low‐level software security · ‣ so why not just fix all software? ‣ fixing software is...
TRANSCRIPT
Low‐LevelSoftwareSecurity:AttacksandDefenses;ControlFlowIntegrity
SystemSecuritySeminarPresenter:CătălinHrițcu
‣ Low‐LevelSoftwareSecurity:AttacksandDefenses,byÚlfarErlingsson(FOSAD2007)‣ Control‐flowintegrity,byMartínAbadi,MihaiBudiu,ÚlfarErlingsson,JayLigatti(CCS2005)
‣ManythankstoÚlfarErlingssonfromMicrosoftResearchandReykjavkUniversity‣ ManyoftheslidesarefromhisFOSAD2007talk‣ Opinionsandmistakesarestillmine
References
Areal‐worldattack
‣MicrosoftWindowsanimatedcursorbufferoverflowvulnerability(March30,2007)
Ratedas“Extremelycritical”
Exploitedimmediatelyinthewild
‣ Attackvectors:‣ HTMLemail/spam‣ Browsersvulnerable‐2000+differentsiteshostingexploit
Microsoftreactsfast
‣ Releases“outofband”patch(April3)
‣ Unpatchedsystemsarestillbeingactivelyexploited
Low‐levelattacks
‣ Bufferoverflows~50%ofallreportedattacks‣ 1988:RobertMorris’sInternetWorm‣ 2000:CodeRed,SQLSlammer‣ 2007:Windows.ANIvulnerability
‣ Possiblewhenevercompilingahigh‐levellanguageintoalow‐levelonewithoutguaranteeingthatthetranslationpreservesthehigh‐levelabstractions
ThelegacyofC
‣ Millionsoflinesofsecurity‐criticalcodewritteninC‣ Ccompilersdonotguaranteeanypropertyofthetranslation‣ Evenifweignorecompilation,Cisnottypeandmemorysafe‣ Thisoftenleadstoexploitablevulnerabilities
‣ Saferlow‐levellanguages:Cyclone,CCured,SafeC,...‣ MostofthemaresafedialectsofC‣ ExistingCcodecanbemigratedwithsomechanges
!"#$%#&'()$*+$,
! -.//.*01$*+$/.0#1$*+$1'+#2)3(4.2.('/$,$(*5#" 67&#$.08#129#02:
! #$%&%'&(&)%*&'+,%'-.&+/%'+.0'-.,%12+31%'0-%')4'56&'1+78'4/'2);#$'05$9#9*4)$1'+#2)
! <##5$'0 .0(4#9#02'/$24'01.2.*0$2*$1'+#4$'05$9*4#$4#/.'=/#$1)12#91:
Advertisement:Deputy
‣ PromisingsafeCcompilerfromBerkeley‣ Designedtoworkonexistingreal‐worldCcode‣ IncludingtheLinuxkernelitself!
‣ Allowsforincrementaltransition‣ Memorylayoutofdatastructurespreserved
‣ Dependenttypes(additionalannotations)‣ Hybridtypechecking(static+dynamic)
‣ Lowperformanceimpact‣ Averageof10‐20%forCPU‐intensivetests
‣ Lowannotationburden‣ FortheLinuxkernellessthan1%oflinesannotated
‣Mightbethesubjectofafuturetalkinthisseminar
High‐levellanguages
‣ e.g.Java,C#,Python,O’Caml,StandardML,...‣ Usuallypromisetobesaferandmoresecure‣ Theiractualsafetystilldependsonlow‐leveldetails‣ Compilerandruntime‐systemneedtobecorrect‣ Staticcheckingisnotenough‣ Mosthigh‐levelpropertiesneedtobeenforcedatrun‐time‣ Safetyvs.performancetradeoff
‣ Rewritinglegacycodeinanewlanguageisinmostcasesoutofthequestion‣ Evenifthetargetlanguagewouldbeperfectlysecure‣ Andtherun‐timeoverheadnegligible
Mitigationtechniques
‣ Themainsubjectofthistalk‣ Limitedlanguage‐baseddefensesthat‣ Workonlegacycode‣ Arefullyautomatic‣ Operateatthelowestlevel(machine‐code)‣ Involvenosource‐codechanges(atmostre‐compilation)‣ Typically,runtimecheckstoguaranteehigh‐levelproperties‣ Unobtrusive:closetozerooverheadandzerofalsepositives‣ Onlypreventcertainvulnerabilities/attacks‣ Oftenunclearwhatvulnerabilitiesarecovered
