Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dissecting complex code-reuse attacks with ROPMEMU

Similar presentations


Presentation on theme: "Dissecting complex code-reuse attacks with ROPMEMU"— Presentation transcript:

1 Dissecting complex code-reuse attacks with ROPMEMU
Mariano Graziano Cisco Talos

2 whoami Security researcher at Cisco Talos
Ph.D. from Telecom ParisTech/Eurecom Hackademic Malware analysis / Memory forensics / Mitigations

3 CODE INJECTION ATTACKS

4 CODE INJECTION ATTACKS

5 CODE INJECTION ATTACKS
Attackers inject or load malicious code (or modify the existing one)

6 CODE-REUSE ATTACKS - ROP

7 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

8 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

9 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

10 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

11 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

12 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

13 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

14 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

15 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30) ?!?

16 HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption

17 HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption Persistent ROP rootkit – Vogl et al. [NDSS 14] ROP as an obfuscation technique (malware in the wild) All existing tools cope with injected code No tools to dissect ROP payloads

18 ROP ROOTKITS

19 CHUCK - CHALLENGES Memory region for the persistent control structure
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component

20 CHUCK - CHALLENGES Memory region for the persistent memory region
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component

21 CHUCK - PERSISTENCE CVE-2013-2094 sysenter IA32_SYSENTER_ESP (0x175)
IA32_SYSENTER_EIP (0x176)

22 CHUCK - PERSISTENCE CVE-2013-2094 sysenter
IA32_SYSENTER_ESP (0x175) – Copy chain IA32_SYSENTER_EIP (0x176) - ret

23 1 https://www.sec.in.tum.de/persistent-data-only-malware/
CHUCK PoC1: LPE: CVE OS: Ubuntu Server 3.8 with secure boot Hooks: sys_read sys_getdents Chains: Copy chain (persistent) Dispatcher chain Payload chain 1

24 CHALLENGES

25 CHALLENGES [C1] Verbosity

26 CHALLENGES [C1] Verbosity [C2] Lack of immediate values

27 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining

28 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches

29 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions

30 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains

31 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

32 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

33 CHALLENGES - Lu et al. – ACSAC12 - Yadegari et al. – S&P15 - Stancill et al. – RAID13 - Lu et al. – ACSAC12 [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

34 APPROACH ROPMEMU framework adopts many techniques: Memory forensics
Code emulation Multi-path exploration CFG recovery Compiler transformations

35 IMPLEMENTATION Standalone scripts (bash and python):
Volatility plugins (ropemu and unchain) depend on: Capstone Unicorn nasm Standalone scripts (bash and python): GDB python pygraphviz

36 ROPMEMU

37 ROPMEMU

38 DEMO 0x01 DEMO 0x01

39 ROPMEMU

40 DEMO 0x02 DEMO 0x02

41 ROPMEMU

42 DEMO 0x03 DEMO 0x03

43 ROPMEMU

44 ROPMEMU

45 EXPERIMENT CHAINS INSTRUCTIONS GADGETS BLOCKS BRANCHES FUNCTIONS CALLS
COPY 414275 184126 1 - DISPATCHER 63515 18874 7 3 5 PAYLOAD 6320 2913 34 26 9 17

46 RESULTS - CFG

47 RESULTS - CFG

48 RESULTS - IDA

49 DEMO 0x04 DEMO 0x04

50 LIMITATIONS Prone to anti-acquisition Prone to anti-emulation
Lack of completeness on arbitrary inputs

51 CONCLUSIONS Source code: https://github.com/vrtadmin/ROPMEMU
First public tool to analyze code-reuse payloads Tested on the most complex public threat

52 QUESTIONS? Mariano Graziano @emd3l


Download ppt "Dissecting complex code-reuse attacks with ROPMEMU"

Similar presentations


Ads by Google