USENIX Security Symposium, Baltimore, MD, 2005
Non-Control-Data Attacks Are Realistic Threats
Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer

Presentation transcript:

Non-Control-Data Attacks Are Realistic Threats
Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer
Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign
Department of Computer Science, North Carolina State University
* Cybersecurity and Systems Management Group, Microsoft Research

Control Data Attack: Well-Known, Dominant
- Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code
  - E.g., code injection, mimicry attack and return-to-libc
- Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin]
  - By exploiting many vulnerabilities such as buffer overflow, format string bug, integer overflow, double free, etc.
- Many current defense techniques: enforce control data integrity to provide security.

Non-Control-Data Attack
- Non-control-data attacks: attacks not corrupting any control data
  - i.e., attacks preserving the integrity of control flow of the victim process
- Currently very rare in reality
  - Very few instances documented in literature.
  - Several papers: theoretically possible to construct non-control-data attacks against synthetic programs.
  - Not yet considered as a serious threat
- How applicable are such attacks against real-world software?
  - Why rare: attackers' incapability or lack of incentives?
  - No focused investigation yet.

Motivating Facts
- Random hardware memory errors could subvert the security of real-world systems.
  - Boneh and DeMillo: random errors allow deriving secret keys in CRT-based RSA implementation. [Eurocrypt97]
  - Our previous work: authentication of SSH and FTP servers, packet filtering of Linux firewalls can be compromised. [DSN01 and DSN02]
  - Govindavajhala and Appel: Java type system can be subverted. [S&P03]
  - None of them is a control-data attack. A wide range of real-world software is susceptible.
- Software vulnerabilities are more deterministic and more amenable to attacks.
- Many software vulnerabilities are essentially memory fault injectors: overwriting an arbitrary memory location
  - Heap overflow
  - Double free
  - Format string bug
  - Integer overflow

Our Claim: General Applicability of Non-Control-Data Attacks
- The claim:
  - Many real-world software applications are susceptible to non-control-data attacks.
  - The severity of the attack consequences is equivalent to that due to control data attacks.
- Goal of our project
  - Experimentally validate the claim
    - Construct non-control-data attacks to compromise the security of representative applications
  - Discuss the implications of the claim on current defensive techniques
  - Call for comprehensive defensive techniques

Selection of Target Applications
- Real-world applications, not synthetic applications.
- Leading application categories
  - CERT advisories (2000 – 2004)
    - 84% are server vulnerabilities
    - HTTP service (18%), database service (10%), remote login service (8%), mail service (5%), FTP service (4%).
- Selection criteria
  - Different types of vulnerabilities should be covered
  - Different types of server applications should be studied
- Practical constraints for our selection
  - Uncertainties in many vulnerability reports: really exploitable?
  - Proprietary source code
  - Limited information about details of many vulnerabilities
- Eventually, we selected
  - Open-source FTP, SSH, Telnet, HTTP servers
  - Stack buffer overflow, format string, heap corruption, integer overflow.

Non-Control-Data Attack against WU-FTPD Server (via a format string bug)

    int x;

    FTP_service(...) {
        authenticate();
        x = user ID of the authenticated user;
        seteuid(x);
        while (1) {
            get_FTP_command(...);
            if (a data command?)
                getdatasock(...);
        }
    }

    getdatasock(...) {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Walkthrough (the slide's annotations, in execution order):
- Before authenticate(): x uninitialized, run as EUID 0
- After authenticate(): x=109, run as EUID 0
- After seteuid(x): x=109, run as EUID 109. Lose the root privilege!
- Get a special SITE EXEC command. Exploit a format string vulnerability: x=0, still run as EUID 109.
- Get a data command (e.g., PUT). In getdatasock(), seteuid(0) then seteuid(x): x=0, run as EUID 0
- When return to service loop, still runs as EUID 0 (root). Allow us to upload /etc/passwd. We can grant ourselves the root privilege!
- Only corrupt an integer, not a control data attack.

Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug)
- Attack the configuration string of CGI-BIN path.
- Mechanism of CGI
  - suppose server name = [omitted in transcript], CGI-BIN = /usr/local/httpd/exe
  - Requested URL = [omitted in transcript], naming the CGI program /bar
  - The server executes CGI-BIN + /bar, i.e. /usr/local/httpd/exe/bar
- Our attack
  - Exploit the vulnerability to overwrite CGI-BIN to /bin
  - Request URL [omitted in transcript], naming the program /sh
  - The server executes /bin/sh
- The server gives me a root shell! Only overwrite four characters in the CGI-BIN string.

Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug)

    void do_authentication(char *user, ...) {
        int auth = 0;
        ...
        while (!auth) {
            /* Get a packet from the client */
            type = packet_read();
            switch (type) {
            ...
            case SSH_CMSG_AUTH_PASSWORD:
                if (auth_password(user, password))
                    auth = 1;
            case ...
            }
            if (auth) break;
        }
        /* Perform session preparation. */
        do_authenticated(...);
    }

Walkthrough (the slide's annotations, in execution order):
- After int auth = 0: auth = 0
- After packet_read(): password incorrect, but auth = 1
- At if (auth) break: auth = 1
- do_authenticated(...) runs: logged in without correct password

More Non-Control-Data Attacks
- Against NetKit Telnet server (default Telnet server of Redhat Linux)
  - Exploit a heap overflow bug
  - Overwrite two strings:
    - /bin/login –h foo.com -p (normal scenario)
    - /bin/sh –h –p -p (attack scenario)
  - The server runs /bin/sh when it tries to authenticate the user.
- Against GazTek HTTP server
  - Exploit a stack buffer overflow bug
  - Send a legitimate URL [omitted in transcript]
  - The server checks that /.. is not embedded in the URL
  - Exploit the bug to change the URL to [omitted in transcript]
  - The server executes /bin/sh

What Do Non-Control-Data Attacks Imply?
- Control flow integrity is not a sufficiently accurate approximation to software security.
- Many types of non-control data are critical to security
  - User identity data, configuration data, user input data and decision-making data
- Once attackers have the incentive, they are likely to succeed in non-control-data attacks.

Discussions on Current Defensive Techniques
- Defenses based on control flow integrity
  - Monitor system call sequences
  - Protect control data
    - Non-executable stack and heap
    - Pointer encryption (PointGuard)
      - Identifying pointers in low level code is really challenging
- Address space randomization
  - Challenge: need to randomize every program segment
  - Limitation: 32-bit address space cannot provide sufficient entropy
- Memory safety enforcement
  - Promising direction, e.g., CCured, Cyclone, CRED
  - Currently difficult to migrate existing large code bases to a memory safe version. Incurs runtime overhead. Difficult to ensure memory safety for low-level code.
- Still open: to design a generic and secure defense

Mitigating Factors
- Requiring application-specific semantic knowledge
  - Control-data attacks are unrelated to the semantics of the victim process (hijack the control flow, do whatever you like)
  - Non-control-data attacks rely on the semantics of the victim process
  - Not a fundamental constraint
    - Semantics of widely used applications will be well understood, if attackers have strong incentives
    - The more instances attackers see, the easier they can clone new ones. A matter of experience.
- Lifetime of security-critical data
  - Attacks are not possible if the vulnerabilities exist outside the lifetime of the target data.
  - Programs can be modified to reduce data lifetime to enhance security.

Reducing Data Lifetime for Security

Original WU-FTPD (lifetime of x is global):

    siteexec() { }

    getdatasock() {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Modified WU-FTPD (lifetime of the seteuid() argument is limited to getdatasock()):

    siteexec() { }

    getdatasock() {
        tmp = geteuid();
        seteuid(0);
        setsockopt(...);
        seteuid(tmp);
    }

Reducing Data Lifetime for Security

Original SSHD:

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            switch (type) {
            case CMSG_AUTH_PASSWORD:
                if (auth_password(passwd))
                    auth = 1;
            case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }

Modified SSHD (lifetime of the auth flag is one loop iteration):

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            auth = 0;
            switch (type) {
            case CMSG_AUTH_PASSWORD:
                if (auth_password(passwd))
                    auth = 1;
            case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }
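As an added example (not code from the slides, WU-FTPD or SSHD), the two lifetime-reduction fixes from this slide and the previous one modelled side by side in plain C: a simulated EUID stands in for the kernel's, and a `fault` parameter stands in for the memory corruption the slides describe, so the original and modified versions can be compared on the same input. All names and values are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* ---- Simulated process credentials (constructed stand-in for the kernel EUID) ---- */
static int current_euid = 109;                 /* constructed: unprivileged user */
static int sim_geteuid(void) { return current_euid; }
static void sim_seteuid(int uid) { current_euid = uid; }

/* Original WU-FTPD pattern: the user ID lives in a global for the whole session. */
static int x = 109;
static void getdatasock_original(void) {
    sim_seteuid(0);         /* temporarily root to set socket options */
    /* setsockopt(...) */
    sim_seteuid(x);         /* restore from the long-lived global */
}

/* Modified pattern from the slide: remember the current EUID in a temporary whose
 * lifetime is only this call, so a corrupted global cannot decide what we drop to. */
static void getdatasock_modified(void) {
    int tmp = sim_geteuid();
    sim_seteuid(0);
    /* setsockopt(...) */
    sim_seteuid(tmp);
}

/* Returns the EUID the service loop continues with after a data command, given the
 * value x holds at that time (109 normally; 0 models the corrupted global). */
static int euid_after_data_command(int x_value, bool modified) {
    current_euid = 109;     /* the authenticated session already dropped privilege */
    x = x_value;
    if (modified) getdatasock_modified(); else getdatasock_original();
    return current_euid;
}

/* ---- Simulated SSHD authentication loop ---- */
enum { CMSG_AUTH_PASSWORD = 1, CMSG_IGNORE = 2 };
struct packet { int type; const char *password; };
static int auth_password(const char *pw) {
    return pw && strcmp(pw, "constructed-secret") == 0;   /* constructed expected secret */
}

/* Models the corruption during packet_read(): while packet `fire_at` is read, the auth
 * flag's memory receives `value`. fire_at < 0 means no fault. */
struct fault { int fire_at; int value; };

/* Returns 1 when the loop would go on to do_authenticated(). reset_each_packet selects
 * the modified loop, which clears auth right after packet_read(). */
static int do_authentication(const struct packet *pkts, int n, struct fault f, bool reset_each_packet) {
    int auth = 0;
    for (int i = 0; i < n && !auth; i++) {
        int type = pkts[i].type;                     /* packet_read() */
        if (f.fire_at == i) auth = f.value;          /* corruption while reading the packet */
        if (reset_each_packet) auth = 0;             /* modified SSHD: shorten the flag's lifetime */
        switch (type) {
        case CMSG_AUTH_PASSWORD:
            if (auth_password(pkts[i].password)) auth = 1;
            break;
        default:
            break;
        }
        if (auth) break;                             /* only a real password check can get here */
    }
    return auth;
}
```

With the fault present and a wrong password, the original loop returns 1 and the modified loop returns 0; with the corrupted global, the original getdatasock leaves EUID 0 while the modified one restores 109.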

Conclusions
- Major claim: many real-world software applications are susceptible to attacks that do not hijack program control flow.
- Constructing a generic and secure defensive technique to defeat both control-data attacks and non-control-data attacks is still an open problem.
- Reducing data lifetime is a secure programming practice to increase software resilience to attacks.

Links
- DEPEND Research Group, Univ. of Illinois
- Prof. Jun Xu's Research Group, North Carolina State University
- Cybersecurity and Systems Management Group, Microsoft Research (a.k.a. the Strider team)