Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eran Tromer Slides credit: Avishai Wool, Tel Aviv University

Published byAbigail Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "Eran Tromer Slides credit: Avishai Wool, Tel Aviv University"— Presentation transcript:

1 Eran Tromer Slides credit: Avishai Wool, Tel Aviv University
Introduction to Information Security , Spring Lecture 2: Control Hijacking (2/2), Secure Architecture Principles, Access Control (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University

2 Preventing control-hijacking attacks
Fix bugs: Static analysis Tools: Coverity, Purify, PREfast/PREfix. .. Runtime analysis Tools: Valgrind Rewrite software in a type-safe languange (Java, ML) Difficult for existing (legacy) code … Concede overflow, but prevent code execution Add runtime code to detect overflows exploits Halt process when overflow exploit detected StackGuard, LibSafe, …

3 Control Hijacking Platform defense

4 Marking memory as non-execute (W^X)
Prevent attack code execution by marking stack and heap as non-executable. (von Neumann architecture ⇒ Harvard architecture) AMD: NX-bit (“No Execute”, from AMD Athlon 64) Intel: XD-bit (“Executable Disable”, from Intel P4 Prescott) NX bit in every Page Table Entry (PTE) Deployment: Linux (via PaX project); OpenBSD Windows: since XP SP2 (“DEP”) Boot.ini : /noexecute=OptIn or AlwaysOn Visual Studio: /NXCompat[:NO] Limitations: Some apps need executable heap (e.g. JITs). Does not defend against `return-to-libc’ exploits OptIn: Windows processes are protected. Other apps must OptIn for protection using sysdm.cpl program. /NXCOMPAT: tells linker that app is compatible with DEP. :NO indicates don’t use DEP. DEP: data execute prevention

5 Examples: DEP control in Windows
Computer > right-click Properties > Advanced system settings > Performance (Settings) > Data Execution Prevention DEP terminating a program

6 “return to libc” attack
Control hijacking without executing code stack libc.so args ret-addr exec() sfp printf() local buf “/bin/sh” NX wasted effort?

7 Defense against “return to libc”: randomization
ASLR: (Address Space Layout Randomization) Map shared libraries to random location in process memory  Attacker cannot jump directly to exec function Deployment on 32-bit OS: Windows Vista: 8 bits of randomness for DLLs aligned to 64K page in a 16MB region  256 choices Linux (via PaX): 16 bits of randomness for libraries More effective on 64-bit architectures Other randomization methods: System-call randomization: randomize system-call IDs Instruction Set Randomization (ISR) Combination of NX and ASLR is effective. /DynamicBase: Visual Studio flag to indicate that application works with ASLR. Generally: Software Diversity

8 ASLR Example Booting twice loads libraries into different locations:

9 Control Hijacking Runtime defense

10 Run time checking: StackGuard
Many run-time checking techniques … we only discuss methods relevant to overflow protection Solution 1: StackGuard Run time tests for stack integrity. Embed “canaries” in stack frames and verify their integrity prior to function return. Frame 2 Frame 1 top of stack local canary sfp ret args local canary sfp ret args

11 Canary Types Random canary:
Random string chosen at program startup. Insert canary string into every stack frame. Verify canary before returning from function. Exit program if canary changed. Turns potential exploit into DoS. To corrupt, attacker must learn current random string. Terminator canary: Canary = {0, newline, linefeed, EOF} String functions will not copy beyond terminator. Attacker cannot use string functions to corrupt stack.

12 StackGuard (Cont.) StackGuard implemented as a GCC patch.
Program must be recompiled. Small performance effects: (8% for Apache) Note: Canaries don’t provide full proof protection. Some stack smashing attacks leave canaries unchanged

13 StackGuard enhancements: ProPolice
ProPolice (IBM) gcc (-fstack-protector) Rearrange stack layout to prevent overflow into pointers. args String Growth ret addr Protects pointer args and local pointers from a buffer overflow SFP CANARY /ProPolice: replicates pointers in arguments to bottom of local vars area. ProPolicy: also called SSP – stack smashing protection. /GS: Arguments, return address, cookie, arrays, local variables, copies of some pointer arguments, alloca local string buffers Stack Growth pointers, but no arrays local non-buffer variables copy of pointer args