Mitigationsareacompromise
‣Mitigationsarelimited,correctsoftwareisbetter‣ Wouldn’tneedanydefensesifsoftwarewas“correct”…
‣ Sowhynotjustfixallsoftware?‣ Fixingsoftwareisdifficult,costly,anderror‐prone‣ Itishardeventospecifywhat“correct”shouldmean‣ Needssource,buildenvironments,etc.,andmayinteractbadlywithtesting,debugging,deployment,andservicing
‣Mitigationsarenottheoptimalsolution,but...‣ Theycanruleoutmanypracticalattacks‣ Someoftheoneswewillseearedeployedinpractice(e.g.WindowsXPSP2andVista)
Outline
‣ Asimplebufferoverflowexample‣ Twosimplemitigationtechniques‣ Stackcanariesandcookies‣ Preventingdataexecution(NXD)‣ Amorecomplexjump‐to‐libcattack‣ Amorepowerfulmitigationtechnique‣ Control‐flowintegrity
Aconcretestackoverflowexample!""#$%&'(&)*"+,-&#..,*//&$0122*,3-4
!"#$%&'()*+,-./010/*#,23-450*#0675839:'
! $3346;*,1052/,-<*4*=28>0?.<8@0A*45549*,B*3C0*<346;
! !"#$%&'()*+'$,#)&,'$-..,#//$0+*')/$)+$)"#$-))-(1#,2/$(+.#
! DC0*E0<3*;B,-B*/,-./010/*43346;
! F<0?*E9*3C0*GB305B03*H,5I*8B*JKLL*4B?*6,II,BM/460*<8B60
! N4B*4MM/9*3,*3C0*4E,10*14584B3*,2*+-/#5* 4B?*/#5*
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839::
! ;<0*4=,10*>346?*>@4A><,3*8>*4/>,*@,5B4/*-C,*,1052/,-
! !"#$%&'()#*+,$"#&#$%&#$-./0#1223$%*4$-2,,=453
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839::
! ;<0*4=,10*>346?*>@4A><,3*8>*4/>,*@,5B4/*-C,*,1052/,-
! !"#$%&'()#*+,$"#&#$%&#$-./0#1223$%*4$-2,,=453
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! !8<4//9=*4*>346?*><4@>A,3*-83A*4<*,1052/,-B
! C<*3A0*4D,10=*3A0*>346?*A4>*D00<*6,557@30E
! FA0*>06,<E*G43346?05.6A,>0<H*45I !"#$4>E24>E24>E24>E2%
! &'#()*+",-#./#.00.(1,+#2!340#/)0#()++*50#!/#04!"#6.78
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
� $*<346=*<>4?<@,3*-83@*4*A0>8B>*!"#$%!&
� C>*3@0*4A,10D*3@0*<346=*@4<*A00>*6,557?30E
� F@0*<06,>E*G43346=05.6@,<0>H*45B 8<*I4<E24<E24<E24<E2J
� "2*6,75<0D*4>*43346=05*K8B@3*>,3*6,557?3*8>*3@8<*-49L
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <,-=*4*>346?*>@4A>B,3*-83B*4*C4/868,7>*,1052/,-)
! D@*3B0*4E,10=*3B0*>346?*B4>*E00@*6,557A30F*C4/868,7>/9
! GB0*45H> !"#$%&'(#)**+$!,-$.!"/'01(!"$!//!02#".6B,>0@*F434
! II*64@*E0*4@9*@,@.J05,*E930*14/70
!"#$%#&'('")(*#+"$,'&-.$/"'0*12.'
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
� <,-=*4*>346?*>@4A>B,3*-83B*4*C4/86!"#$%"&'()"-)
� D@*3B0*4E,10=*3B0*>346?*B4>*E00@*6,557A30F*C4/868,7>/9
� GB0*45H> 450*I*/0)JJK*4@F*A453867/45*43346?05.6B,>0@*F434
� LL*64@*E0*4@9*@,@.M05,*E930*14/70
Stackcanaries
‣ Verysimpledefense‣ Assumeacontiguousbufferoverflowisusedbyattackers‣ Andthattheoverflowisbasedonzero‐terminatedstrings‣ Putcanarywith“terminator”valuesbelowthereturnaddress
‣ Checkcanaryintegritybeforeusingreturnaddress!
