Presentation is loading. Please wait.

Presentation is loading. Please wait.

USENIX Security Symposium, Baltimore, MD, 2005 1 Non-Control-Data Attacks Are Realistic Threats Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer.

Published byIan Gordon Modified over 10 years ago

Similar presentations

Presentation on theme: "USENIX Security Symposium, Baltimore, MD, 2005 1 Non-Control-Data Attacks Are Realistic Threats Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer."— Presentation transcript:

1 USENIX Security Symposium, Baltimore, MD, 2005 1 Non-Control-Data Attacks Are Realistic Threats Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign Department of Computer Science, North Carolina State University Department of Computer Science, North Carolina State University * Cybersecurity and Systems Management Group, Microsoft Research

2 USENIX Security Symposium, Baltimore, MD, 2005 2 Control Data Attack: Well-Known, Dominant Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code E.g., code injection, mimicry attack and return-to-LibCE.g., code injection, mimicry attack and return-to-LibC Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] By exploiting many vulnerabilities such as buffer overflow, format string bug, integer overflow, double free, etc.By exploiting many vulnerabilities such as buffer overflow, format string bug, integer overflow, double free, etc. Many current defense techniques: to enforce control data integrity to provide security. Many current defense techniques: to enforce control data integrity to provide security.

3 USENIX Security Symposium, Baltimore, MD, 2005 3 Non-Control-Data Attack Non-control-data attacks: attacks not corrupting any control data Non-control-data attacks: attacks not corrupting any control data i.e., attacks preserving the integrity of control flow of the victim processi.e., attacks preserving the integrity of control flow of the victim process Currently very rare in reality Currently very rare in reality Very few instances documented in literature.Very few instances documented in literature. Several papers: theoretically possible to construct non-control-data attacks against synthetic programs.Several papers: theoretically possible to construct non-control-data attacks against synthetic programs. Not yet considered as a serious threatNot yet considered as a serious threat How applicable are such attacks against real- world software? How applicable are such attacks against real- world software? Why rare attackers incapability or lack of incentives?Why rare attackers incapability or lack of incentives? No focused investigation yet.No focused investigation yet.

4 USENIX Security Symposium, Baltimore, MD, 2005 4 Motivating Facts Random hardware memory errors could subvert the security of real-world systems. Random hardware memory errors could subvert the security of real-world systems. Boneh and DeMillo: random errors allow deriving secret keys in CRT-based RSA implementation. [Eurocrypt97]Boneh and DeMillo: random errors allow deriving secret keys in CRT-based RSA implementation. [Eurocrypt97] Our previous work: authentication of SSH and FTP servers, packet filtering of Linux firewalls can be compromised. [DSN01 and DSN02]Our previous work: authentication of SSH and FTP servers, packet filtering of Linux firewalls can be compromised. [DSN01 and DSN02] Govindavajhala and Appel: Java type system can be subverted. [S&P03]Govindavajhala and Appel: Java type system can be subverted. [S&P03] None of them is control-data attack. A wide range of real-world software susceptible.None of them is control-data attack. A wide range of real-world software susceptible. Software vulnerabilities are more deterministic and more amenable to attacks. Software vulnerabilities are more deterministic and more amenable to attacks. Many software vulnerabilities are essentially memory fault injectors: overwriting an arbitrary memory location Many software vulnerabilities are essentially memory fault injectors: overwriting an arbitrary memory location Heap overflowHeap overflow Double freeDouble free Format string bugFormat string bug Integer overflowInteger overflow

5 USENIX Security Symposium, Baltimore, MD, 2005 5 Our Claim: General Applicability of Non-Control-Data Attacks The claim: The claim: Many real-world software applications are susceptible to non-control-data attacks.Many real-world software applications are susceptible to non-control-data attacks. The severity of the attack consequences is equivalent to that due to control data attacks.The severity of the attack consequences is equivalent to that due to control data attacks. Goal of our project Goal of our project Experimentally validate the claimExperimentally validate the claim Construct non-control-data attacks to compromise the security of representative applications Construct non-control-data attacks to compromise the security of representative applications Discuss the implications of the claim on current defensive techniquesDiscuss the implications of the claim on current defensive techniques Call for comprehensive defensive techniquesCall for comprehensive defensive techniques

