Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis.

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.
Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14.
Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Defending against Return-Oriented Programming
Review: Software Security David Brumley Carnegie Mellon University.
Framing Signals— A Return to Portable Shellcode
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
Accessing parameters from the stack and calling functions.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
0wning Antivirus Alex Wheeler Neel Mehta
Application Security Tom Chothia Computer Security, Lecture 14.
SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Computer Security 2014 – Ymir Vigfusson Some slides borrowed from David Brumley’s lectures at CMU, and Vitaly Shmatikov’s CS380S.
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly rogueclown DerbyCon 3.0 September 28, 2013.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.
Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad
CS457 – Introduction to Information Systems Security Projects Elias Athanasopoulos
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
Exploitation possibilities of memory related vulnerabilities
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
CNIT 127: Exploit Development Ch 1: Before you begin.
Introduction to Information Security ROP – Recitation 5.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 unstrip: Restoring Function Information to Stripped Binaries Using Dyninst Emily.
Correct RelocationMarch 20, 2016 Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Lecture 18: ROP - Continued CS 2011 Spring 2016, Dr. Rozier.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
Dissecting complex code-reuse attacks with ROPMEMU
Exploiting & Defense Day 1 Recap
Introduction to Information Security
Remix: On-demand Live Randomization
Static and dynamic analysis of binaries
Overview Firefox exploit Instrumentation: Finding values
Introduction to Information Security
Exploiting & Defense Day 2 Recap
Introduction to Compilers Tim Teitelbaum
CSC 495/583 Topics of Software Security Return-oriented programming
A System for Protecting the Integrity of Virtual Function Tables
asum.ys A Y86 Programming Example
Q: Exploit Hardening Made Easy
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Defeating Instruction Set Randomization Nora Sovarel
Hiding Malware Rootkits
Week 2: Buffer Overflow Part 2.
X86 Assembly Review.
RopSteg: Program Steganography with Return Oriented Programming
0wning Antivirus Alex Wheeler
ICS51 Introductory Computer Organization
Return-to-libc Attacks
Presentation transcript:

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis Columbia University

Machine Code-Level Attacks & Defenses 5/23/2012Vasilis Pappas - Columbia University2 Code Injection W⊗XW⊗X W⊗XW⊗X Code-reuse ASLR

Information Leaks Break ASLR [Ser12] 5/23/2012Vasilis Pappas - Columbia University3

ASLR is Not Fully Adopted Executable programs in Ubuntu Linux – Only 66 out of 1,298 binaries in /usr/bin [SAB11] Popular third-party Windows applications – Only 2 out of 16 [Pop10] 5/23/2012Vasilis Pappas - Columbia University4

This Work Code randomization Applicable on third-party applications (Practically) Zero performance overhead 5/23/2012Vasilis Pappas - Columbia University5

Overview Background In-place code randomization Results Summary 5/23/2012Vasilis Pappas - Columbia University6

Return-Oriented Programming 0xb x xb x xb xb x xb Stack Code 0xb : pop eax ret... 0xb : pop ebx ret... 0xb : add eax, ebx ret... 0xb : mov [ebx], eax ret esp Actions eax = 1 ebx = 2 eax += ebx ebx = 0x *ebx = eax Vasilis Pappas - Columbia University5/23/20127

ROP Defenses Performance Overhead Low High Program binary Source code Requires ROPdefender [DSW11] DROP [CXS+09] DROP++ [CXH+11] Vasilis Pappas - Columbia University5/23/20128 G-Free [OBL+10] Return-less [LWJ+10] CFL [BJF11]

Why In-Place? Randomization usually changes the code size – Need to update the control-flow graph (CFG) But, accurate static disassembly of stripped binaries is hard ➔ Incomplete CFG (data vs. code) ➔ Code resize not an option Must randomize in-place! 5/23/2012Vasilis Pappas - Columbia University9

Randomizations Instruction Substitution Instruction Reordering – Intra Basic Block – Register Preservation Code Register Reassignment 5/23/2012Vasilis Pappas - Columbia University10

Instruction Substitution 5/23/201211Vasilis Pappas - Columbia University mov al,0x1 cmp al,bl lea eax,[ebp-0x80] add [edx],edi ret mov al,0x1 cmp bl,al lea eax,[ebp-0x80] add [eax],edi fmul [ebp+0x ] B0B0 013A3A C3C3 8D8D B0B0 0138D8D8 8D8D

Instruction Reordering (Intra BBL) 5/23/201212Vasilis Pappas - Columbia University 8B mov eax,[ecx+0x10] 53 push ebx 8B 59 0C mov ebx,[ecx+0xC] 3B C3 cmp eax,ebx mov [ecx+0x8],eax 7E 4E jle 0x5c 59 push ebx 0C 3B or al,0x3B C3 ret

