Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin

Published byWarren Skinner Modified over 6 years ago

Similar presentations

Presentation on theme: "Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin"— Presentation transcript:

1 Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin

2 Recent Memory Error Exploits
Memory-corruption exploits are still being actively used. E.g., Heap spray, buffer overflow. Recent memory-corruption techniques are more sophisticated. Need to bypass widely-adopted defense mechanisms. A successful attack depends on multiple steps. Existing techniques of attack diagnosis mainly focus on diagnosing a single step of the process.

3 Simple Stack Buffer Overflow
An attacker overwrites vulnerable function return address, which points to shellcode on stack. Recent defense solutions make it hard to directly execute injected code. Security cookie, ALSR, DEP shellcode Stack growth return address Only one step buffer Attackers need a way to find the shellcode

4 Motivating Example: Structured Exception Handling
Structured Exception Handling (SEH) is a mechanism for handling exceptions on Windows. FS:[0] SEH frame Stack top TIB Stack bottom Stack growth ··· exception handler SEH Record prev DispatcherContext arguments prepared by OS for exception handler ContextRecord EstablisherFrame ExceptionRecord

5 Exploiting SEH Mechanism
step 2 exception handler SEH Record popd %eax popd %ebx ret eip prev eip eip eip return address Stack growth security cookie step 1 buffer DispatcherContext step 3 arguments prepared by OS for exception handler ContextRecord EstablisherFrame esp ExceptionRecord esp return address of exception handler function return address esp

6 Challenges Identifying key steps
The complete picture of an attack: all steps from the initial vulnerability exploit to the malicious code execution are necessary. Difficulty for dependency-based analysis Direct data dependency analysis cannot detect all key steps E.g., in step 3 in the above SEH exploit, the address to shellcode is provided by the OS

7 Our Observation Exploits usually use program features in an unintended way. Pointer misuses are often the basis of memory-corruption exploits. Pointer misuses in the SEH attack A corrupted return address raises an exception. A corrupted exception handler executes a pop-pop-return sequence (PPR slice) The PPR slice uses a pointer to exception registration record as the return address.

8 Key Technique Detect pointer misuses by inferring and checking data types on instruction operands Pointer misuses is detected as type conflicts during variable types inferring. Pointer misuse is one of the most important characteristics of key attack steps, so this approach detects misuses as key steps.

9 Our Solution PointerScope
Detecting key steps of sophisticated memory-corruption exploits Illustrating attacks’ big pictures using key-step graphs PointerScope complements dependency-based analysis. They can be combined to give more complete picture.

10 PointerScope Overview
OS Vulnerable Program Exploit Type Inference Engine Execution Monitor Execution Trace Diagnosis Report Diagnosis Engine

11 Variable And Variable Type
Variable in PointerScope Variables in PointerScope refer to memory locations and registers, which can be used as instruction operands. Variable type in PointerScope We defined several primitive types: integer (INT), control pointer (CTR), data pointer (DTR), other (OTR), etc. we keep the type system simple to avoid overwhelming type conflicts that may confuse security analysts.

12 Type Definitions any pointer non-pointer other integer control pointer
data pointer conflict

13 Instruction type constraints
Type assignment Instructions may directly generate constraints to the types of its operands. Type operations Certain instructions may propagate type from the source operand to the destination operand. Some instructions may also perform calculation between operands with different types.

14 Instruction Type Constraint Example 1
0x77d43e8b call 0x77d43eal first operand second operand Usage control pointer Usage control pointer call target return address

15 Instruction Type Constraint Example 2
0x804d4e53 rep movsd first operand second operand third operand Usage integer inherit counter

16 Challenges in Inferring Types (1)
Information from instruction addressing The x86 instruction set supports the addressing mode base-index with displacement, but compiler are not always follow the design. Solution: taking the register whose value is closest to the memory operand’s address as the base register movl $0x8( , ), %ecx %eax %edx address = displacement + base register + index register

17 Challenges in Inferring Types (2)
Equivalent instruction sequences Looking at individual instructions separately will not catch the instructions’ intention, and thus make wrong type assignments. Solution: recognizing the common patterns and treat them as special cases not %ebp or $0x3,%ebp and $0xfffffffc,%ebp

