Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR

Slides:

Advertisements

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

Advertisements

Smashing the Stack for Fun and Profit

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

Review: Software Security David Brumley Carnegie Mellon University.

Framing Signals— A Return to Portable Shellcode

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

1  1998 Morgan Kaufmann Publishers Chapter Seven Large and Fast: Exploiting Memory Hierarchy (Part II)

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.

Address Space Layout Permutation

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.

KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

Mitigation of Buffer Overflow Attacks

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

Exploitation possibilities of memory related vulnerabilities

Exploit Defenses: ASLR, W X, TaintCheck Brad Karp UCL Computer Science CS GZ03 / th December, 2007.

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.

Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.

On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer.

1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.

Covert Channels Through Branch Predictors: a Feasibility Study

Translation Lookaside Buffer

Mitigation against Buffer Overflow Attacks

Remix: On-demand Live Randomization

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

HDFI: Hardware-Assisted Data-flow Isolation

X. Zhang, Y. Xiao, Y. Zhang Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices Xiaokuan Zhang, Yuan Xiao, Yinqian.

CS 140 Lecture Notes: Virtual Memory

Jump-Oriented Programming

Memory COMPUTER ARCHITECTURE

The Hardware/Software Interface CSE351 Winter 2013

CSC 495/583 Topics of Software Security Stack Overflows (2)

CSC 495/583 Topics of Software Security Return-oriented programming

Bruhadeshwar Meltdown Bruhadeshwar

Software Security.

Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]

CS 140 Lecture Notes: Virtual Memory

Continuous, Low Overhead, Run-Time Validation of Program Executions

Advanced Buffer Overflow: Pointer subterfuge

Meltdown CSE 351 Winter 2018 Instructor: Mark Wyse

CS 140 Lecture Notes: Virtual Memory

Address Space Layout Randomization (ASLR) Dirk Gordon

Side channels and covert channels Part I – Architecture side channels

Machine Level Representation of Programs (IV)

CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs

CSE451 Virtual Memory Paging Autumn 2002

CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs

CS703 - Advanced Operating Systems

CS 140 Lecture Notes: Virtual Memory

Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization Nathaniel Enos.

Spectre Attacks: Exploiting Speculative Execution

Meltdown & Spectre Attacks

Return-to-libc Attacks

Presentation transcript:

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Dmitry Evtyushkin*, Dmitry Ponomarev*, Nael Abu-Ghazaleh§, * § The 49th Annual IEEE/ACM International Symposium on Microarchitecture October 18, 2016 Taipei, Taiwan

Buffer Overflow & Code Injection Data Stack: str2 [ret address] str1 = &(str2) Stack frame for vulnerable() vulnerable.c vulnerable(char*str1) { char str2[100]; strcpy(str2, str1); return; } Protection: W^X, NX-bit, etc. – Mark pages either writable or executable – But not both

Reuse Instead of Injecting Code Key Idea: Reuse executable or library code instead of code injection Programs use standard libraries, e.g. glibc Attacker can return to functions in libraries e.g. system() Programs have huge code base with versatile code Attacker can combine this code into desired code Bypass NX protection

Code Reuse Attacks (CRA) Attacker Code: Data Stack: xor ecx,ecx; mul ecx; lea ebx,[esp+8]; mov al, 11; int 0x80; ret; A B C D E Stack Pointer Code Pages: A B B D C E D E C A

How to Protect from Code Reuse? Address Space Layout Randomization (ASLR) Randomize position of important structures including code segment and libraries ASLR can be applied to both User space and Kernel space Implemented on all modern Operating Systems Bypass Return-to-libc, Return-Oriented Programming and Jump-Oriented programming (JOP) attacks

How ASLR Works Where are my gadgets? ret; xor ecx,ecx; A mul ecx; Attacker Code: Data Stack: xor ecx,ecx; mul ecx; lea ebx,[esp+8]; mov al, 11; int 0x80; ret; A B C D E Stack Pointer Code Pages: A B B D C E D E C A

Kernel ASLR Similar attack applies to OS Kernel The attacker can make the kernel to jump to arbitrary address The attacker needs to know kernel code layout

Bypassing ASLR The attacker can rely on other attacks to bypass ASLR: Memory disclosure attacks to leak pointers e.g. Dangling Pointer Use side channels to find out code layout e.g. Shared cache or Branch predictor

Overview of Jump-over-ASLR Attack Use Branch Target Buffer (BTB) to recover random address bits Two scenarios: One user space process attacking another User process attacking Kernel ASLR Attack capabilities: Recover all random bits in Linux Kernel and KVM* Recover part of random bits in User Process making brute force attack much faster * https://github.com/felixwilhelm/mario_baslr/

Attack principals (User-Level) Victim Spy BTB Address tag Target A: jmp A: jmp A B B: B: C: Observation: MISPREDICTION Observation: HIT

Latencies Observed by the Spy Percentage Latency (in cycles)

Looking for BTB Collisions Victim Spy Observations: jmp 86ms *no contention* 87ms *no contention* 100ms 89ms *no contention* *COLLISION DETECTED* jmp

Latencies Observed by the Spy

Limitations Not all address bits are used for BTB addressing This makes possible collisions in higher and lower halves of address space

Attack Principals (OS/VMM-Level) OS Space Attack Principals (OS/VMM-Level) BTB A: jmp 0xffffa9fe8756 9fe8756 Address tag Target User Space B: B: jmp A: C: 0x0000a9fe8756 9fe8756 Collision: match address tag, not target

KASLR in Linux Result: full KASLR bits recovery in about 60 ms

Latencies Observed by the Spy

Attack Conclusion Partial recovery bits in User-Level programs due to BTB addressing scheme Full fast recovery KASLR bits in Linux kernel and KVM New side channel attack makes current ASLR schemes insecure

Proposed Mitigation Techniques Software Mitigations Randomize more KASLR bits requires reorganization of kernel memory space Fine-grained ASLR: randomize at function, block, instruction level Performance implications Requires recompilation Hardware Mitigations KASLR: prevent user and kernel space collisions User-Level: make unique BTB mappings for each process

Questions?