Instruction Reordering (Intra BBL) 5/23/201213Vasilis Pappas - Columbia University 8B mov eax,[ecx+0x10] 53 push ebx 8B 59 0C mov ebx,[ecx+0xC] 3B C3 cmp eax,ebx mov [ecx+0x8],eax 7E 4E jle 0x5c 41 inc ecx B C3 adc [ecx-0x3CC4F7BF],cl

Register Preservation Code Reordering 5/23/2012Vasilis Pappas - Columbia University14 push ebx push esi mov ebx,ecx push edi mov esi,edx. pop edi pop esi pop ebx ret push edi push ebx push esi mov ebx,ecx mov esi,edx. pop esi pop ebx pop edi ret Prolog Epilog

Register Reassignment 5/23/2012Vasilis Pappas - Columbia University15 eax edi Live regions function: push esi push edi mov edi,[ebp+0x8] mov eax,[edi+0x14] test eax,eax jz 0x4A80640B mov ebx,[ebp+0x10] push ebx lea ecx,[ebp-0x4] push ecx push edi call eax... function: push esi push edi mov eax,[ebp+0x8] mov edi,[edi+0x14] test edi,edi jz 0x4A80640B mov ebx,[ebp+0x10] push ebx lea ecx,[ebp-0x4] push ecx push eax call edi...

Implementation – Orp Focused on the Windows platform – Could be integrated in Microsoft’s EMET CFG is extracted using IDA Pro – Implicitly used registers – Liveness analysis (intra and inter-function) – Register categorization (arg., preserved, etc.) – Randomizations – Binary rewriting (relocations fixing, etc.) 5/23/2012Vasilis Pappas - Columbia University16

Evaluation Correctness and performance – Execute Wine’s test suite using randomized versions of Windows DLLs Randomization Coverage Real-World Exploits ROP Compilers 5/23/2012Vasilis Pappas - Columbia University17

Randomization Coverage 5/23/2012Vasilis Pappas - Columbia University18 Dataset: 5,235 PE files (~0.5GB code) from Windows, Firefox, iTunes and Reader

Real-World Exploits 5/23/2012Vasilis Pappas - Columbia University19 Exploit/Reusable PayloadUnique GadgetsModifiableCombinations Adobe Reader v Integard Pro v K Mplayer Lite r M msvcr71.dll (While Phosphorus)1493.3M msvcr71.dll (Corelan)1681.7M mscorie.dll (White Phosphorus)10425K mfc71u.dll (Corelan)116170K Modifiable gadgets were not always directly replaceable!

ROP Compilers Mona.py constructs DEP+ASLR bypassing code – Allocate a WX buffer, copy shellcode and jump Q [SAB11] is the state-of-the-art ROP compiler – Designed to be robust against small gadget sets Is it possible to create a randomization- resistant payload? 5/23/2012Vasilis Pappas - Columbia University20

ROP Compilers Results Non-ASLR Code BaseMona Orig. Rand. Q Orig. Rand. Adobe Reader v9.3.4 ✓✗✓✗ Integard Pro v2.2.0 ✗✗✓✗ Mplayer Lite r33064 ✓✗✓✗ msvcr71.dll ✗✗✓✗ mscorie.dll ✗✗✗✗ mfc71u.dll ✓✗✓✗ 5/23/2012Vasilis Pappas - Columbia University21 Both failed to construct payloads from non-randomized code!

Summary In-place code randomization – Requires no source code or debug symbols – (Practically) Zero performance overhead – Breaks 80% of gadgets – Prevented real exploits and ROP compilers Get the code (Python): 5/23/2012Vasilis Pappas - Columbia University22

References 5/23/2012Vasilis Pappas - Columbia University23 [Ser12] Fermin J. Serna. The case of the perfect info leak, [SAB11] Edward J. Schwartz et al. Q: exploit hardening made easy. USENIX Security, [Pop10] Alin Rad Pop. Dep/aslr implementation progress in popular third-party windows applications, http: //secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf. [Sha07] Hovav Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). CCS, [CDD+10] Stephen Checkoway et al. Return-oriented programming without returns. CCS, 2010 [BJFL11] Tyler Bletsch et al. Jump-oriented programming: a new class of code-reuse attack. ASIACCS, [LZWG11b] Kangjie Lu et al. Packed, printable, and polymorphic return-oriented programming, RAID, [DSW11] Lucas Davi et al. Ropdefender: a detection tool to defend against return-oriented programming attacks. ASIACCS, 2011 [CXS+09] Ping Chen et al. Drop: Detecting return-oriented programming malicious code, ICISS, [CXH+11] Ping Chen et al. Efficient detection of the return-oriented programming malicious code, ICISS, [OBL+10] Kaan Onarlioglu et al. G-free: defeating return-oriented programming through gadget-less binaries. ACSAC, [LWJ+10] Jinku Li et al. Defeating return-oriented rootkits with “return-less” kernels. EuroSys, [BJF11] Tyler Bletsch et al. Mitigating code-reuse attacks with control-flow locking. ACSAC, 2011.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.