18 Challenges in Inferring Types (3)
Special usage of LEA It is designed to load effective addresses, but it is often used as an optimized way to carry out numerical calculation. Solution: taking lea as normal polynomial operations and perform type calculation. Similar situation with SHL and SHR This two instructions are widely used to optimize the multiplication and division operation. lea $0x8(%eax,%edx,4), %ecx %ecx=%eax+%edx×4+$0x8

19 Challenges in Inferring Types (4)
Handling memory copy operations Memory copy operations may break the integrity of variables inherit type information depend on rep movsb Variable A Variable B,C,D,E Variable F

20 0x42050faf add %edx,0xfffffa90(%ebp)
Key-step Graph key-step graph illustrates the big picture of an exploit Following graph is generated from a simple format string attack analysis 0x42050faf add %edx,0xfffffa90(%ebp) Type Origin (NTR) temporal Type Usage (CTR) 0x080484b0 ret

21 Evaluation Implementation Evaluation setup
Prototyped on the Linux system. The execution monitor component is based on the TEMU component of BitBlaze. The data type scope and diagnosis engine are implemented as standalone utilities, in about 3.6K line of C code. Evaluation setup We evaluated our approach using a few real-world exploits on both the Windows and the Linux platform. For sample collection, we selected recent non-trivial memory corruption attacks that have exploits available in the MetaSploit framework.

22 Summary of Effectiveness
CVE Attack Technique Runtime Conflicts Trace Size Slice Size CVE Uninitialized memory; heap spray 18m23s, 8m30s 11 307,987,560 48,404,242 CVE Incorrect variable initialization; heap-spray 3m10s, 31s 2 22,759,299 955,325 CVE 25m, 21m16s 6 411,323,083 44,792,770 CVE Heap overflow; heap spray 3m5s, 1s 3 808,392 34,883 CVE Stack overflow; SEH exploit 4m59s, 1m33s 64,355,691 1,334,253 CVE Integer overflow; heap spray 1m45s, 40s 2,632,241 1,669,751 CVE Incorrect variable initialization; heap spray 11m58s, 13s 8,336,193 29,520 CVE Stack overflow vulnerability; SEH exploit 18m53s, 7m24s 1 236,331,307 814,305 CVE 10m36, 15s 9,281,019 78,704

23 Case Study: SEH Attack

24 Case Study: CVE This is a real world exploit for vulnerable version of IE Browser This attack is caused by a vulnerability in the class CDispNode’s member function SetExpandedClipRect

25 The First Type Conflict
[ ] 0x749120f2 or $0x2, %eax Type Origin (NTR) Type Usage (PTR) [ ] 0x7490e854 call *0x2c(%eax)

26 The Second Type Conflict
[ ] 0x749120f2 call *0x2c(%eax) [ ] 0x74943a14 call *0x30(%eax) Type Origin (CTR) Type Origin (CTR) Type Usage (CTR) Type Usage (CTR) [ ] 0x7490e854 call *0x2c(%eax)

27 Final Result

28 Eliminating False Positives
Code from __sbh_alloc_block_from_page which is a function in mshtml.dll It is too complicit to create a pattern, cannot be handled by PointerScope’s type operation algorithm. This is a compiler optimization that convert division into multiplication We employ white list to handle false positives mov 0x8(%ebp), %ecx mov (%ecx), %edi mov %edi, 0x8(%ebp) lea 0xf8(%ecx), %esi add %edx, (%ecx) sub %edx, 0x4(%ecx) imul $0xf, %ecx, %ecx lea 0x8(%edi), %eax shl $0x4,%eax sub %ecx, %eax

29 Related Work Attack Diagnosis Techniques
BackTracker : builds up a dependency graph between OS objects, such as processes, files, sockets, and so on Dynamic taint analysis: keeps track of the data de-pendency originated from untrusted user input at instruction level Defense and evasion techniques CFI, DFI, WIT

30 Conclusion Our insight: the key steps of sophisticated memory corruption attacks are often pointer misuses. We propose to identify and analyze pointer misuses as a generic approach for diagnosing sophisticated memory exploits. Inferring types and detecting type conflicts on binaries Presenting big pictures of attacks as key-step graphs PointerScope: a prototype implementation

Download ppt "Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin"

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,

Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.

Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Similar presentations

Ads by Google