Download presentation
Presentation is loading. Please wait.
Published byWarren Skinner Modified over 6 years ago
1
Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin
2
Recent Memory Error Exploits
Memory-corruption exploits are still being actively used. E.g., Heap spray, buffer overflow. Recent memory-corruption techniques are more sophisticated. Need to bypass widely-adopted defense mechanisms. A successful attack depends on multiple steps. Existing techniques of attack diagnosis mainly focus on diagnosing a single step of the process.
3
Simple Stack Buffer Overflow
An attacker overwrites vulnerable function return address, which points to shellcode on stack. Recent defense solutions make it hard to directly execute injected code. Security cookie, ALSR, DEP shellcode Stack growth return address Only one step buffer Attackers need a way to find the shellcode
4
Motivating Example: Structured Exception Handling
Structured Exception Handling (SEH) is a mechanism for handling exceptions on Windows. FS:[0] SEH frame Stack top TIB Stack bottom Stack growth ··· exception handler SEH Record prev DispatcherContext arguments prepared by OS for exception handler ContextRecord EstablisherFrame ExceptionRecord
5
Exploiting SEH Mechanism
step 2 exception handler SEH Record popd %eax popd %ebx ret eip prev eip eip eip return address Stack growth security cookie step 1 buffer DispatcherContext step 3 arguments prepared by OS for exception handler ContextRecord EstablisherFrame esp ExceptionRecord esp return address of exception handler function return address esp
6
Challenges Identifying key steps
The complete picture of an attack: all steps from the initial vulnerability exploit to the malicious code execution are necessary. Difficulty for dependency-based analysis Direct data dependency analysis cannot detect all key steps E.g., in step 3 in the above SEH exploit, the address to shellcode is provided by the OS
7
Our Observation Exploits usually use program features in an unintended way. Pointer misuses are often the basis of memory-corruption exploits. Pointer misuses in the SEH attack A corrupted return address raises an exception. A corrupted exception handler executes a pop-pop-return sequence (PPR slice) The PPR slice uses a pointer to exception registration record as the return address.
8
Key Technique Detect pointer misuses by inferring and checking data types on instruction operands Pointer misuses is detected as type conflicts during variable types inferring. Pointer misuse is one of the most important characteristics of key attack steps, so this approach detects misuses as key steps.
9
Our Solution PointerScope
Detecting key steps of sophisticated memory-corruption exploits Illustrating attacks’ big pictures using key-step graphs PointerScope complements dependency-based analysis. They can be combined to give more complete picture.
10
PointerScope Overview
OS Vulnerable Program Exploit Type Inference Engine Execution Monitor Execution Trace Diagnosis Report Diagnosis Engine
11
Variable And Variable Type
Variable in PointerScope Variables in PointerScope refer to memory locations and registers, which can be used as instruction operands. Variable type in PointerScope We defined several primitive types: integer (INT), control pointer (CTR), data pointer (DTR), other (OTR), etc. we keep the type system simple to avoid overwhelming type conflicts that may confuse security analysts.
12
Type Definitions any pointer non-pointer other integer control pointer
data pointer conflict
13
Instruction type constraints
Type assignment Instructions may directly generate constraints to the types of its operands. Type operations Certain instructions may propagate type from the source operand to the destination operand. Some instructions may also perform calculation between operands with different types.
