Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.

Presentation transcript:

Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer Sciences Department University of Wisconsin ESSoS 2014 Munich, Germany February 27, 2014

Threat Model
- Attack goal: effect some malicious intent by hijacking program control flow
- Historically, accomplished via code injection
[Figure: process address space showing code, entry point, heap, stack and injected shellcode]

Threat Model
- W⊕X prevents code injection
- So, code cannot be executed from the stack or heap
- Alternative (code reuse attacks): construct an exploit using code that already exists within the program's address space
[Figure: process address space showing code, entry point, heap, stack and injected shellcode]

Anatomy of a Code Reuse Attack
- Select gadgets from within the address space of the process
- Chain gadgets together with indirect control flow
- Usually a short attack with the goal of escaping the confining W⊕X environment: exec("/bin/sh")
- indirect jump instructions → "jump-oriented programming" (JOP)

Gadgets shown in the code region (example based on exploit presented in Bletsch et al):

    xchg %eax,%ecx
    fdiv %st(3),%st
    jmp *-0xf(%esi)

    add %edi,%ebp
    jmp *-0x39(%ebp)

    mov 0xc(%esi),%eax
    mov %eax,(%esp)
    call *0x4(%esi)

    add %edi,%ebp
    jmp *-0x39(%ebp)

    sysenter
    …
    pop %ebx


Existing Defenses Against Code Reuse Attacks
Attack steps: select gadgets from within the address space of the process; chain gadgets together with indirect control flow.
- Making gadget discovery difficult:
  - ASLR
  - software diversification
  - removal of useful instruction sequences
  [Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013]
  Limitation: make discovery difficult, not impossible
- Detecting control flow manipulations:
  - shadow stack
  - matched call/return pairs
  [Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013]
  Limitation: defeated by JOP
- Enforcing control flow integrity:
  [Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013]
  Limitation: require binary rewriting of all code

Our Approach
- Define security policy based on well-defined behaviors of the program binary
  - Does not rely on behavior of known attacks
- Use static analysis of binary to extract the model
  - Does not require learning phase or expert knowledge
- Enforce expected behavior
  - Protects against new exploit variations

Our Approach
- Define conformant program execution (CPE) as a set of requirements on program states
  - Valid program counter
  - Valid callstack
- Enforce CPE by monitoring program at runtime
  - Monitor is protected from being exploited because it's in a separate process

Model Component #1
Valid program counter (PC): PC must point to a valid instruction in the original program
[Figure: PC 0xb7fe3424 pointing at a block in the CFG]

    b7fe3424: pop %ebp
    b7fe3425: pop %edx
    b7fe3426: pop %ecx
    b7fe3427: ret

Model Component #2
Valid callstack: for each frame:
1. frame must have valid stack frame height
2. (caller → current frame) must represent a valid control flow transfer in the program
[Figure labels: stack pointer, callstack, CFG, expected stack frame, invalid return address, valid control flow transfer?]

CFG blocks shown in the figure:

    push %ecx
    push %edx
    push %ebp
    mov %esp, %ebp
    sysenter
    …
    jmp b7fe3417

    pop %ebp
    pop %edx
    pop %ecx
    ret

Program Validation
Design decision: when do we validate?
- Option 1: At all instructions
  - "Conformant program execution"
  - Disadvantage: inefficient
- Option 2: At system calls
  - "Observed conformant program execution" (OCPE)
  - Effective because attacks must use the system call interface to modify overall machine state
  - Disadvantage: relies on attack being observable at system calls

ROPStop Implementation
[Figure: ROPStop runs as a separate process next to the monitored application's running process on the operating system, and intercepts the application's system calls via ptrace; it works from the program binary]
1. Attach to running process or launch new process from binary
2. Parse program binary
3. Register callbacks at system calls
4. Continue process
At each system call:
1. Validate current program counter
2. Perform robust stackwalk and validate the current callstack
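The two model components and the per-system-call check above, as an added example (not ROPStop's code): a small static model is consulted to validate the PC and then walk the callstack frame by frame. Only the four addresses b7fe3424 to b7fe3427 come from the slides; the function entries, caller addresses, frame heights and stack snapshots are constructed, and the tables stand in for what static analysis of the binary would produce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Static model of the binary. Everything here is constructed sample data
   except the four pop/pop/pop/ret instruction addresses taken from the slide. */
typedef struct { uint32_t addr, func, height; } Insn;  /* height: bytes from SP to the return-address slot */
typedef struct { uint32_t ret, callee; } CallSite;     /* ret: address after a call; callee 0 = indirect call */
typedef struct { uint32_t base; const uint32_t *words; size_t n; } Stack; /* snapshot starting at SP */
enum { CPE_OK, CPE_BAD_PC, CPE_BAD_FRAME, CPE_BAD_TRANSFER };
#define F_SYS  0xb7fe3414u  /* hypothetical entry of the function holding the slide's epilogue */
#define F_WRAP 0x08048a00u  /* hypothetical wrapper function */
#define F_MAIN 0x08048b00u  /* hypothetical outermost function: the stackwalk stops here */
static const Insn insns[] = {
    {0xb7fe3424u, F_SYS, 12}, {0xb7fe3425u, F_SYS, 8}, {0xb7fe3426u, F_SYS, 4},
    {0xb7fe3427u, F_SYS, 0},  {0x08048a10u, F_WRAP, 8}, {0x08048b20u, F_MAIN, 0},
};
static const CallSite calls[] = { {0x08048a10u, F_SYS}, {0x08048b20u, F_WRAP} };
static const Insn *find_insn(uint32_t pc) {
    for (size_t i = 0; i < sizeof insns / sizeof *insns; i++)
        if (insns[i].addr == pc) return &insns[i];
    return NULL;  /* not an instruction boundary of the original program */
}
static int valid_transfer(uint32_t ret, uint32_t callee) {
    for (size_t i = 0; i < sizeof calls / sizeof *calls; i++)
        if (calls[i].ret == ret && (calls[i].callee == callee || calls[i].callee == 0)) return 1;
    return 0;  /* ret does not follow a call that can reach callee */
}
static int read_word(const Stack *s, uint32_t addr, uint32_t *out) {
    if (addr < s->base || (addr - s->base) % 4 || (addr - s->base) / 4 >= s->n) return 0;
    *out = s->words[(addr - s->base) / 4]; return 1;
}

/* The two checks made at a system call: valid PC, then a frame-by-frame callstack walk. */
int check_ocpe(uint32_t pc, const Stack *s) {
    uint32_t sp = s->base;
    const Insn *in = find_insn(pc);
    if (!in) return CPE_BAD_PC;
    while (in->func != F_MAIN) {
        uint32_t ra;
        if (!read_word(s, sp + in->height, &ra)) return CPE_BAD_FRAME;
        const Insn *caller = find_insn(ra);
        if (!caller || !valid_transfer(ra, in->func)) return CPE_BAD_TRANSFER;
        sp += in->height + 4;  /* pop this frame and its return address */
        in = caller;
    }
    return CPE_OK;
}
/* Constructed snapshots: three saved registers, return address, two locals, return address. */
static const uint32_t benign_w[]  = {0, 0, 0, 0x08048a10u, 0, 0, 0x08048b20u};
static const uint32_t chained_w[] = {0, 0, 0, 0xb7fe3426u, 0, 0, 0x08048b20u};
const Stack benign = {0xbffff000u, benign_w, 7}, chained = {0xbffff000u, chained_w, 7};
int main(void) {
    printf("benign=%d chained=%d\n", check_ocpe(0xb7fe3424u, &benign), check_ocpe(0xb7fe3424u, &chained));
}
```

In the `chained` snapshot the return-address slot holds b7fe3426, which is a valid instruction but does not follow any call site, so the walk fails on the control flow transfer rather than on the PC.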

Evaluation
- Accuracy: False negatives? False positives?
- Overhead

Results: Real Code Reuse Attacks
100% accuracy using real ROP and JOP exploits

Results: Real Code Reuse Attacks
[Figure labels: stack pointer, callstack, CFG, expected stack frame, invalid return address]

CFG blocks shown in the figure:

    push %ecx
    push %edx
    push %ebp
    mov %esp, %ebp
    sysenter
    …
    jmp b7fe3417

    pop %ebp
    pop %edx
    pop %ecx
    ret

Results: SPEC CPU % accuracy (0 false positives), 5.3% overhead (geometric mean)

Results: SPEC CPU2006
Where does the overhead come from?
- PC validity
- Callstack validity
- Monitor context switching (~frequency of system calls)
[Figure labels: system calls/second]

Results: Apache HTTP Server
100% accuracy (0 false positives), 6.3% overhead (geometric mean)

Open Questions
- Data-driven attacks (orthogonal type of attack) [Chen et al. 2005] [Demay et al. 2011]
  - Exploits that modify program data (e.g., system call arguments) to effect an attack
  - May not have visible effects on the program states we monitor
- Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006] [Wagner and Soto 2002]
  - Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place
  - Are designed to have no visible effects on the program states we monitor

Conclusion
- Approach for detecting code reuse attacks
- We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution
- We built a tool to enforce OCPE, ROPStop

Questions?

Overhead breakdown
Table columns: Benchmark; System call rate (calls/second); % Overhead Imposed; % Instruction Validity; % Callstack Validity; % Context Switching
Benchmarks listed: perlbench, bzip, bwaves, gamess, mcf, milc, zeusmp, gromacs, cactusADM, leslie3d, namd, gobmk, soplex, povray, hmmer, sjeng, GemsFDTD, libquantum, h264ref, tonto, lbm, omnetpp, astar, wrf, sphinx