Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.

Slides:

Advertisements

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

Advertisements

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Review: Software Security David Brumley Carnegie Mellon University.

PC hardware and x86 3/3/08 Frans Kaashoek MIT

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

Accessing parameters from the stack and calling functions.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.

6.828: PC hardware and x86 Frans Kaashoek

Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison

Andrew Bernat, Bill Williams Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 New Features in Dyninst

1 Malware Analysis and Instrumentation Andrew Bernat and Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011.

1 Malware Analysis and Instrumentation Andrew Bernat and Kevin Roundy Paradyn Project Center for Computing Science June 14, 2011.

The Deconstruction of Dyninst: Experiences and Future Directions Drew Bernat, Madhavi Krishnan, Bill Williams, Bart Miller Paradyn Project 1.

1 UCR Code Reuse Attacks (II) Slide credits: some slides and figures adapted from David Brumley, AC Chen, and others.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.

Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.

Paradyn Project Petascale Tools Workshop Madison, Wisconsin Aug 4-Aug 7, 2014 Binary Code is Not Easy Xiaozhu Meng, Emily Gember-Jacobson, and Bill Williams.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

Exploitation possibilities of memory related vulnerabilities

AMD64/EM64T – Dyninst & ParadynMarch 17, 2005 The AMD64/EM64T Port of Dyninst and Paradyn Greg Quinn Ray Chen

Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

Introduction to Information Security ROP – Recitation 5.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Binary Concolic Execution for Automatic Exploit Generation Todd Frederick.

Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.

Compiler Construction Code Generation Activation Records

CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 Paradyn Project Deconstruction of Dyninst: Best Practices and Lessons Learned Bill.

1 Assembly Language: Function Calls Jennifer Rexford.

Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 unstrip: Restoring Function Information to Stripped Binaries Using Dyninst Emily.

ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.

Correct RelocationMarch 20, 2016 Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.

ICS51 Introductory Computer Organization Accessing parameters from the stack and calling functions.

Introduction to Information Security

Remix: On-demand Live Randomization

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

Machine-Level Programming 2 Control Flow

Jump-Oriented Programming

C function call conventions and the stack

The Hardware/Software Interface CSE351 Winter 2013

Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry*

Introduction to Information Security

Exploiting & Defense Day 2 Recap

Introduction to Compilers Tim Teitelbaum

Q: Exploit Hardening Made Easy

Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]

New Features in Dyninst 6.1 and 6.2

Hiding Malware Rootkits

Machine Level Representation of Programs (IV)

Week 2: Buffer Overflow Part 2.

RopSteg: Program Steganography with Return Oriented Programming

Computer Organization and Assembly Language

Computer Architecture and System Programming Laboratory

Return-to-libc Attacks

Presentation transcript:

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew Bernat, and Bill Williams

o Attack goal: effect some malicious intent by hijacking program control flow o Historically, accomplished via code injection Threat Model 2 Detecting Code Reuse Attacks Using Dyninst Components entry point code process address space stack heap injected shellcode

o W X prevents code injection o Alternative: construct an exploit using code that already exists within the program’s address space entry point code process address space stack heap injected shellcode Threat Model 3 Detecting Code Reuse Attacks Using Dyninst Components “code reuse attacks”

7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e de a2 87 ad f d2 d2 02 b0 18 b5 f1 b1 fb bb 1f c d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e de a2 87 ad f d2 d2 02 b0 18 b5 f1 b1 fb bb 1f c d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e de a2 87 ad f d2 d2 02 b0 18 b5 f1 b1 fb bb 1f c0 30 e7 c a d9 83 a1 37 1b 2f b c 22 8e de a2 87 ad f d2 d2 02 b0 18 b5 f1 b1 fb bb 1f c d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be Anatomy of a Code Reuse Attack 4 Detecting Code Reuse Attacks Using Dyninst Components xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx Select gadgets from within the address space of the process Chain gadgets together with indirect control flow Usually a short attack with the goal of escaping the confining W X environment exec(“/bin/sh”) code

Anatomy of a Code Reuse Attack 5 Detecting Code Reuse Attacks Using Dyninst Components entry point code process address space stack heap xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) add %edi,%ebp jmp *-0x39(%ebp) add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx sysenter … pop %ebx code injection attackcode reuse attack entry point code process address space stack heap injected shellcode

Previous Code Reuse Attack Defenses o Detect using heuristics based on attack behaviors [Chen et al. 2009,2010], [Davi et al. 2011], [Huang et al. 2012], [Kayaalp et al. 2012] o Enforce control flow integrity at runtime [Abadi et al. 2009], [Bletsch et al. 2011], [Zhang et al. 2013] In the next talk, Tugrul will talk about another interesting defense technique. 6 Detecting Code Reuse Attacks Using Dyninst Components

Our Approach o Define conformant program execution (CPE) as a set of requirements on program states o Valid program counter o Valid callstack o Enforce CPE by monitoring program at runtime 7 Detecting Code Reuse Attacks Using Dyninst Components

Model Component #1 Valid program counter (PC): PC must point to instruction in the original program 8 Detecting Code Reuse Attacks Using Dyninst Components b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret CFG 0xb7fe3424 PC

Model Component #2 Valid callstack: For each frame: 1.frame must have valid stack frame height 2.(caller  current frame) must represent a valid control flow transfer in the program 9 Detecting Code Reuse Attacks Using Dyninst Components stack pointer stack height caller frame: foo current frame: bar foo push %ecx push %edx push %ebp mov %esp, %ebp sysenter pop %ebp … push %ecx push %edx push %ebp mov %esp, %ebp sysenter pop %ebp … callstack CFG

Program Validation Design decision: when do we validate? o Option 1: At all instructions o “Conformant program execution” o Disadvantage: inefficient o Option 2: At system calls o “Observed conformant program execution”(OCPE) o Effective because attacks must use the system call interface to modify overall machine state 10 Detecting Code Reuse Attacks Using Dyninst Components

ROPStop Implementation 11 Detecting Code Reuse Attacks Using Dyninst Components binary running process Initialization 1.Attach to running process or launch new process from binary 2.Parse program binary 3.Register callbacks at system calls 4.Continue process At each system call 1.Validate current program counter 2.Perform robust stackwalk and validate the current callstack ParseAPI A Dyninst Component ProcControlAPI A Dyninst Component InstructionAPI A Dyninst Component StackwalkerAPI A Dyninst Component DataflowAPI A Dyninst Component ROPStop or

Accuracy Evaluation 12 Detecting Code Reuse Attacks Using Dyninst Components Overhead

Results: Real Code Reuse Attacks 13 Detecting Code Reuse Attacks Using Dyninst Components 100% accuracy using real ROP and JOP exploits

Results: SPEC CPU Detecting Code Reuse Attacks Using Dyninst Components 100% accuracy (0 false positives), 5.42% overhead (geometric mean)

Open Questions o Data-driven attacks (orthogonal type of attack) [Chen et al. 2005], [Demay et al. 2011] o Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006], [Wagner and Soto 2002] 15 Detecting Code Reuse Attacks Using Dyninst Components

Conclusion o We defined conformant program execution and an efficient approximation, observed conformant program execution o We built a tool to enforce OCPE, ROPStop, on top of Dyninst components 16 Detecting Code Reuse Attacks Using Dyninst Components

Questions? o For more details, our paper is available at: ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson13ROPStop.pdf o Come see the demo on Tuesday 17 Detecting Code Reuse Attacks Using Dyninst Components