!"#$%&$#'#()*+
!"#$%&'()*+,-./010/*#,23-450*#0675839:'
! ;<=304>*,2*659?3,@A$B !"#$%&'$"$&()*+'$,&-"!.$!"#"/01
! $==7C0*4*6,<38D7,7=*E72205*,1052/,-*8=*7=0>*E9*43346F05=
! $<>*3G43*3G0*,1052/,-*8=*E4=0>*,<*H05,.305C8<430>*=358<D=*036I
! 2%-$"$!"#"/0$3(-4$,-'/)(#"-5/1$6"+%'&$7'+53$-4'$/'-%/#$"88/'&&
! !"#$%&$'(')*&+(,#-)+,*&.#/0)#&12+(-&,"#&)#,1)(&3'41#5
Stackcookies
‣ Canalsouserandom,secretvalues:cookies‣ Defendsagainstnon‐null‐terminatedoverflows(e.g.viamemcpy)
‣ Checkcookieintegritybeforeusingreturnaddress!‣ ImplementedinWindows(/GScompilerflag)
! !"#$%&'$(")%'&$*+,'-$+,"#$"))./'-*$0"#"-1'&
! !"#$%&'()*%+$,%-*.,%+$/+$'0$-%**$'0$1%#"0$2%343$!"!!!#$$!%2
! !"#$")&*$%&'$-"#3*45$&'0-'+$(")%'&5$*-$!""#$%&
! 61))$,')7$"8"1#&+$#*#.+'-41#"+'3$*('-9)*:&$;'<8<$(1"$&'&()*2
! !"#$%&$''%(#&()*#+,(*-&.#/',#&01()+&*"#&,#*0,)&2340#5
!"#!!$#%%$ !"""#"$%&'%()"'#*+,-"&,,./%"0#12%
+,#(-.(//-0'1
=>?@ABCDE$F*:.)'(')$?*9+:"-'$?'0%-1+GHI
‣ Donotpreventheap‐basedbufferoverflows
Stackcanariesandcookies!"#"$%"&'(&)*%+,&-./0.$+%,&.++.12%
!"#$%&'()*+,-./010/*#,23-450*#0675839::
! #346;*64<4580=*4<>*=346;*6,,;80=*?410*1059*/833/0*6,=3
! "</9*<00>0>*,<*27<638,<=*-83?*/,64/*45549=
! @10<*=,A*<,3*4/-49=*4BB/80>)*?0758=386=*>0305C8<0*-?0<
! DE,3*4*F,,>*8>04A*4=*=?,-<*G9*5060<3*$EH*43346;*,<*I8=34J
! K8>0/9*8CB/0C0<30>)*LM#A*#346;M745>A*N5,N,/860A*036O
! HCB/0C0<3438,<=*39B864//9*6,CG8<0*-83?*,3?05*>020<=0=
! P48<*/8C83438,<=)*
! "</9*B5,3063=*4F48<=3*6,<38F7,7=*=346;.G4=0>*,1052/,-=
! E,*B5,30638,<*82*43346;*?4BB0<=*G02,50*27<638,<*50375<=
! !,5*0Q4CB/0A*C7=3*B5,3063*27<638,<.B,8<305*45F7C0<3=
Preventingdataexecution
‣ Simplypreventtheexecutionofdataascode‣ Thispreventsbothstackandheap‐basedattacks‣ Thereishardwaresupportforthis(NXbitonx86)‣ Canbedonewithprettymuchzerooverhead‣ Butitbreaksalotofsoftware:‣ MostWin32GUIapps,CLR(andJITs)
‣ Canalsobedoneinsoftware(SMAC)‣ Limitations:‣ Attackersdon’talwayshavetoexecutedataascode‣ Theycanjustcorruptdata:data‐onlyattacks‣ Theycansimplyexecuteexistingcode:jump‐to‐libc
Jump‐to‐libc
‣ BodyLevelOne
!"#$%&'()*+,-./010/*#,23-450*#0675839:(
! $;9*0<8=38;>*6,?0*64;*@0*0<06730?*@9*43346A05=*
! B49*@0*4;*0<8=38;>*27;638,;C*=76D*4= !"!#$%&'
! EF>FC*4*27;638,;*3D43*8=*;0105*8;1,A0?*G?04?*6,?0H
! "5*6,?0*8;*3D0*I8??/0*,2*4*27;638,;
! !"#$%&%#$'%$()**)+,-#./,.01$0)2%
! !,7;?*-83D8;*0<06734@/0*J4>0=*G0F>F*=-836D*34@/0=H
! "5*2,7;?*-83D8;*0<8=38;>*8;=357638,;=*G/,;>*<KL*8;=357638,;=H
! M9J864//9*4*=30J*3,-45?=*57;;8;>*43346A05=*,-;*=D0//6,?0
! MD0=0*450*!"#$%&'%!"#$ ,5*()&"(*%&'%!"#$ 43346A=
! $//,-*43346A05=*3,*,1056,I0*NO*?020;=0=
(##)*+,-.
