork a new one
• In the worker process (in a loop)
  – Accept a connection on the listening socket
  – Process request
Canary leak II: pre-fork servers

• This design interacts poorly with stack canaries
• Since each worker is forked from the main process, it initially has exactly the same memory layout and contents, including stack canary values!
• Attacker can often learn the canary a byte at a time by overflowing just a single byte of the canary, trying values 00 through ff until it doesn’t crash; then move on to the next byte
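The byte-at-a-time guessing described above leaves a characteristic trace in the master process: a run of workers dying from the canary abort. Here is an added C sketch (my own code, not from the lecture or from any server) of the detection side, a sliding-window count of abnormal worker exits that the master could feed from its waitpid() loop. The worker_exit record, the sample event stream and the 60-second / 20-exit thresholds are constructed. Detection complements, but does not replace, the structural fix of having each worker re-exec itself after fork so that it receives a fresh canary.

```c
#include <stddef.h>

/* One worker exit as the master sees it from waitpid(): seconds since the
 * server started, and whether the child died abnormally (SIGABRT from
 * __stack_chk_fail, or SIGSEGV) rather than exiting cleanly. Constructed
 * record type, not from any real server. */
struct worker_exit { unsigned t; int abnormal; };

/* Guessing a 4-byte canary one byte at a time kills on average about 128
 * workers per byte and at most 255, all within a short span, so a burst of
 * abnormal exits far above the usual rate is the thing to alert on. Events
 * must be sorted by t. Returns the time at which `limit` abnormal exits
 * first fell inside one `window`-second span, or -1 if that never happens. */
static long first_crash_burst(const struct worker_exit *ev, size_t n,
                              unsigned window, unsigned limit)
{
    size_t lo = 0, in_window = 0;
    for (size_t hi = 0; hi < n; hi++) {
        if (!ev[hi].abnormal) continue;
        in_window++;
        while (ev[lo].t + window <= ev[hi].t) {   /* drop events too old */
            if (ev[lo].abnormal) in_window--;
            lo++;
        }
        if (in_window >= limit) return ev[hi].t;
    }
    return -1;
}

/* Constructed sample: `quiet` clean exits 100 s apart, then `crashes`
 * abnormal exits one second apart starting at t = 2000, the pattern a
 * byte-by-byte guess leaves behind. Returns the number of events written. */
static size_t build_sample(struct worker_exit *out, size_t cap,
                           size_t quiet, size_t crashes)
{
    size_t n = 0;
    for (size_t i = 0; i < quiet && n < cap; i++, n++)
        out[n] = (struct worker_exit){ (unsigned)(100 * i), 0 };
    for (size_t i = 0; i < crashes && n < cap; i++, n++)
        out[n] = (struct worker_exit){ (unsigned)(2000 + i), 1 };
    return n;
}

/* Run the detector on the sample above: returns the alert time, or -1. */
static long detect_on_sample(size_t quiet, size_t crashes,
                             unsigned window, unsigned limit)
{
    struct worker_exit ev[256];
    size_t n = build_sample(ev, 256, quiet, crashes);
    return first_crash_burst(ev, n, window, limit);
}
```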
What is a “Canary”?

Wikipedia: “the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.”
DATA EXECUTION PREVENTION (DEP) / NO EXECUTE (NX) / EXECUTE DISABLED (XD) / EXECUTE NEVER (XN)
How to defeat exploits?

    computation  +  control
    shellcode | padding | &buf

The two defenses attack the two halves: DEP targets the computation half (the injected shellcode must not execute), the canary targets the control half (the overwritten return address must not be used).
Memory permissions

• Set (or clear) a bit in a page table entry to prevent code from being executed
• Enforced by hardware: trying to fetch an instruction from a page marked as non-executable causes a processor fault
Data Execution Prevention

Mark the stack as non-executable using the NX bit

    shellcode | padding | &buf   ->   CRASH

(still a Denial-of-Service attack!)
W^X

Each memory page is exclusively either writable or executable.

    shellcode | padding | &buf   ->   CRASH

(still a Denial-of-Service attack!)
Actually a pretty old idea

• MIPS R2000 (from 1986) has per-page readable, writable, executable bits
• Intel 80386 (from 1985) does not. Mapped pages are always readable and executable
• Intel 80286 (from 1982) introduced 16-bit “protected mode” where code, data, and stack segments can be separated
• The 386 has a 32-bit “protected mode” but most OSes set code, data, and stack segments to be the entire virtual address space
Physical Address Extension

• Intel added an extension to increase the size of allowable physical memory beyond 4GB
• PAE changed the page table format, added a third level of translation, and added the execute disable bit (but the OS has to enable both PAE and NX support)
• x86-64 uses the PAE format and thus supports NX
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
[Slide diagram: Address Space Layout Randomization]

Left stack (no ASLR): caller’s ebp, then buf (64 bytes) holding the shellcode at 0xffffd5d8; the overwritten return address reads "addr of buf (0xffffd5d8)", so `ret` lands in the shellcode.

Right stack (with ASLR): the same frame, but buf[0] .. buf[63] now start at 0xffffd618; the overwritten return address still reads 0xffffd5d8, which no longer points at the shellcode. Oops…

(Other addresses marked on the slide: 0xffffe3f8, 0xffffe428.)
ASLR

Traditional exploits need precise addresses
– stack-based overflows: location of shellcode
– return-to-libc: library addresses (we’ll talk about this next time)

• Problem: program’s memory layout is fixed – stack, heap, libraries etc.
• Solution: randomize addresses of each region!
Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
Running cat Twice

• Run 1
• Run 2
Bits of randomness (32-bit x86)

• Depends on the OS, but roughly
  – Program code and data: 0 bits (fixed addresses)
  – Heap: 13 bits (2^13 possible start locations)
  – Stack: 19 bits (2^19 possible start locations)
  – Libraries: 8 bits (2^8 possible start locations)
• With position-independent executables (PIE)
  – Program code and data: 8 bits
  – Others the same
• 64-bit has much more randomness
Support for ASLR added over time

• Initially by the PaX team for Linux
• All major OSes support it for applications
• Kernel ASLR now supported by major OSes
Is DEP + ASLR a panacea?

• Not really
• Next time: DEP bypass via code reuse attacks
• How can we bypass ASLR?
Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
Bypassing ASLR

• Older Linux would let local attackers read the stack start address from /proc/<pid>/stat
• Non-PIE binaries have fixed code and data addresses
• Each region has a random offset, but fixed layout => learning a single address in a region gives every address in the region
• Servers that re-spawn (even with new randomization) can be brute forced when the number of bits of randomness is low
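As an added example (my own code, not the lecture’s), here is a small parser for the /proc/<pid>/maps format behind the "Running cat Twice" slide, put to two defensive uses: line_is_wx() flags mappings that violate W^X (the Memory permissions, DEP and W^X slides), and region_randomized() compares the base of a region across two runs, which is exactly what exposes the fixed text of a non-PIE binary on the "Bypassing ASLR" slide. The two runs are constructed samples, one with a deliberately executable stack; the addresses and inode numbers are made up.

```c
#include <stdio.h>
#include <string.h>

struct region { unsigned long start, end; char perms[5]; char name[256]; };

/* Parse one /proc/<pid>/maps line such as
 * "bfa0c000-bfa2d000 rw-p 00000000 00:00 0 [stack]" (anonymous mappings
 * carry no name). Returns 1 on success, 0 if the line is not a mapping. */
static int parse_maps_line(const char *line, struct region *r)
{
    r->name[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %*x %*s %*s %255s",
                   &r->start, &r->end, r->perms, r->name);
    return n >= 3 && r->end > r->start;
}

/* W^X audit: 1 if the mapping is writable and executable at the same time. */
static int line_is_wx(const char *line)
{
    struct region r;
    return parse_maps_line(line, &r) && r.perms[1] == 'w' && r.perms[2] == 'x';
}

/* Base of the first region whose name contains key; 0 if there is none. */
static unsigned long region_base(const char *const *l, int n, const char *key)
{
    struct region r;
    for (int i = 0; i < n; i++)
        if (parse_maps_line(l[i], &r) && strstr(r.name, key))
            return r.start;
    return 0;
}

/* ASLR check across two runs: 1 = base moved, 0 = same base both times
 * (fixed, e.g. the text of a non-PIE binary), -1 = region not present. */
static int region_randomized(const char *const *a, int na,
                             const char *const *b, int nb, const char *key)
{
    unsigned long x = region_base(a, na, key), y = region_base(b, nb, key);
    return (x && y) ? x != y : -1;
}

/* Constructed sample: two runs of a 32-bit non-PIE /bin/cat. The text segment
 * stays at 0x08048000; heap, libc and stack get fresh offsets each run. */
static const char *const run1[] = {
    "08048000-08049000 r-xp 00000000 08:01 1234 /bin/cat",
    "09a1c000-09a3d000 rw-p 00000000 00:00 0    [heap]",
    "b75f3000-b7792000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc.so.6",
    "bfa0c000-bfa2d000 rwxp 00000000 00:00 0    [stack]",  /* executable stack */
};
static const char *const run2[] = {
    "08048000-08049000 r-xp 00000000 08:01 1234 /bin/cat",
    "0842b000-0844c000 rw-p 00000000 00:00 0    [heap]",
    "b7688000-b7827000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc.so.6",
    "bf9d0000-bf9f1000 rw-p 00000000 00:00 0    [stack]",
};
```

On a live system the same functions can be fed the lines of /proc/self/maps from two separate runs; a region that reports 0 is the one that hands an attacker a fixed address.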