Defeating Memory Corruption Attacks via Pointer Taintedness Detection Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer † ‡ Department of Computer Science, North Carolina State University, North Carolina State University, U.S.A. U.S.A. † Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, U.S.A. U.S.A. IEEE International Conference on Dependable Systems and Networks Yokohama, Japan, June 30, 2005

2 Introduction Memory corruption attack Major threat of Internet Major threat of Internet Current dominant form: Control data attack Current dominant form: Control data attack Our contributions Non-control data attacks are realistic Non-control data attacks are realistic More general observation: pointer taintedness More general observation: pointer taintedness A new architecture for detection A new architecture for detection

3 Outline Non-control Data Attacks The Concept of Tainted Pointers Processor Architecture for Pointer Taintedness Detection Experimental Evaluation Conclusion

4 Control Data Attack Control data attack a.k.a. control hijacking or code-injection attack a.k.a. control hijacking or code-injection attack Dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] Dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] Control data (code pointers) data used as targets of call, return and jump data used as targets of call, return and jump widely understood as security critical-data widely understood as security critical-data Many existing defenses: enforce security via control data integrity

5 Control Data Attack – An Example WU-FTPD format string attack Execute malicious code Overwrite a return address Embed malicious contents in input get an FTP command Authentication; x = user ID repeat FTP_service() seteuid(x) SITE_EXEC(fmt) printf(fmt,…) seteuid(0) exec(“/bin/sh”)

6 Non-Control-Data Attack: A Realistic Threat Non-control-data: not control data (code pointers), attacks corrupt application-specific data Not been seriously considered We constructed non-control-data attacks against a number of real world applications Equivalent security compromise as control data attacks Equivalent security compromise as control data attacks Root privilege on HTTP, SSH, Telnet and FTP servers Root privilege on HTTP, SSH, Telnet and FTP servers Corrupting user identify data, configuration data, user input data, and decision-making data Corrupting user identify data, configuration data, user input data, and decision-making data Will appear in USENIX Security Symposium, Aug 2005 Will appear in USENIX Security Symposium, Aug 2005

7 Non-Control Data Attack – An Example WU-FTPD format string attack Overwrite x (saved user ID) Embed malicious contents in input get an FTP command Authentication; x = user ID repeat FTP_service() seteuid(x) SITE_EXEC(fmt) printf(fmt,…) getdatasock(... ) { seteuid(0); setsockopt(... ); seteuid(x); }

8 More Non-Control-Data Attacks Against NULL HTTP server Corrupt the configuration string of CGI-BIN path. Corrupt the configuration string of CGI-BIN path. Run /bin/sh as a CGI program Run /bin/sh as a CGI program Against SSH Communications SSH server Corrupt a Boolean Corrupt a Boolean Log in as root with an arbitrary password Log in as root with an arbitrary password Against GazTek HTTP server Corrupt user URL input Corrupt user URL input Run /bin/sh as a CGI program Run /bin/sh as a CGI program New threat calling for new defense How can we defeat both control-data and non-control-data attacks? How can we defeat both control-data and non-control-data attacks?

9 Pointer Taintedness Detection Tainted pointers: code or data pointers derived from malicious user input Root cause of a large class of memory corruption attacks (control-data or non-control- data) Detection of tainted pointers Defeat a large class real-world memory attacks, e.g., stack smashing, format string, heap corruption, integer overflow Defeat a large class real-world memory attacks, e.g., stack smashing, format string, heap corruption, integer overflow

10 Internals of Stack Buffer Overflow Attacks Vulnerable code: char buf[100]; strcpy(buf,user_input); Return addr Frame pointer buf[99]…buf[1]buf[0] High Low Stack growth buf user_input Frame pointer or return address can be tainted.

11 Runtime Pointer Taintedness Detection A processor architectural level mechanism to detect pointer taintedness Implemented a taintedness-aware memory system Implemented a taintedness-aware memory system One-bit extension for each byte to indicate the taintedness of the byte One-bit extension for each byte to indicate the taintedness of the byte Taintedness initialization Taintedness initialization Tag every byte of data received from external input sources Taintedness tracking Taintedness tracking Tainedness is propagated by ALU instructions Tainedness is propagated by ALU instructions Attack detection Attack detection When a tainted value is dereferenced (i.e., used as a pointer). When a tainted value is dereferenced (i.e., used as a pointer). On SimpleScalar processor simulator

12 ALU taintedness tracking logic Register File 4 bits 32 bits ALUALU Bitwise OR 32 bits36 bits 4 bits MUXMUX MUXMUX 36 bits Data Memory 36 bits MUXMUX ID/EX EX/MEM MEM/WB MUX Opcode Compare specific logic Shift specific logic XOR specific logic MUXMUX 0 alert jr? MUX 4 bits 0 alert load/ store? Jump pointer taintedness detector Data pointer taintedness detector 8-bit byte Taintedness bit 36 bits store path load path AND specific logic

13 Related Work on Taintedness Perl security Shankar and Wagner (2001) Static analysis to uncover format string vulnerabilities Static analysis to uncover format string vulnerabilities Our previous work on pointer taintedness (Aug. 2004) A source code analysis technique to uncover pointer taintedness vulnerabilities A source code analysis technique to uncover pointer taintedness vulnerabilities Reasoning taintedness at machine code level, relying on an extended memory model Reasoning taintedness at machine code level, relying on an extended memory model More recent work: Secure Program Execution (MIT), Minos (UC-Davis) and TaintCheck (CMU) (late 2004 and early 2005) Similar memory model Similar memory model Taintedness of control data Taintedness of control data Pointer taintedness vs. control-data taintedness  cause vs. result of memory corruption Pointer taintedness vs. control-data taintedness  cause vs. result of memory corruption

