Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer.

Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer Science Katholieke Universiteit Leuven Belgium

Yves Younan - Protecting C and C++ programs from current and future code injection attacks, October 25

Overview
 Introduction
 Code Injection Attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

Introduction
 Code injection attacks: foreign code injected into an application
 Still a major security problem: 24 of 28 CERT advisories in 2003 related to code injection
 Attackers are using more advanced techniques to bypass countermeasures
 Current countermeasures are often built in an ad hoc manner
 A more structured approach to designing countermeasures is needed

Overview
 Introduction
 Code Injection Attacks
   First wave
   Second wave
   Third wave
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

First wave: stack-based buffer overflows
 An attacker gives code as input to the program; the program stores it as data
 The attacker then overflows the bounds of a stack-allocated array and overwrites the return address
 When the function returns, the injected code is executed
 Countermeasure: StackGuard (Cowan et al.) places a random 32-bit value before the return address and checks it before returning
 Attackers developed indirect pointer overwriting (IPO) to bypass the countermeasure
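The StackGuard idea on this slide, as an added example that is not code from the slides or from StackGuard itself: a stack frame is modelled as one byte array laid out as [local buffer][canary][return address] (a constructed layout, not a real compiler frame), so an over-long write stays inside the array and models an overflow without undefined behaviour. The prologue stores the canary, the epilogue refuses to hand back the return address when the canary has changed, and a bounds-respecting copy is shown beside the unchecked one. The canary and return-address values are constructed constants; at run time the canary would be random.

```c
/* Added example, not from the slides: a StackGuard-style canary check on a
 * modelled stack frame. Layout (constructed): [buffer][canary][retaddr]. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN   16
#define CANARY_AT BUF_LEN
#define RET_AT    (BUF_LEN + sizeof(uint32_t))
#define FRAME_LEN (RET_AT + sizeof(uintptr_t))

struct frame { unsigned char bytes[FRAME_LEN]; };

/* Prologue: place the canary between the local buffer and the return address. */
void frame_enter(struct frame *f, uint32_t canary, uintptr_t retaddr) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + CANARY_AT, &canary, sizeof canary);
    memcpy(f->bytes + RET_AT, &retaddr, sizeof retaddr);
}

/* Unchecked copy into the local buffer (the strcpy-style bug). The write is
 * clamped to the frame so the model never leaves the array. */
size_t frame_copy_unchecked(struct frame *f, const unsigned char *src, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, src, n);
    return n;
}

/* Bounds-respecting copy: rejects anything longer than the buffer. */
int frame_copy_bounded(struct frame *f, const unsigned char *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(f->bytes, src, n);
    return 0;
}

/* Epilogue: verify the canary before trusting the return address.
 * Returns 1 when intact, 0 when the frame was smashed (caller should abort). */
int frame_leave(const struct frame *f, uint32_t canary, uintptr_t *retaddr) {
    uint32_t stored;
    memcpy(&stored, f->bytes + CANARY_AT, sizeof stored);
    if (stored != canary) return 0;
    memcpy(retaddr, f->bytes + RET_AT, sizeof *retaddr);
    return 1;
}

/* Writes n bytes of 'A' into a fresh frame and reports the epilogue result:
 * 1 = canary intact, 0 = canary smashed, 2 = bounded copy refused the input. */
int demo(size_t n, int bounded) {
    struct frame f;
    const uint32_t canary = 0x5a3c9e17u;        /* constructed; random in practice */
    const uintptr_t saved_ret = (uintptr_t)0x08048abc; /* constructed return address */
    unsigned char input[FRAME_LEN];
    uintptr_t ret;
    memset(input, 'A', sizeof input);
    frame_enter(&f, canary, saved_ret);
    if (bounded) {
        if (frame_copy_bounded(&f, input, n) != 0) return 2;
    } else {
        frame_copy_unchecked(&f, input, n);
    }
    return frame_leave(&f, canary, &ret);
}

int main(void) {
    printf("8 bytes, unchecked copy:  %d\n", demo(8, 0));
    printf("20 bytes, unchecked copy: %d\n", demo(20, 0));
    printf("20 bytes, bounded copy:   %d\n", demo(20, 1));
    return 0;
}
```

The check only detects writes that run contiguously from the buffer over the canary; that is exactly the gap the slide's last bullet refers to, since an indirect pointer overwrite reaches the return address without touching the canary.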

Second wave: heap-based attacks
 Dynamically allocated memory
 No return addresses
 IPO or function pointer overwriting
 Overwrite memory management information to perform an indirect pointer overwrite
 Exploitable with heap overflow and dangling pointer reference (double free)
 Some allocators can be misused by overflowing just 1 byte

Doug Lea's malloc
[Figure: chunk layout in Doug Lea's malloc (dlmalloc), addresses increasing toward "High addr". An allocated chunk (Chunk1) carries the size of the previous chunk, its own size and the user data. A freed chunk (Chunk2, Chunk3, Chunk4) carries the size of the previous chunk, its own size, a forward pointer and a backward pointer into the free list, followed by the old user data.]

Heap-based buffer overflows
[Figure: the same dlmalloc chunk layout as the previous figure, with the user data of Chunk1 overflowing into the header of Chunk2 (sizes, forward pointer, backward pointer). The figure also labels the stack, a return address and injected code as the targets of the resulting indirect pointer overwrite.]

Heap vulnerabilities
 Attacks for heap-based buffer overflows and double frees exist for other memory allocators as well:
   CSRI (overflow)
   Quickfit (overflow)
   Phkmalloc (overflow)
   Boehm's Garbage Collector (overflow, double free)

Second wave
 Second wave:
   Overflows in the data section (contains global and static compile-time initialized data)
   Overflows in the bss section (contains global and static uninitialized data)
 Can be used to overwrite execution abstractions that the runtime environment relies on

Third wave
 Third wave:
   Integer errors
     Integer signedness errors
     Integer overflows
   Format string vulnerabilities
 Fourth wave?
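The two integer error classes on this slide, as an added example that is not from the slides: a signed length compared against a capacity (the signedness error, where a negative length passes the check and becomes a huge `size_t` at the copy) and a `count * element_size` product that wraps before the allocator sees it (the integer overflow). Each naive check is shown beside its corrected form, and a small length-prefixed record parser uses the corrected checks. The buffer capacity, message bytes and function names are constructed for the example; nothing here performs the unsafe copy.

```c
/* Added example, not from the slides: third-wave integer errors in length
 * handling, each beside a checked version. Values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define BUF_CAP 64

/* Signedness error: comparing a signed length only against the upper bound
 * lets a negative length through; the memcpy later converts it to size_t. */
bool length_accepted_naive(int len) {
    return len <= BUF_CAP;
}

/* What memcpy would be asked to copy for that length (-1 becomes SIZE_MAX). */
size_t bytes_memcpy_would_copy(int len) {
    return (size_t)len;
}

/* Corrected: reject negative lengths as well. */
bool length_accepted_checked(int len) {
    return len >= 0 && len <= BUF_CAP;
}

/* Integer overflow: the product silently wraps, so a tiny allocation backs a
 * large logical array. */
size_t alloc_size_naive(size_t count, size_t elem) {
    return count * elem;
}

/* Corrected: refuse the request when the product cannot be represented. */
bool alloc_size_fits(size_t count, size_t elem) {
    return elem == 0 || count <= SIZE_MAX / elem;
}

/* Parses a constructed record: 32-bit little-endian signed length, then the
 * payload. Returns the payload length, or -1 if the header is untrustworthy. */
int parse_record(const unsigned char *msg, size_t msg_len, unsigned char out[BUF_CAP]) {
    if (msg_len < 4) return -1;
    uint32_t raw = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                   ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    int32_t len = (int32_t)raw;                 /* the field is signed on the wire */
    if (!length_accepted_checked(len)) return -1;
    if ((size_t)len > msg_len - 4) return -1;   /* declared length exceeds received bytes */
    memcpy(out, msg + 4, (size_t)len);
    return (int)len;
}

/* Constructed message with a negative length field (0xFFFFFFFF = -1). */
int demo_parse_negative_length(void) {
    const unsigned char msg[] = { 0xff, 0xff, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[BUF_CAP];
    return parse_record(msg, sizeof msg, out);
}

/* Constructed message with a valid 5-byte payload. */
int demo_parse_valid(void) {
    const unsigned char msg[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[BUF_CAP];
    return parse_record(msg, sizeof msg, out);
}

/* Constructed message that declares more payload than it carries. */
int demo_parse_truncated(void) {
    const unsigned char msg[] = { 0x10, 0x00, 0x00, 0x00, 'h', 'i' };
    unsigned char out[BUF_CAP];
    return parse_record(msg, sizeof msg, out);
}
```

The wrap-around case is easiest to see with `alloc_size_naive(SIZE_MAX / 4 + 1, 8)`, which returns 0 on any width of `size_t`, while `alloc_size_fits` rejects the same request.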

Overview
 Introduction
 Code Injection Attacks
 Model-based countermeasure design
   Machinemodel
   A partial machinemodel of dlmalloc
   Countermeasure based on the machine model
   A countermeasure for dlmalloc
 Metamodel and methodology
 Conclusion

Model-based countermeasure design
 Most countermeasures use an ad hoc approach when protecting applications
 Attackers are using more advanced techniques to bypass them
 A more methodical approach is needed to combat code injection attacks
 Building a model of the execution environment allows us to evaluate which memory locations to protect

Machinemodel
 Addresses and abstractions of control flow
 Addresses that could lead to IPO
 Contextual information:
   What is used when
   What operations are performed

Countermeasures based on the machinemodel
 Most architectures separate code from data
 Apply a similar approach to data
 Separate control-flow information from regular data
 Requires several far-reaching changes to the memory of the process
 Design is aided by the machine model

Countermeasures based on the machine model
 Built a machine model for Linux on the Intel architecture
 Designed a modified machine model for the memory allocator
 Implemented the separation of management information from chunk data
 Implementation was named DistriNet malloc (dnmalloc)

Machinemodel for dlmalloc
[Figure]

Machinemodel for dnmalloc
[Figure]
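The difference the two machine models capture, as an added example that is neither dlmalloc nor dnmalloc code: a toy heap inside one byte array records each chunk's size fields twice, once in-band next to the user data (as in the dlmalloc chunk layout shown earlier) and once in a separate table that no user-data write can reach (the separation of management information from chunk data that dnmalloc implements). An over-long write into the first chunk's user data corrupts the in-band header of the second chunk but leaves the table untouched, which is what lets the allocator keep trusting its own metadata. Chunk sizes, offsets and the overflow length are constructed for the demonstration; the in-band layout holds only the two size fields, not the free-list pointers.

```c
/* Added example, not dlmalloc or dnmalloc code: one toy heap with in-band
 * (dlmalloc-style) and out-of-band (dnmalloc-style) management information.
 * Every write is clamped to the array, so the model has no undefined behaviour. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define HEAP_LEN 128
#define NCHUNKS  2
#define USER_LEN 32                        /* user bytes per chunk (constructed) */
#define HDR_LEN  (2 * sizeof(uint32_t))    /* in-band header: prev_size, size */
#define CHUNK_SZ (USER_LEN + HDR_LEN)

struct toy_heap {
    unsigned char mem[HEAP_LEN];           /* in-band layout: [hdr0][user0][hdr1][user1] */
    struct { uint32_t offset; uint32_t size; } table[NCHUNKS]; /* out-of-band copy */
};

static size_t chunk_off(int i) { return (size_t)i * CHUNK_SZ; }

void heap_init(struct toy_heap *h) {
    memset(h, 0, sizeof *h);
    for (int i = 0; i < NCHUNKS; i++) {
        uint32_t prev = i ? (uint32_t)CHUNK_SZ : 0, size = (uint32_t)CHUNK_SZ;
        unsigned char *hdr = h->mem + chunk_off(i);
        memcpy(hdr, &prev, sizeof prev);              /* in-band prev_size */
        memcpy(hdr + sizeof prev, &size, sizeof size); /* in-band size */
        h->table[i].offset = (uint32_t)(chunk_off(i) + HDR_LEN);
        h->table[i].size = size;                       /* out-of-band size */
    }
}

/* The size of chunk i as recorded in-band (next to user data). */
uint32_t inband_size(const struct toy_heap *h, int i) {
    uint32_t s;
    memcpy(&s, h->mem + chunk_off(i) + sizeof(uint32_t), sizeof s);
    return s;
}

/* The size of chunk i as recorded out-of-band (in the separate table). */
uint32_t outofband_size(const struct toy_heap *h, int i) {
    return h->table[i].size;
}

/* Unchecked write of n bytes into chunk i's user data, clamped to the array. */
void write_user(struct toy_heap *h, int i, const unsigned char *src, size_t n) {
    size_t off = chunk_off(i) + HDR_LEN;
    if (n > HEAP_LEN - off) n = HEAP_LEN - off;
    memcpy(h->mem + off, src, n);
}

/* A check the out-of-band design makes meaningful: the table is the
 * allocator's source of truth and user data cannot have modified it. */
bool metadata_consistent(const struct toy_heap *h) {
    for (int i = 0; i < NCHUNKS; i++)
        if (outofband_size(h, i) != CHUNK_SZ) return false;
    return true;
}

/* Size of chunk 1 as seen in-band after writing n bytes of 'A' into chunk 0. */
uint32_t inband_size_after_write(size_t n) {
    struct toy_heap h;
    unsigned char src[HEAP_LEN];
    memset(src, 'A', sizeof src);
    heap_init(&h);
    write_user(&h, 0, src, n);
    return inband_size(&h, 1);
}

/* Same write, size of chunk 1 as seen in the out-of-band table. */
uint32_t outofband_size_after_write(size_t n) {
    struct toy_heap h;
    unsigned char src[HEAP_LEN];
    memset(src, 'A', sizeof src);
    heap_init(&h);
    write_user(&h, 0, src, n);
    return metadata_consistent(&h) ? outofband_size(&h, 1) : 0;
}
```

With USER_LEN of 32, a 32-byte write fills chunk 0 exactly and both views still report 40; a 40-byte write runs over chunk 1's in-band header, so the in-band size reads 0x41414141 while the table still reports 40. The real dnmalloc keeps its chunk information in a lookup table found from the chunk address rather than in a fixed array, but the property demonstrated is the same.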

Dlmalloc - Dnmalloc performance overhead

Program | Dlmalloc runtime (± stderr) | Dnmalloc runtime (± stderr) | Overhead percentage
gzip    | 253 (± 0)   | (± 0.01)   | 1.18%
vpr     | (± 0.16)    | (± 0.13)   | -0.11%
gcc     | (± 0.05)    | (± 0.04)   | 0.54%
mcf     | (± 0.07)    | (± 0.07)   | 1.01%
crafty  | 253 (± 0)   | 254 (± 0)  | 0.40%
parser  | (± 0.02)    | (± 0.05)   | -0.10%
eon     | (± 0.13)    | (± 0.11)   | -0.58%
perlbmk | (± 0.04)    | (± 0.05)   | 4.24% (highest)
gap     | (± 0.02)    | 184 (± 0)  | -0.04%
vortex  | 250 (± 0)   | (± 0.04)   | 3.52%
bzip    | (± 0.05)    | (± 0.07)   | 0.45%
twolf   | (± 0.43)    | (± 0.41)   | -1.76% (lowest)

SPEC CPU2000 results for dlmalloc and dnmalloc (13 runs on 8 identical PCs (P4 2.8 GHz, 512 MB) = 104 runs). Runtime values missing from the transcript are left blank; only the standard errors survived.

Countermeasures based on the machinemodel
 Modify the way the stack is organized: 3 stacks
   Control information: return address, frame pointer, pointers and arrays of pointers (bounds checked)
   Integers and floating types
   Regular data
 Work in progress
   Prototype running with 3 stacks
   Preliminary performance results look promising

Countermeasure based on the machinemodel
 Reorganize the data segment
 Memory in the data segment must be reorganized

Overview
 Introduction
 Attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

Metamodel and methodology
 A machine model is strongly linked to an architecture: limited usefulness
 The metamodel is built as an abstraction of several machine models
 Accompanied by a methodology for building machine models
 Allows reasoning about countermeasures at a very high level of abstraction
 Platform expert: metamodel + methodology: build a machinemodel
 Security expert: design a countermeasure on a machinemodel

Overview
 Introduction
 Attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

Conclusion
 Many countermeasures can be bypassed using one of the techniques described earlier
 A more structured approach is needed at a higher level of abstraction
   By using machine models and a metamodel
   Supports collaboration (platform expert / security expert)
   Less prone to porting errors (uniform representation)
   Better design (easier to notice shortcomings)
   Platform for comparing and evaluating countermeasures
 For more information: papers are available on the SoBeNet user group website