/0$*1#234,$02!#234,*56$,72),8)6,9523#$:!
!"#$%"&'#()*+#")+",$"-))-(.$/
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <,=>730?*3@0*=0A84B*8B30C05*8B*4B*8B>73*45549
! #,53?*4*6,>9*,2*3@0*45549*4BA*50375B*3@0*=8AA/0*8B30C05
! D2*0$# 8?*/45C05*3@4B*1!234567-0*@410*4*?346E*,1052/,-
!"#$%&'()$#*&+#,-"./01"#(10"/$2
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <4=9*-49>*3,*43346?*3@0*'$+0&" 27=638,=
! A@0*.'( B,8=305*8>*7>0C*D02,50*3@0*27=638,=*50375=>
! E3*64=*D0*,105-58330=*D9*4*>346?.D4>0C*,1052/,-
! $=C*>346?*64=4580>*,5*6,,?80>*450*=,3*4*C020=>0
! F>8=G*H7IB.3,.)0*.J*4=*43346?*64=*4/>,*2,8/*KL
! F>0*0M8>38=G*6,C0*3,*8=>34//*4=C*H7IB*3,*43346?*B49/,4C
! E=6/7C8=G*I45?8=G*3@0*>@0//6,C0 D930>*4>*0M06734D/0
! NM4IB/0*,2 !"#!$%&'(&)#%(!"*%&'!)"
! O$>*,BB,>0C*3,*#!$%&'(&)#%(!"*%&'!)"(8=*B5018,7>*43346?>P
!"#$%&'&()*+,-'"-./0$ 1''1$2(&31+,.&
!"#$%&'()*+,-./010/*#,23-450*#0675839:'
! $*;,5<4/*=346>*2,5*3?0*+&4/1#27;638,;
! #346>*=;4@=?,3*43*3?0*@,8;3*,2*3?0*64//*3,*+&+$,5
! A$BCDEF#*8=*G
! F?0*'+, 45549*8=*0<@39H*,5*4//*I05,
!"#$%&'&()*+,-'"-./0$ 1''1$2(&31+,.&
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! $*!"#$%# <346=*
,1052/,-*8>*3?0*
+&4/1# 27>638,>*
! @,3*3?0*14/70<*3?43*
4>*43346=05*-8//*
!"##$%&'
!"#$%&'&()*+,-'"-./0$ 1''1$2(&31+,.&
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! $*!"#$%$&'( <346=*,1052/,-*8>*3?0*+&4/1# 27>638,>*
! !"#$%&&%'($)*#+,-&$
6,557@3*3?0*50375>*4AA50<<*B0CDCE*3,*41,8A*<346=*64>459*,5*6,,=80*A020><0<F
! G,>35,/.2/,-*8<*50A850630A*8>*56"%'
! H<0<*[email protected],../0$3,*2,8/*KL*A020><0<
usethereturn
!"#$%&'&()*+,-'"-./0$ 1''1$2(&31+,.&(
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <0/,-*=>,-=*3>0*6,?30@3*,2*6AB 8?1,6438,?*8?*C=,53
! D,0=*3,*4*E.F930*!"#$%&'()* =0C70?60*2,7?G*8?*4*/8F5459
!"#$%&'#&'$()$'"#$*+,-.'(./%01 2''213
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <052,5=*4*>0580>*,2*64//>*3,*0?8>38@A*/8B5459*27@638,@>
! C83D*645027//9*>0/0630E*45A7=0@3>
! FD0*022063*8>*3,*8@>34//*4@E*0?06730*3D0*43346G*H49/,4E
x86__cdeclfunction‐callconvention‣ Pushparametersontothestack,fromrighttoleft
‣ Callthefunction
‣ Saveandupdatethe%ebp
‣ Allocatelocalvariables
‣ Performthefunction'spurpose
‣ Releaselocalstorage
‣ Restoresavedregisters
‣ Restoretheoldbasepointer
‣ Returnfromthefunction
‣ TheRETinstructionpopstheold%EIPfromthestackandjumpstothatlocation.Thisgivescontrolbacktothecallerfunction.Onlythestackpointerandinstructionpointersaremodifiedbyasubroutinereturn.