14 Evaluation Attack detection effectiveness Synthetic vulnerable programs Synthetic vulnerable programs Real-world network applications Real-world network applications Evaluation of false positives Real-world network applications Real-world network applications SPEC 2000 benchmarks SPEC 2000 benchmarks Potential false negative scenarios

15 Attack Detection Effectiveness First, test on synthetic vulnerable programs All attacks (control/non-control data) are detected Stack Buffer Overflow Heap Corruption Attack Format String Attack Vulnerable program void exp1() { char buf[10]; char buf[10]; scanf("%s",buf); scanf("%s",buf);} void exp2() { char * buf; char * buf; buf = malloc(8); buf = malloc(8); scanf("%s",buffer); scanf("%s",buffer); free(p); free(p);} void exp3(int s) { char buf[100]; char buf[100]; recv(s,buf,100,0); recv(s,buf,100,0); printf(buf); printf(buf);} Input data (network/console)aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabcd%x%x%x%n Violating instruction 400a38: JR $31 401dc0: LW $3,0($3) 402d60: SW $21,0($3) Tainted data $31= 0x $3 = 0x $3=0x

16 Attack Detection Effectiveness (cont.) Evaluation on real world network applications All attacks are detected No difference between control-data attack and non-control-data attack from the viewpoint of pointer taintedness WU-FTP server Format string attack Overwrite user identity data (non-control-data)detected GazTek HTTP server Stack buffer overflow attack Overwrite user input data (non-control-data)detected NULL HTTP server Heap corruption attack Overwrite configuration data (non-control-data)detected traceroute Double free Function pointer (control-data)detected

17 Transparency and False Positive No need for re-compilation, run existing binary executables Results from network applications: no false positives Results from SPEC benchmarks 15 billion instructions without any false positive 15 billion instructions without any false positive Conclusion: No known false positive BZIP2GCCGZIPMCFPARSERVPRTotal Program size 321KB4184KB485KB304KB595KB697KB6586KB Total number of input bytes 1048KB77.7K282KB39.2KB743.0KB6.4KB2186KB Total number of instructions 5,951M110M6,926M1,653M389M108M15,139M Alert generated? NoNoNoNoNoNoNo

18 Potential False Negative Scenarios Incorrect array index boundary check Determining correct array size requires source code analysis – very hard at binary level Determining correct array size requires source code analysis – very hard at binary level Buffer overflow within the local frame If no pointer is tainted, no alert is raised If no pointer is tainted, no alert is raised Unlikely to cause severe security damage because attacker-controllable location is very limited Unlikely to cause severe security damage because attacker-controllable location is very limited Format string attack causing information leak Allows inspection of some memory data words Allows inspection of some memory data words Cause security compromises if these words containing security-critical secret, e.g., key and password Cause security compromises if these words containing security-critical secret, e.g., key and password

19 Integer overflow Induced Array Index Out of Bound void foo(unsigned int ui) { 1: int i = ui; 2: if (i >= ArraySize) 3: i = ArraySize – 1; 4: array[i] = 1; }

20 Buffer overflow causing critical flags to be corrupted void bar () { 1: int auth; 2: char buf[100]; 3: auth = do_auth (); 4: scanf(“%s”,buf); 5: if (auth) grant_access(); }

21 Format string attack causing information leak void leak() { 1: int secret_key; 2: char buf[12]; 3: recv(s,buf,12,0); 4: printf(buf); } “%x%x%x%x”

22 Conclusions Contributions: Non-control-data attack is a realistic threat Non-control-data attack is a realistic threat Memory corruption attacks, including control-data attacks and non-control-data attacks, are due to pointer taintedness Memory corruption attacks, including control-data attacks and non-control-data attacks, are due to pointer taintedness Proposed a runtime pointer taintedness detection architecture - Substantial improvement in security coverage Proposed a runtime pointer taintedness detection architecture - Substantial improvement in security coverageEvaluation transparent to existing applications transparent to existing applications a near-zero false positive rate a near-zero false positive rate We plan to implement this approach in the Hardware framework for detection and recovery

23 Questions?

24 Another Motivating Example NULL-HTTPD heap corruption attack Overwrite function pointer foo Corrupt heap structure Execute malicious code process HTTP header p=malloc(…) repeat HTTP_service() HTTP_POST() recv(p,…) seteuid(0) exec(“/bin/sh”) free(p) *foo()

25 Non-Control-Data Attack against WU-FTP Server int x; site_exec() { a format string vulnerability } getdatasock(... ) { seteuid(0); setsockopt(... ); seteuid(x); } Overwrite an integer representing user ID  obtain the root privilege of the server

26 ap: argument pointer fmt: format string pointer Internals of Format String Attack In vfprintf(), if (fmt points to “%n”) then **ap = (character count) Vulnerable code: recv(buf); printf(buf); /* should be printf(“%s”,buf) */ \xdd \xcc \xbb \xaa %d %d %d %n …%n%d%d%d0xaabbccdd fmt: format string pointer ap: argument pointer High Low Stack growth *ap is a tainted value.

27 Future Directions Combination of static code analysis and architecture support To automatically derive predicates to be checked by processor at runtime To automatically derive predicates to be checked by processor at runtime Reliability and security support for embedded systems Migrate our current techniques to embedded systems Migrate our current techniques to embedded systems New topics: cell phone virus, reduced power consumption, tamper-resistance hardware, crypto and authentication hardware/software New topics: cell phone virus, reduced power consumption, tamper-resistance hardware, crypto and authentication hardware/software

28