Download presentation
Presentation is loading. Please wait.
Published byDavin Tarbell Modified over 9 years ago
1
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos elathan@ics.forth.gr
2
Defending ROP Randomization - Address Space Layout Randomization (ASLR) - Fine-grained Randomization (Smashing the gadgets, Binary Stirring) Control Flow Integrity (CFI) Run-time Detection - Based on H/W features (kBouncer) CS-457Elias Athanasopoulos2
3
Control-flow Graph CS-457Elias Athanasopoulos3 Direct call of sort() Indirect call of lt()/gt() All ret instructions are indirect branches! Can you spot other indirect branches?
4
Enforcing CFI (1) Things we don’t care about CS-457Elias Athanasopoulos4 Direct call of sort() Direct calls: cannot controlled by attacker (fixed targets) Do nothing!
5
Enforcing CFI (2) Forward Edges CS-457Elias Athanasopoulos5 Indirect call of lt()/gt() R: target Legitimate targets: lt(),gt() CFI: make sure only legitimate targets are exercised Attack: redirect R to a Gadget R: target Legitimate targets: lt(),gt() CFI: make sure only legitimate targets are exercised Attack: redirect R to a Gadget Attach label to indirect call: l7 Check label on function entry points Result: R is coupled only with legitimate targets, lt(),gt() - The call in sort() can only reach lt(),gt() - lt(),gt() can only be reached by the call in sort() Result: R is coupled only with legitimate targets, lt(),gt() - The call in sort() can only reach lt(),gt() - lt(),gt() can only be reached by the call in sort()
6
Implementation Example CS-457Elias Athanasopoulos6
7
Enforcing CFI (3) Backward Edges CS-457Elias Athanasopoulos7 All ret instructions are indirect branches! Call site (instruction after a call) (1) Add labels to call sites (2) check if we return from the correct returns (1) Add labels to call sites (2) check if we return from the correct returns Call site (instruction after a call)
8
Ideal CFI CS-457Elias Athanasopoulos8 Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks
9
Coarse-grained (loose) CFI CS-457Elias Athanasopoulos9 Two labels only: 1)One for ensuring an indirect call enters a function entry point 2)One for ensuring a ret returns to a call site Two labels only: 1)One for ensuring an indirect call enters a function entry point 2)One for ensuring a ret returns to a call site
10
Gadgets under coarse-grained CFI CS-457Elias Athanasopoulos10
11
Linking Gadgets under CFI CS-457Elias Athanasopoulos11
12
Exploitation under CFI CS-457Elias Athanasopoulos12
13
CS-457Elias Athanasopoulos13
14
Last Branch Record (LBR) 16 pairs of H/W registers Used for debugging They store the last occurred branches Can be configured to store only indirect branches CS-457Elias Athanasopoulos14
15
kBouncer CS-457Elias Athanasopoulos15
16
Normal vs ROP CS-457Elias Athanasopoulos16
17
kBouncer Checks call-ret pairing - Coarse-grained CFI Heuristics - Up to 20 instructions is considered a gadget - 6 gadgets in a row is considered an attack CS-457Elias Athanasopoulos17
18
kBouncer Heuristics CS-457Elias Athanasopoulos18
19
Bypassing kBouncer CS-457Elias Athanasopoulos19
20
kBouncer bypass PoC CS-457Elias Athanasopoulos20
21
Other Software Vulnerabilities Use-after-free and dangling pointers Integer overflows CS-457Elias Athanasopoulos21
22
Use-after-free CS-457Elias Athanasopoulos22 P1 P2 Object A t0: P1 and P2 point to A t1: P1 is freed Free space NULL P2 still points to, it is a dangling pointer New Object t2: attacker allocates space New Object t3: P2 now points to a new Object! New Object 1) New object is of different type 2) P2->foo() can execute attacker’s code in the new object 1) New object is of different type 2) P2->foo() can execute attacker’s code in the new object
23
Integer Overflows off_t j, pg_start = /* from user space */; size_t i, page_count =... ; int num_entries =... ; if (pg_start + page_count > num_entries) return –EINVAL;... for (i = 0, j = pg_start; i<page_count; i++,j++) /* write to some address with offset j */; CS-457Elias Athanasopoulos23
24
Integer Overflows (fix) off_t j, pg_start = /* from user space */; size_t i, page_count =... ; int num_entries =... ; if ((pg_start + page_count > num_entries) || (pg_start + page_count < pg_start)) return –EINVAL;... for (i = 0, j = pg_start; i<page_count; i++,j++) /* write to some address with offset j */; CS-457Elias Athanasopoulos24
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.