Download presentation
Presentation is loading. Please wait.
Published byAlexia Bridges Modified over 9 years ago
1
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer Science State University of New York at Binghamton Presented at the 39 th International Symposium on Computer Architecture (ISCA), June 11 th 2012
2
Attack Classification from NIST Database *2009 – 2010 CVE Records (Vulnerability level 8 – 10) ISCA 20122 48%
3
Buffer Overflow and Code Injection Attack: Example main (int argc, char **argv) {... vulnerable(argv[1]);... } vulnerable(char *str1) { char str2[100]; strcpy(str2,str1); return; } 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() return address str2 malicious input (str2) xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return ISCA 20123
4
Existing Protection from Code Injection Attacks: No Execute Bit (NX) 0x0000 0xFFFF WRITABLE NOT EXECUTABLE xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return Mark memory pages as –Either WRITABLE –Or EXECUTABLE –But not both Standard technique in current processors and operating systems –Intel XD bit –AMD XN bit –Windows DEP –Linux PaX ISCA 20124 Stack growth
5
Next Frontier: Code Reuse Attacks (CRAs) Key Idea: Reuse existing library code instead of code injection CRA timeline –Return-into-libc attack (1997) –Return Oriented Programming (2007) –Jump Oriented Programming (2010) All bypass NX ISCA 20125
6
Return Oriented Programming (ROP) 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return xor ecx, ecx ret lea ebx, [esp+8] ret mov al, 11 int 0x80 mul ecx ret ISCA 20126 Page marked as EXECUTABLE
7
Protecting Against ROP: Secure Call Stack Semantics of return instruction – ret expects an address pushed by a call Keep a copy of return addresses in a separate memory space –Secured by OS/Hardware On each return: –Compare two copies of the return addresses –Generate exception if they mismatch Citations to these works are in the paper ISCA 20127
8
Example of a Secure Call Stack main (int argc, char **argv) {... vulnerable(argv[1]);... } vulnerable(char *str1) { char str2[100]; strcpy(str2,str1); return; } 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() return address str2 malicious input return addressmalicious return ≠ ISCA 20128
9
Defeating Secure Call Stacks Initiating an attack –Overwrite a function pointer, –Overwrite a longjmp buffer, –Exploit a format string vulnerability Performing an attack –Use indirect jumps instead of returns Jump Oriented Programming Need a special gadget to orchestrate control ISCA 20129
10
Jump Oriented Programming 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return pop edi jmp edi lea ebx, [esp+8] jmp esi mov al, 11 int 0x80 mul ecx jmp esi xor ecx, ecx jmp esi popa jmp esi ISCA 201210 Page marked as EXECUTABLE Dispatcher Gadget
11
Defending Against JOP Attacks Use solutions preventing buffer overflows –Bounds Checking –Information Flow Tracking Can ensure the legitimacy of jump targets at runtime –Difficult to do Need to construct a Control Flow Graph –Control Flow Integrity (CFI) Abadi et al, USENIX Security 2005 ISCA 201211
12
Control Flow Integrity Generate Control Flow Graph –Unique labels for edges Instrument the code with checks –Each indirect branch checks target for a label... cmp [ecx], 12345678h jne error_label lea ecx, [ecx+4] jmp ecx... mov eax, [esp+4]... jmp ecx... mov eax, [esp+4]... SourceDestination CFI instrumentation ISCA 201212 Added instructions
13
CFI Limitations Need to construct Control Flow Graph –No publicly available tools for constructing CFG from binaries Need access to source code Runtime performance overhead due to extra instructions –About 20% for SPEC 2K6 Benchmarks Problems with dynamic linking Does not handle unintended instructions ISCA 201213
14
Where Do Jump Targets Go? Typical use of indirect jump instruction –To efficiently implement switch-case statements Target is in the same function –To support dynamic linking Target is a function entry point Key Observation: Legitimate jump targets ARE NOT in the middle of another function ISCA 201214
15
Our Proposal: Branch Regulation Enforce the following rules: –Returns go to the correct addresses –Jumps target same functions or function entry points –Calls target function entry points Use hardware checks for enforcement –Low performance overhead (around 2%) –Unintended instructions are handled –No CFG needed –Requires minimal binary annotations Security shown for common libraries ISCA 201215
16
How Does BR Mitigate JOP Attacks? 0x0000 0xFFFF Stack growth Stack frame for main() Stack frame for vulnerable() xor ecx, ecx mul ecx lea ebx, [esp+8] mov al, 11 int 0x80 malicious return pop edi jmp edi lea ebx, [esp+8] jmp esi mov al, 11 int 0x80 mul ecx jmp esi xor ecx, ecx jmp esi popa jmp esi function1() function2() NOT ALLOWED ISCA 201216