‣ Cleanuppushedparameters
!"#$%&'$(%%()*$+,#-,.'/ %&'$/%()*
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! !85<3*8=14/8>*6,=35,/.2/,-*0>?0*?,0<*3,*354@A,/8=0
! B54@A,/8=0*50375=<*3,*3C0*<3453*,2*D85374/$//,6
! EC86C*50375=<*3,*3C0*<3453*,2*3C0*F=305/,6G0>HI6CJ*27=638,=
! EC86C*50375=<*3,*3C0*6,A9*,2*3C0*43346G*A49/,4>*
VirtualAlloc
InterlockedExchange
New executable
copy of attack
payload
esp
esp
!"#$#%&'%()*+%,-#(,.%&$/01'.)*#-2
!"#$%&'()*+,-./010/*#,23-450*#0675839:(
! ;<*+8<7=*.)34>*,<0*8<*?(@*A930B*8B*4*5647 $#& ,C6,D0
! "<0*8<*E(F*A930B*8B*4<*,CC,537<8B386>*,5*7<8<30<D0D>*$#&
! 8..%'(%&"#-#%0/9%3#%,-#(,.%-'0#"':
(;%4;%5;%55%55%55%%%%&#-&%%#+)<%565555555;
5(%=>%?>%47% -#&*@ 39&#%1&$ A#31BCDE
#34538<G*,<0*A930*/4305>*3H0*43346I05*8<B304D*,A348<B
4;%5;%55%55%55%5( 0'F. #+)<%565(555555
=>% 64"G #/6<%#31
?>% )*4%%%#31
47% $#&
!"#"$%&'(")*+,-./01/&'23 %00%345
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! !"#"$%&'"()$*%+,%-)$&./&01,#1,(&234#)(-$5&660789:
! <,==8>/0*3,*46?8010*4@93?8@A*>9*,@/9*0B06738@A*354CD,/8@0=
! 6,$&#)(4)*"&%+,(4);-$"*&-$%)&<5,'5"%=&4+-(-%->"*
! 03#1&<+"%3+$.,580@30E.#)(43%-$5=&-*&?3+-$5&#)(4;"%"
! <5463864/F*010@*82*,@/9*,DD,537@8=386*$"0 =0G70@60=*450*7=0E
! H,@285C=*4*/,@A.=34@E8@A*4==7CD38,@)*
!"#$%&!'%$%(#)*+,!-.#$%/*-0#1!'2!-#34!5'!-.6#
3437*'$&83#7/03#!5#,3%+!''30
'23-
$-#$''$793%#7$-#7$*53#$-(#035!%306#&$0#&32$:!/%
!""#$%&'&$()*"+#,)"*&#)-&.#+,#)"*
!"#$%&'()*+,-./010/*#,23-450*#0675839(:
! ;7<=.3,./8>6 43346?@*450*,2*A5043*=5463864/*6,B605B
! !,5*8B@34B60C*5060B3*$DE*43346?*,B*F8@34*8@*@8<8/45*3,*/0-,#)
! G54H838,B4//9C*50375B.3,.1,2$-83I*3I0*345A03**3*"0/45
! J0<,18BA**3*"0/45 8@*B083I05*4*A,,H*B,5*@7228680B3*H020B@0
! K0B054/839*,2*354<=,/8B0@*<4?0@*3I8@*4*7B45A74>/0*=,8B3
! $B9-49*H822867/3*3,*0/8<8B430*6,H0*25,<*@I450H*/8>54580@
! L4@0H*,B*?B,-/0HA0*,2*0M8@38BA*6,H0C*4BH*83@*4HH50@@0@
! $3346?05@*<7@3*H04/*-83I*B43754/*@,23-450*14584>8/839
! EB6504@8BA*3I0*14584>8/839*64B*>0*4*A,,H*H020B@0
! L0@3*H020B@0*8@*3,*/,6?*H,-B*3I0*=,@@8>/0*6,B35,/*2/,-
! "3I05C*@8<=/05*<04@750@*-8//*4/@,*I0/=
Jump‐to‐libcattacks
‣ ~60%ofattackssubverttheexpectedcontrolflow‣ Enforcingcontrol‐flowintegritywouldpreventsuchattacks
Control‐flowintegrity
Badcontrolflow
!""#$%&'()"*+,(#&*-()&.(/*0/(1
!"#$%&'()*+,-./010/*#,23-450*#0675839:
! ;0*-5830*,75*6,<0*8=*>8?>./010/*/4=?74?0@
! A43754//9B*,75*0C06738,=*D,<0/*4@@7D0@)
! !7=638,=@*@3453*43*3>0*E0?8==8=?