6 USENIX Security Symposium, Baltimore, MD, 2005 6 Selection of Target Applications Real-world applications, not synthetic applications. Real-world applications, not synthetic applications. Leading application categories Leading application categories CERT advisories (2000 – 2004)CERT advisories (2000 – 2004) 84% are server vulnerabilities 84% are server vulnerabilities HTTP service (18%), database service (10%), 6 remote login service (8%), mail service (5%), FTP service (4%). HTTP service (18%), database service (10%), 6 remote login service (8%), mail service (5%), FTP service (4%). Selection criteria Selection criteria Different types of vulnerabilities should be coveredDifferent types of vulnerabilities should be covered Different types of server applications should be studiedDifferent types of server applications should be studied Practical constraints for our selection Practical constraints for our selection Uncertainties in many vulnerability reports: really exploitable?Uncertainties in many vulnerability reports: really exploitable? Proprietary source codeProprietary source code Limited information about details of many vulnerabilitiesLimited information about details of many vulnerabilities Eventually, we selected Eventually, we selected Open-source FTP, SSH, Telnet, HTTP serversOpen-source FTP, SSH, Telnet, HTTP servers Stack buffer overflow, format string, heap corruption, integer overflow.Stack buffer overflow, format string, heap corruption, integer overflow.

7 USENIX Security Symposium, Baltimore, MD, 2005 7 Non-Control-Data Attack against WU-FTPD Server (via a format string bug) int x; FTP_service(...) { authenticate(); x = user ID of the authenticated user; seteuid(x); while (1) { get_FTP_command(...); if (a data command?) getdatasock(...); } getdatasock(... ) { seteuid(0); setsockopt(... ); seteuid(x); } x=109, run as EUID 0 x uninitialized, run as EUID 0 x=109, run as EUID 109. Lose the root privilege! x=0, run as EUID 0 When return to service loop, still runs as EUID 0 (root). Allow us to upload /etc/passwd We can grant ourselves the root privilege! Only corrupt an integer, not a control data attack. Get a data command (e.g., PUT) Get a special SITE EXEC command. Exploit a format string vulnerability. x= 0, still run as EUID 109.

8 USENIX Security Symposium, Baltimore, MD, 2005 8 /usr/local/httpd/exe Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug) Attack the configuration string of CGI-BIN path. Attack the configuration string of CGI-BIN path. Mechanism of CGI Mechanism of CGI suppose server name = www.foo.com CGI-BIN =suppose server name = www.foo.com CGI-BIN = Requested URL = http://www.foo.com/cgi-binRequested URL = http://www.foo.com/cgi-bin The server executesThe server executes Our attack Our attack Exploit the vulnerability to overwrite CGI-BIN to /binExploit the vulnerability to overwrite CGI-BIN to /bin Request URL http://www.foo.com/cgi-bin/shRequest URL http://www.foo.com/cgi-bin/sh The server executesThe server executes The server gives me a root shell! Only overwrite four characters in the CGI-BIN string. /usr/local/httpd/exe /bin /sh /bar /bar

9 USENIX Security Symposium, Baltimore, MD, 2005 9 Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug) void do_authentication(char *user,...) { int auth = 0;... while (!auth) { /* Get a packet from the client */ type = packet_read(); switch (type) {... case SSH_CMSG_AUTH_PASSWORD: if (auth_password(user, password)) auth =1; case... } if (auth) break; } /* Perform session preparation. */ do_authenticated(…); } auth = 0 Password incorrect, but auth = 1 auth = 1 Logged in without correct password auth = 1