14
Instruction Type Constraint Example 1
0x77d43e8b call 0x77d43eal first operand second operand Usage control pointer Usage control pointer call target return address
15
Instruction Type Constraint Example 2
0x804d4e53 rep movsd first operand second operand third operand Usage integer inherit counter
16
Challenges in Inferring Types (1)
Information from instruction addressing The x86 instruction set supports the addressing mode base-index with displacement, but compiler are not always follow the design. Solution: taking the register whose value is closest to the memory operand’s address as the base register movl $0x8( , ), %ecx %eax %edx address = displacement + base register + index register
17
Challenges in Inferring Types (2)
Equivalent instruction sequences Looking at individual instructions separately will not catch the instructions’ intention, and thus make wrong type assignments. Solution: recognizing the common patterns and treat them as special cases not %ebp or $0x3,%ebp and $0xfffffffc,%ebp
18
Challenges in Inferring Types (3)
Special usage of LEA It is designed to load effective addresses, but it is often used as an optimized way to carry out numerical calculation. Solution: taking lea as normal polynomial operations and perform type calculation. Similar situation with SHL and SHR This two instructions are widely used to optimize the multiplication and division operation. lea $0x8(%eax,%edx,4), %ecx %ecx=%eax+%edx×4+$0x8
19
Challenges in Inferring Types (4)
Handling memory copy operations Memory copy operations may break the integrity of variables inherit type information depend on rep movsb Variable A Variable B,C,D,E Variable F
20
0x42050faf add %edx,0xfffffa90(%ebp)
Key-step Graph key-step graph illustrates the big picture of an exploit Following graph is generated from a simple format string attack analysis 0x42050faf add %edx,0xfffffa90(%ebp) Type Origin (NTR) temporal Type Usage (CTR) 0x080484b0 ret
21
Evaluation Implementation Evaluation setup
Prototyped on the Linux system. The execution monitor component is based on the TEMU component of BitBlaze. The data type scope and diagnosis engine are implemented as standalone utilities, in about 3.6K line of C code. Evaluation setup We evaluated our approach using a few real-world exploits on both the Windows and the Linux platform. For sample collection, we selected recent non-trivial memory corruption attacks that have exploits available in the MetaSploit framework.
22
Summary of Effectiveness
CVE Attack Technique Runtime Conflicts Trace Size Slice Size CVE Uninitialized memory; heap spray 18m23s, 8m30s 11 307,987,560 48,404,242 CVE Incorrect variable initialization; heap-spray 3m10s, 31s 2 22,759,299 955,325 CVE 25m, 21m16s 6 411,323,083 44,792,770 CVE Heap overflow; heap spray 3m5s, 1s 3 808,392 34,883 CVE Stack overflow; SEH exploit 4m59s, 1m33s 64,355,691 1,334,253 CVE Integer overflow; heap spray 1m45s, 40s 2,632,241 1,669,751 CVE Incorrect variable initialization; heap spray 11m58s, 13s 8,336,193 29,520 CVE Stack overflow vulnerability; SEH exploit 18m53s, 7m24s 1 236,331,307 814,305 CVE 10m36, 15s 9,281,019 78,704
23
Case Study: SEH Attack
24
Case Study: CVE This is a real world exploit for vulnerable version of IE Browser This attack is caused by a vulnerability in the class CDispNode’s member function SetExpandedClipRect
25
The First Type Conflict
[ ] 0x749120f2 or $0x2, %eax Type Origin (NTR) Type Usage (PTR) [ ] 0x7490e854 call *0x2c(%eax)
26
The Second Type Conflict
[ ] 0x749120f2 call *0x2c(%eax) [ ] 0x74943a14 call *0x30(%eax) Type Origin (CTR) Type Origin (CTR) Type Usage (CTR) Type Usage (CTR) [ ] 0x7490e854 call *0x2c(%eax)
27
Final Result
28
Eliminating False Positives
Code from __sbh_alloc_block_from_page which is a function in mshtml.dll It is too complicit to create a pattern, cannot be handled by PointerScope’s type operation algorithm. This is a compiler optimization that convert division into multiplication We employ white list to handle false positives mov 0x8(%ebp), %ecx mov (%ecx), %edi mov %edi, 0x8(%ebp) lea 0xf8(%ecx), %esi add %edx, (%ecx) sub %edx, 0x4(%ecx) imul $0xf, %ecx, %ecx lea 0x8(%edi), %eax shl $0x4,%eax sub %ecx, %eax
29
Related Work Attack Diagnosis Techniques
BackTracker : builds up a dependency graph between OS objects, such as processes, files, sockets, and so on Dynamic taint analysis: keeps track of the data de-pendency originated from untrusted user input at instruction level Defense and evasion techniques CFI, DFI, WIT
30
Conclusion Our insight: the key steps of sophisticated memory corruption attacks are often pointer misuses. We propose to identify and analyze pointer misuses as a generic approach for diagnosing sophisticated memory exploits. Inferring types and detecting type conflicts on binaries Presenting big pictures of attacks as key-step graphs PointerScope: a prototype implementation
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.