! F>09*G39H864//9I*0C06730*25,D*E0?8==8=?*3,*0=<
! $=<B*->0=*<,=0B*3>09*50375=*3,*3>085*64//*@830
! "=/9*3>0*6,<0*8=*3>0*H5,?54D*64=*E0*0C06730<
! F>0*@03*,2*0C06734E/0*8=@357638,=@*8@*/8D830<*3,*
3>,@0*,73H73*<758=?*6,DH8/438,=*,2*3>0*H5,?54D
!""#$%&'()"*+,(#&*-()&.(/*0/(1
!"#$%&'()*+,-./010/*#,23-450*#0675839:
! ;0*-5830*,75*6,<0*8=*>8?>./010/*/4=?74?0@
! !"#$%&'#"&(()$%&#%#*+%(+,+(%-.%/&'*01+%'-2+
! A4=*@3453*8=*3>0*B8<</0*,2*27=638,=@
! $*254?B0=3*,2*4*27=638,=*B49*C0*0D06730<
! E0375=@*64=*?,*3,*4=9*F5,?54B*8=@357638,=
! $//*3>0*<434*>4@*7@74//9*C00=*0D06734C/0
! "=*3>0*DGHI*64=*@3453*0D06738=?*=,3*,=/9*8=*3>0*
B8<</0*,2*27=638,=@I*C73*B8<</0*,2*8=@357638,=@J*
!"#$%&'$()%*+,,%$"(%-./%+0$(121($3
! !"#$%"#&'()"*&+',&%'*-.+/#"0.+'-.'*-./#-)',)-%
! 1'*"))'/-'"',2.*/0-.3(-0./&#'*".')&"$'4".5'()"*&+6
!"##$%&'()"*+,"&
-&".(/'#+$*0+$"*
10-'()"/'2/0+0
!"##$%&'()"*+,"&
-&".(/'#+$*0+$"*
10-'()"/'2/0+0
!"#!"# $%&'()*$%&'()*!"#()*!"#()* !"#('+%!"#('+%
,-../01234!2567/-83-93:2;-<=
>?7?3;2;-<=
'-@23;2;-<=
9-<396857/-8 A
'-@23;2;-<=
9-<396857/-8 B
7891:;<=6'>-%3)&?&)'9-,/%"#&'9&*2#0/5=@
!"#$%&'$()%*+,,%$"(%-./%+0$(121($3
! !"#$%"#&'()"*&+',&%'*-.+/#"0.+'-.'*-./#-)',)-%
! 1'*"))'/-'"',2.*/0-.3(-0./&#'*".')&"$'4".5'()"*&+6
!"##$%&'()"*+,"&
-&".(/'#+$*0+$"*
10-'()"/'2/0+0
!"##$%&'()"*+,"&
-&".(/'#+$*0+$"*
10-'()"/'2/0+0
!"#!"# $%&'()*$%&'()*!"#()*!"#()* !"#('+%!"#('+%
,-../01234!2567/-83-93:2;-<=
>?7?3;2;-<=
'-@23;2;-<=
9-<396857/-8 A
'-@23;2;-<=
9-<396857/-8 B
7891:;<=6'>-%3)&?&)'9-,/%"#&'9&*2#0/5=@
Enforcingcontrol‐flowintegrity!"#"$%"&'(
)$#*+,-$.&,*$/+*01#0*2&-$/".+-/3&
!"#$%&'()*+,-./010/*#,23-450*#0675839(:
! ";/9*605348;*6,;35,/.2/,-*8<*=,<<8>/0*8;*<,23-450
! ?10;*8;*@*4;A*@BB*4;A*27;638,;*4;A*0C=50<<8,;*>,7;A4580<
! #D,7/A*4/<,*6,;<8A05*-D,.64;.E,.-D050F*4;A*A04A*6,A0
