Jump-Oriented Programming

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Slides revised 3/25/2014 by Patrick Kelley. 2 Procedures Unlike other branching structures (loops, etc.) a Procedure has to return to where it was called.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Introduction to Computer Engineering ECE 252, Fall 2010 Prof. Mikko Lipasti Department of Electrical and Computer Engineering University of Wisconsin –
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS ) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.
Computer Organization and Architecture
1 Today  Remember to use your late days wisely —We can’t post solutions until all HWs have been turned in  One complete example —To put together the.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Memory - Registers Instruction Sets
Basic Computer Organization, CPU L1 Prof. Sin-Min Lee Department of Computer Science.
Computer Organization and Architecture
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Group 5 Alain J. Percial Paula A. Ortiz Francis X. Ruiz.
Computer Organization CS345 David Monismith Based upon notes by Dr. Bill Siever and notes from the Patterson and Hennessy Text.
Programmer's view on Computer Architecture by Istvan Haller.
Presented by: Sergio Ospina Qing Gao. Contents ♦ 12.1 Processor Organization ♦ 12.2 Register Organization ♦ 12.3 Instruction Cycle ♦ 12.4 Instruction.
Stack Stack Pointer A stack is a means of storing data that works on a ‘Last in first out’ (LIFO) basis. It reverses the order that data arrives and is.
Functions and Procedures. Function or Procedure u A separate piece of code u Possibly separately compiled u Located at some address in the memory used.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Virtual Memory Expanding Memory Multiple Concurrent Processes.
February 3, 2003Functions in MIPS1 CS 232 It is important that students bring a certain ragamuffin, barefoot irreverence to their studies; they are not.
Module : Algorithmic state machines. Machine language Machine language is built up from discrete statements or instructions. On the processing architecture,
Exploitation possibilities of memory related vulnerabilities
ITCS 3181 Logic and Computer Systems 2015 B. Wilkinson Slides4-2.ppt Modification date: March 23, Procedures Essential ingredient of high level.
Operating Systems CSE 411 CPU Management Sept Lecture 10 Instructor: Bhuvan Urgaonkar.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
Introduction to Information Security ROP – Recitation 5.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Structure and Role of a Processor
MIPS Subroutines Subroutine Call – jal subname Saves RA in $31 and jumps to subroutine entry label subname Subroutine Return – jr $31 Loads PC with return.
RISC / CISC Architecture by Derek Ng. Overview CISC Architecture RISC Architecture  Pipelining RISC vs CISC.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
Introduction to Information Security
Remix: On-demand Live Randomization
Protecting Memory What is there to protect in memory?
Assembly language.
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
MCI PPT AVR MICROCONTROLLER Mayuri Patel EC-1 5th sem
© Craig Zilles (adapted from slides by Howard Huang)
Procedures 101: There and Back Again
Introduction to Information Security
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
ADVANCED PROCESSOR ARCHITECTURE
TAO1221 COMPUTER ARCHITECTURE AND ORGANIZATION LAB 3 & 4 Part 2
Introduction to Compilers Tim Teitelbaum
Procedures (Functions)
Functions and Procedures
Recitation: Attack Lab
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Pick up the handout on your way in!!
Continuous, Low Overhead, Run-Time Validation of Program Executions
MIPS Instructions.
BIC 10503: COMPUTER ARCHITECTURE
Classification of instructions
Introduction to Microprocessor Programming
Process.
Computer Concept and Practice
CPU Structure and Function
Computer Organization and Assembly Language
© Craig Zilles (adapted from slides by Howard Huang)
Computer Operation 6/22/2019.
Return-to-libc Attacks
Presentation transcript:

Jump-Oriented Programming Song Yang

Motivation Defense of ROP: -There are already ways to defense return-oriented programming by identifing a specific trait exhibited by return-oriented attacks. Some enforce the LIFO stack invariant and some detect excessive execution of the ret instruction.(Anti-ROP defenses) What should we do to continue to perform code-reuse attack? -What these techniques have in common is that they all assume that the attack must use the stack to govern control flow.

New class of code-reuse attack Change the formmat of ROP (JOP) -We don't use ret as an ending instruction, instead, we use jmp. What's the difference? -In ROP, we use ret as an ending of gadget to chain multiple frames. -In JOP, we use jmp as an ending of gadget. New problem comes -the attker aim to make sequence of execution, but with jmp as ending, we can't chain the frames.

Jump Oriented Programming Jump Oriented Programming consists of three parts: Dispatcher Gadget: is used to determine which gadget in dispatch table should be execute next Gadget table: is used to hold gadget address and data Gadget Catalog: the exact instructions matching each gadget which is in dispatch table

Jump Oriented Programming

Dispatcher gadget The dispatcher gadget is a specific gadget which plays a critical role in the JOP technique.It essentially maintains a virtual program counter(pc) and executes the JOP program by advancing it through one gadget after another. How do we decide which gadget should be the dispatcher gadget?

Get Dispatcher gadget We consider any jump-oriented gadget that carries out the following algorithm as a dispatcher candidate. pc f(pc); goto *pc; pc can be a memory address or register that represents a pointer into jump-oriented program Each time the dispatcher gadget is invoked, the pc will be advanced accordingly. Then the dispatcher dereferences it and jumps to the resulting address

Jump Oriented Programming

Functional Gadgets The dispatcher gadget itself does not perform any actual work on its own|it exists solely to launch other gadgets, which are functional gadgets. To maintain control of the execution, all functional gadgets executed by the dispatcher must conclude by jumping back to it, so that the next gadget can be launched

Kinds of different functional gadgets Loading data Memory access Arithmetic and logic Branching System calls

Gadget Discovery

New buffer to launch attack A setjmp buffer: The programmer allocates a jmp_buf structure and calls setjmp() with a pointer to this structure at the point in the program where control flow will eventually return. The setjmp() function will store the current CPU state in the jmp_buf object, including the instruction pointer eip and some general-purpose registers. The function returns 0 at this time. Later, the programmer can call longjmp() with the jmp_buf object in order to return control flow back to the point when setjmp() was originally called, bypassing all stack semantics. This function will restore the saved registers and jump to the saved value of eip. At this time, it will be as if setjmp() returns a second time, now with a non- zero return value. If the attacker can overwrite this bu er and a longjmp() is subsequently called, then control flow can be redirected to an initializer gadget to begin the jump-oriented program.

The example vulnerable program

Limitions and futher refinements Though JOP is capable of arbitrary computation in theory, constructing the attack code manually is more complex. Two features of the x86 conspire to make gadgets based on jmp and call especially plentiful. We need to consider what if we apply JOP in an alternative platform.(e.g., MIPS).

Thank you