10 USENIX Security Symposium, Baltimore, MD, 2005 10 More Non-Control-Data Attacks Against NetKit Telnet server (default Telnet server of Redhat Linux) Against NetKit Telnet server (default Telnet server of Redhat Linux) Exploit a heap overflow bugExploit a heap overflow bug Overwrite two strings: /bin/login –h foo.com -p (normal scenario) /bin/sh –h –p -p (attack scenario)Overwrite two strings: /bin/login –h foo.com -p (normal scenario) /bin/sh –h –p -p (attack scenario) The server runs /bin/sh when it tries to authenticate the user.The server runs /bin/sh when it tries to authenticate the user. Against GazTek HTTP server Against GazTek HTTP server Exploit a stack buffer overflow bugExploit a stack buffer overflow bug Send a legitimate URL http://www.foo.com/cgi-bin/bar Send a legitimate URL http://www.foo.com/cgi-bin/bar The server checks that /.. is not embedded in the URL The server checks that /.. is not embedded in the URL Exploit the bug to change the URL to http://www.foo.com/cgi-bin/../../../../bin/sh Exploit the bug to change the URL to http://www.foo.com/cgi-bin/../../../../bin/sh The server executes /bin/sh The server executes /bin/sh

11 USENIX Security Symposium, Baltimore, MD, 2005 11 What Non-Control-Data Attacks Imply? Control flow integrity is not a sufficiently accurate approximation to software security. Control flow integrity is not a sufficiently accurate approximation to software security. Many types of non-control data critical to security Many types of non-control data critical to security User identify data, configuration data, user input data and decision-making dataUser identify data, configuration data, user input data and decision-making data Once attackers have the incentive, they are likely to succeed in non-control-data attacks. Once attackers have the incentive, they are likely to succeed in non-control-data attacks.

12 USENIX Security Symposium, Baltimore, MD, 2005 12 Discussions on Current Defensive Techniques Defenses based on control flow integrity Defenses based on control flow integrity Monitor system call sequencesMonitor system call sequences Protect control dataProtect control data Non-executable stack and heapNon-executable stack and heap Pointer encryption PointGuard Pointer encryption PointGuard Identifying pointers in low level code is really challengingIdentifying pointers in low level code is really challenging Address space randomization Address space randomization Challenge: need to randomize every program segmentChallenge: need to randomize every program segment Limitation: 32-bit address space cannot provide sufficient entropyLimitation: 32-bit address space cannot provide sufficient entropy Memory safety enforcement Memory safety enforcement Promising direction, e.g., CCured, Cyclone, CREDPromising direction, e.g., CCured, Cyclone, CRED Currently difficult to migrate existing large code bases to memory safe version. Incur runtime overhead. Difficult to ensure memory safety for low-level code.Currently difficult to migrate existing large code bases to memory safe version. Incur runtime overhead. Difficult to ensure memory safety for low-level code. Still open: to design a generic and secure defense Still open: to design a generic and secure defense

13 USENIX Security Symposium, Baltimore, MD, 2005 13 Mitigating Factors Requiring application-specific semantic knowledge Requiring application-specific semantic knowledge Control-data attack unrelated to the semantics of the victim process (hijack the control flow, do whatever you like)Control-data attack unrelated to the semantics of the victim process (hijack the control flow, do whatever you like) Non-control-data attack rely on the semantics of the victim processNon-control-data attack rely on the semantics of the victim process Not a fundamental constraintNot a fundamental constraint Semantics of widely used applications will be well understood, if attackers have strong incentives Semantics of widely used applications will be well understood, if attackers have strong incentives The more instances attackers see, the easier they can clone new ones. A matter of experiences. The more instances attackers see, the easier they can clone new ones. A matter of experiences. Lifetime of security-critical data Lifetime of security-critical data Attacks are not possible if the vulnerabilities exist outside the lifetime of the target data.Attacks are not possible if the vulnerabilities exist outside the lifetime of the target data. Programs can be modified to reduce data lifetime to enhance security.Programs can be modified to reduce data lifetime to enhance security.