17
Implementing Branch Regulation Use a Secure Call Stack Annotate function entry points with function size info Compare jump targets with function bounds and allow if checks pass Store bounds in secure call stack Cache a few secure stack entries for performance ISCA 201217
18
Inserting Code Annotations ISCA 201218 080483e4 : 80483e4: push ebp 80483e5: mov ebp, esp... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret... 08048410 g F.text 005a __libc_csu_init 080483e4 g F.text 001c main 080482b8 g F.init 0000 _init... 080483d2 : 80483d2: 80483e4: push ebp 80483e5: mov ebp, esp... 80483f9: mov eax, 0 80483fe: leave 80483ff: ret Original Code Annotated Code Symbol Table
19
Executing Call Instruction calleax. 8048232: call eax. 80482bc: 0x98 80482be: push esp 80482C0: …. 8048300: jmp ecx. 8048354: ret. FetchDecodeExecute Commit Instruction Cache call eax … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0098 80482bc 0098 (function size) 80482bc | 8048354 | 8048236 ISCA 201219
20
Executing Jump Instruction jmpecx. 0x8048232: call eax. 0x80482BC: 0x98 0x80482BE: push esp 0x80482C0: …. 0x8048300: jmp ecx. 0x8048354: ret. FetchDecodeExecute Commit Instruction Cache jmp ecx … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0x80483AA 0x80482BC | 0x8048354 | 0x8048236 0x80482BC > 0x8048354 > ISCA 201220
21
Executing Return Instruction ret. 0x8048232: call eax. 0x80482BC: 0x98 0x80482BE: push esp 0x80482C0: …. 0x8048300: jmp ecx. 0x8048354: ret. FetchDecodeExecute Commit Instruction Cache ret … | … | … Base | Bound | Return … | … | … BR Check Function Bounds Stack 0x8048236 0x80482BC | 0x8048354 | 0x8048236 0x8048236 = Return Address from Stack ISCA 201221
22
Security of Branch Regulation Effectively reduces the exploitable code base to the current function An attacker needs to find in same function: –A vulnerability to exploit –Sufficient functional gadgets –Dispatcher gadget –A system call instruction ISCA 201222
23
Number of Vulnerable Functions Library libc libm libcrypto libgcrypt libssl ISCA 201223 Functions with Dispatcher Gadget and System Call 0 0 0 0 0 Functions with Dispatcher Gadget 12 0 3 2 0 Total Number of Functions 7775 1077 7991 1135 1017
24
Additional Security Analysis in the Paper Analysis of available gadgets Dispatcher gadget discovery algorithms Gadget trie example Analysis of gadget side effects –Gadget length –Impact of unintended gadgets ISCA 201224
25
Increase of Executable Size ISCA 201225
26
Impact of Secure Stack Cache Size ISCA 201226
27
BR Performance with 4-Entry Cache ISCA 201227
28
Conclusions ISCA 201228 Emerging Code Reuse Attacks bypass existing defenses against code injection New low overhead solutions are needed We proposed Branch Regulation –Uses hardware checks to enforce a limited set of rules –Incurs 2% performance overhead and 1% increase in code size –Handles unintended instructions –Does not rely on Control Flow Graph of the program –Can protect legacy binaries with minimal effort We demonstrated security of Branch Regulation for a variety of common libraries
29
Thank you! Questions? ISCA 201229
30
Backup Slides ISCA 201230
31
Unintended Instructions 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 08048488: FF 8D BB 18 FF FF 0804848E: FF 8D 83 18 FF FF 08048494: FF 29 Code Snippet from __libc_csu_init function 08048484: E8 33 FE FF FF 08048489: 8D BB 18 FF FF FF 0804848F: 8D 83 18 FF FF FF 08048495: 29 C7 Unintended Code Snippet from __libc_csu_init function call lea edi, [ebx-e8h] lea eax, [ebx-e8h] sub, edi, eax dec [ebp-e745h] dec [ebp-e77dh] jmp [ecx] FF 8D BB 18 FF FF FF 8D 83 18 FF FF FF 29 ISCA 201231
32
Dispatcher Gadgets Replacement of return for JOP attacks Advance a register/memory to represent program counter Dispatcher Gadget Potential (DGP) –If able to write to the target of indirect jump –If not, not Turing-complete Dispatcher Gadget Confirmed (DGC) –If found a potential dispatcher gadget –Still a system call is needed for harmful attack (DGC-SYS) ISCA 201232
33
Identifying Dispatcher Gadgets If memory indirect branch –Find an iterator If register indirect branch –Find a loader and an iterator mov / pop etc. loads add / sub / lea / pop etc. iterates ISCA 201233
34
Dispatcher Gadget Examples Instruction Type loader and iterator register indirect jump iterator memory indirect jump iterator loader register indirect jump iterator conveyor memory indirect jump Dispatcher Gadget pop r1 jmp r1 add r1, r2 jmp [r1] lea r1, [r1 + r2] mov r3, [r1] jmp r3 sub r1, 4 mov r2, [r1] mov r3, r2 jmp [r3] ISCA 201234
35
Unintended Instructions Mostly garbage instructions Usually more side effects than intentional 246894925 ISCA 201235
36
Gadget Length Long gadget means more intermediate instructions ISCA 201236
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.