! @,;35,/.2/,-*8;30E5839*G04;<*3D43*0C06738,;*=5,600A<*466,5A8;E*3,*4*<=068280A*6,;35,/.2/,-*E54=D*H@!IJK
L0A760<*E4=*>03-00;*G46D8;0*6,A0*4;A*D8ED./010/*/4;E74E0<
! @4;*0;2,560*-83D*@!M*G06D4;8<GF*-D86D*8<*<8G=/0F*0228680;3F*4;A*4==/864>/0*3,*0C8<38;E*<,23-450K
! @!M*0;2,560<*4*>4<86*=5,=0539*3D43*3D-453<*4*/45E0*6/4<<*,2*43346N<!"#$%&'$()#*#+)(,-+..3,.-+./(0-1'2#$34
! @!M*8<*4*2,7;A438,;*2,5*0;2,568;E*,3D05*=5,=05380<
‣ EveninCtherearefunctionandexpressionboundaries
Guardsforcontrolflowintegrity
‣ CFIguardsrestrictcomputedjumpsandcalls‣ Callsthroughfunctionpointers(e.g.virtualmethodsinC++)‣ Allreturn,exceptionandswitchstatements
‣ Directcallsareunaffected‣ CFIguardmatcheslabelatsourceandtarget‣ Labelsareconstantsembeddedinmachine‐code‣ Labelsarenotsecret,butmustbeunique
‣ TwodestinationsareequivalentwhentheCFGcontainsedgestoitfromthesamesetofsources‣ Equivalentdestinationsarelabeledthesame‣ i.e.alabeluniquelyidentifiesaCFGequivalenceclass
Asimpleexample
‣ BodyLevelOne
! !"#$%&'()*+&)#,'*%&'-.%%&-/'*/').*0! "#$%&'#!()*+
! ,)(%-"((+&#.%)$+#()/0%$)//+&+#(%-1)#(.%)#%(2+%31$+
! 4#$)&+3(%31#(&15%/516%*'.(%71%(1%(2+%&)72(%-"((+&#
! 8"#%9+%+#/1&3+$%'.)#7%.1/(6"&+%)#.(&'*+#("()1#
! :;+#%/1&%+<).()#7=%5+7"30%.1/(6"&+
!"#$%!&'()&*+!"#$%&'()*+,(-%.//01234
>?
!""# #$%&'$ ()*&'$ +,*-*./$0.'*(*1*+2
3!""# 4$%&'$ ()*&'$ +,*-*
./$0.'*(*5*+23
6".$7%&'$*89:)*&'$ !9:)*&'$ #/',-
6".$%*8)* #/')*#$ ,26".$%*!)* #/')*4$ ,2
3
!"#$%
!"#$%&
'()"'$*+
&'(")#$%
,(''$-.!#
,(''$-.!#
'()"'$//
&'("#$%
,(''$*+01
!"#$//
'()"'$%&
!"#$!
*"#$%
!"#$%&
'()"'$*+
'()"'$//
@ABCDEFGH%I16!5+;+5%B1/(6"&+%B+3'&)(0
! !"#$%#&'&'(%)$"*)*$+$,)-)#./$.-*'#"0)-'+'.&-$'&&12$+-3$+%%1.)*$'&$1),+/($4.-3&5*$678$)6)/"'+91)*
! :&3)$#)5#.'.-,$-))3$-&'$9)$'#"*')32$9)/+"*)$&;$'<)$=)#.;.)#
! ><)$=)#.;.)#$.*$*.0%1)$?@$AB&:2$0&*'1($%+#*.-,$678$&%/&3)*C
!"#$"%#&'()'*'+,+-#.'&%-/'012
78
!"#$%&'(!")'*
('+(%,%-.