14 USENIX Security Symposium, Baltimore, MD, 2005 14 Reducing Data Lifetime for Security Original WU-FTPD lifetime of x is global siteexec() { } getdatasock() { seteuid(0); seteuid(0); setsockopt(... ); setsockopt(... ); seteuid(x); seteuid(x);} Modified WU-FTPD siteexec() { } getdatasock() { tmp = geteuid(); tmp = geteuid(); seteuid(0); seteuid(0); setsockopt(... ); setsockopt(... ); seteuid(tmp); seteuid(tmp);} Lifetime of seteuid() argument

15 USENIX Security Symposium, Baltimore, MD, 2005 15 Reducing Data Lifetime for Security Original SSHD do_authentication() { int auth = 0; while (!auth) { while (!auth) { type = packet_read(); type = packet_read(); switch (type) { switch (type) { case CMSG_AUTH_PASSWORD: case CMSG_AUTH_PASSWORD: if (auth_password(passwd)) if (auth_password(passwd)) auth = 1; auth = 1; case... case... } if (auth) break; if (auth) break; } do_authenticated(pw); do_authenticated(pw);} Modified SSHD do_authentication() { int auth = 0; while (!auth) { while (!auth) { type = packet_read(); type = packet_read(); auth = 0; auth = 0; switch (type) { switch (type) { case CMSG_AUTH_PASSWORD: case CMSG_AUTH_PASSWORD: if (auth_password(passwd)) if (auth_password(passwd)) auth = 1; auth = 1; case... case... } if (auth) break; if (auth) break; } do_authenticated(pw); do_authenticated(pw);} Lifetime of auth flag

16 USENIX Security Symposium, Baltimore, MD, 2005 16 Conclusions Major claim: many real-world software applications are susceptible to attacks that do not hijack program control flow. Major claim: many real-world software applications are susceptible to attacks that do not hijack program control flow. Constructing a generic and secure defensive technique to defeat both control-data attacks and non-control-data attacks is still an open problem. Constructing a generic and secure defensive technique to defeat both control-data attacks and non-control-data attacks is still an open problem. Reducing data lifetime is a secure programming practice to increase software resilience to attacks. Reducing data lifetime is a secure programming practice to increase software resilience to attacks.

17 USENIX Security Symposium, Baltimore, MD, 2005 17 Links DEPEND Research Group, Univ. of Illinois DEPEND Research Group, Univ. of Illinois http://www.crhc.uiuc.edu/DEPENDhttp://www.crhc.uiuc.edu/DEPEND Prof. Jun Xus Research Group. North Carolina State University Prof. Jun Xus Research Group. North Carolina State University http://www.csc.ncsu.edu/faculty/junxu/http://www.csc.ncsu.edu/faculty/junxu/ Cybersecurity and Systems Management Group, Microsoft Research (a.k.a. the Strider team) Cybersecurity and Systems Management Group, Microsoft Research (a.k.a. the Strider team) http://research.microsoft.com/csmhttp://research.microsoft.com/csm

Download ppt "USENIX Security Symposium, Baltimore, MD, 2005 1 Non-Control-Data Attacks Are Realistic Threats Shuo Chen *, Jun Xu, Emre Sezer, Prachi Gauriar, Ravi Iyer."

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 1 Introduction to Perl and CGI.

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 1 Introduction to Perl and CGI.
Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001.

Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001.
1 Evaluating the Security Threat of Instruction Corruptions in Firewalls Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant Center of Reliable and.

1 Evaluating the Security Threat of Instruction Corruptions in Firewalls Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant Center of Reliable and.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Defeating Memory Corruption Attacks via Pointer Taintedness Detection Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer † ‡

Defeating Memory Corruption Attacks via Pointer Taintedness Detection Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer † ‡
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Similar presentations

Ads by Google