/-)
%-0,/&&/,%"-#'12/-%0#
3(".(/#'4'15,%"-
3(".(/#
'4'15,/6&'7'(%89
!:;
B&+3
.-'&
0)0&#(
3(".(/#1"-,("&<8&"+
.(/$2
7'-)"(*"(*
,(50,')*$/(,9
D!EFGHIJK$B&5L1)=)1$E&;'5+#)$E)/"#.'(
‣ Machinecoderewritingusinginstrumentationtool‣ AppliestolegacyWindowsx86executables‣ Coderewritingneednotbetrusted,becauseoftheverifier‣ Theverifierissimple(2KLoC,mostlyparsingx86opcodes)
CFIformalstudy[ICFEM’05]
‣ FormallyvalidatedthebenefitsofCFI‣ Definedamachinecodesemantics‣ Powerfulattackermodel‣ Attackercanarbitrarilycontrolallofdatamemory
‣ Provedthat,withCFI,executionalwaysfollowstheCFG,evenwhenunderattack
‣ Assumptions‣ NXD:Datacannotbeexecuted(hardwareorsoftware)‣ NWC:Codecannotbemodified(hardware,alreadyused)‣ Wecanrelyonvaluesindistinguishedregisters‣ Jumpscannotgointothemiddleofinstructions‣ Aconvenientsimplificationtomaketheproofmanageable
CFIasfoundationforotherprop.
‣ CFIcanbeusedasafoundationforefficientlyenforcingmoresophisticatedsecurityproperties‣ Softwarefaultisolation(e.g.sandboxing)‣ Dynamicallycheckmemoryaccessestoemulatetraditionalmemoryprotection
‣ Softwarememoryaccesscontrol‣ Strongerthansoftwarefaultisolation:isolateddatamemoryregionsaccessibleonlyfromparticularcode
‣ RemovesNXDassumption,butaddsextraoverhead
‣ Protectedshadowcallstack‣ IDchecksonreturnreplacedbytheuseofacallstack‣ Verylittleextraoverhead(atleastwithx86‐specifictricks)
CostandBenefits
‣ CFIoverhead:~16%insyntheticCPU‐boundbenchmarks‣ Isthisreallyunobtrusive(closetozerooverhead)?
‣ Effectivelystopsmostjump‐to‐libcattacks‣ Notrampolining,evenifCFIenforcesaverycoarseCFG‣ E.g.,mayhavetwolabels‐‐forcallsitesandstartoffunctions
‣ Limitation:Data‐onlyattacks
!"#"$%"&'(&)*%+,&-./0.$+%,&.++.12%
!"#$%&'()*+,-./010/*#,23-450*#0675839:;
! <!=*,105>04?*41054@0A*BCD*,E*<FG.H,7E?*H0E6>I45JA! "230E*I76>*/0AA)*?0K0E?A*,E*-,5J/,4?L*<FG*4E?*=M"L*036N
! #01054/*14584E3A) ON@NL*#420#OP 0Q60K38,E*?8AK436>*8E*R8E?,-A
! O22063810/9*A3,KA*S7IK.3,.3041 43346JA! T,*354IK,/8E8E@ 4H,73L*010E*82*<!=*0E2,560A*4*1059*6,45A0*<!U
! ON@NL*I49*>410*3-,*/4H0/A!2,5*64//*A830A*4E?*A3453*,2*27E638,EA
! V48E*/8I83438,E)*%434.,E/9*43346JA W*$F=*43346JA
#FO<=TX*YZ*502050E60*57EAL*[F*#FYL*#420*V,?0*-M<V%L*F0E387I*;L*E,*PXL*BN\UP]
!"
#!"
$!"
%!"
&!"
'!!"
'#!"
'$!"
()*+# ,-./01 234 5.+ 5,, 5)*+ 6,/ +.-72- 0839/ :3-02; :+- <=>
?@AB24/3-,26240B3:2-C2.D
Conclusion
‣Mitigationtechniques‣ Automaticdefensesthatworkonlegacycode‣ Operateatthemachine‐codelevel‣ Involvenosource‐codechanges‣ Haveclosetozerooverhead‣ Onlypreventcertainkindsofattacks‣ Mayprovideafalsefeelingofsecurity...likeaVolvo‣ Arenotsubstitutesforcorrectcodeorsaferlanguages‣ Donotprotectagainstdenial‐of‐serviceattacks
‣ Control‐flowintegrity‣ Particularlypowerfulmitigationtechnique‣ Preventsmanykindsofattacks,includingjump‐to‐libc