14 MS Visual Studio /GS [since 2003]
Compiler /GS option: Combination of ProPolice and Random canary. If cookie mismatch, default behavior is to call _exit(3) Function prolog: sub esp, // allocate 8 bytes for cookie mov eax, DWORD PTR ___security_cookie xor eax, esp // xor cookie with current esp mov DWORD PTR [esp+8], eax // save in stack Function epilog: mov ecx, DWORD PTR [esp+8] xor ecx, esp call add esp, 8 ANI bug happened because /GS was not applied to function LoadAniIcon() since it did not contain string buffers. Visual Studio 2010 applies /GS protection more aggressively. Enhanced /GS in Visual Studio 2010: /GS protection added to all functions, unless can be proven unnecessary

15 local non-buffer variables
/GS stack frame args String Growth ret addr Canary protects ret-addr and exception handler frame SFP exception handlers CANARY /GS: Arguments, return address, cookie, arrays, local variables, copies of some pointer arguments, alloca local string buffers Stack Growth pointers, but no arrays local non-buffer variables copy of pointer args

16 Control Hijacking Heap spray attacks

17 Heap-based control hijacking
Compiler generated function pointers (e.g. C++ code) Suppose vtable is on the heap next to a string object: method #1 FP1 FP2 method #2 ptr FP3 method #3 vtable data Object T buf[256] vtable ptr data object T

18 Heap-based control hijacking
Compiler generated function pointers (e.g. C++ code) After overflow of buf we have: method #1 FP1 FP2 method #2 ptr FP3 method #3 vtable data Object T shell code buf[256] vtable ptr data object T

19 A reliable exploit? <SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%..."); overflow-string = unescape(“%u2332%u4276%...”); cause-overflow( overflow-string ); // overflow buf[ ] </SCRIPT> Problem: attacker does not know where browser places shellcode on the heap ??? buf[256] vtable ptr shellcode data

20 Heap Spraying [SkyLined 2004]
Idea: 1. use Javascript to spray heap with shellcode (and NOP slides) 2. then point vtable ptr anywhere in spray area heap vtable NOP slide shellcode heap spray area

21 JavaScript heap spraying
var nop = unescape(“%u9090%u9090”) while (nop.length < 0x100000) nop += nop var shellcode = unescape("%u4343%u4343%..."); var x = new Array () for (i=0; i<1000; i++) { x[i] = nop + shellcode; } Pointing func-ptr almost anywhere in heap will cause shellcode to execute.

22 Vulnerable buffer placement
Placing vulnerable buf[256] next to object O: By sequence of JavaScript allocations and frees make heap look as follows: Allocate vulnerable buffer in Javascript and cause overflow Successfully used against a Safari PCRE overflow [DHM’08] object O free blocks heap

23 Many heap spray exploits
[RLZ’08] Improvements: Heap Feng Shui [S’07] Reliable heap exploits on IE without spraying Gives attacker full control of IE heap from Javascript

24 (partial) Defenses Protect heap function pointers (e.g. PointGuard)
Better browser architecture: Store JavaScript strings in a separate heap from browser heap OpenBSD heap overflow protection: Nozzle [RLZ’08] : detect sprays by prevalence of code on heap prevents cross-page overflows non-writable pages

25 Secure Architecture Principles: Isolation and Least Privilege

26 Basic idea: Isolation A Seaman's Pocket-Book, (public domain)

27 Principles of Secure Design
Compartmentalization Isolation Principle of least privilege Defense in depth Use more than one security mechanism Secure the weakest link Fail securely Keep it simple

28 Principle of Least Privilege
Ability to access or modify a resource Principle of Least Privilege A system module should only have the minimal privileges needed for intended purposes Requires compartmentalization and isolation Separate the system into independent modules Limit interaction between modules

29 Example: Android process isolation
Android application sandbox Isolation: Each application runs with its own UID in own VM Provides memory protection Communication protected using Unix domain sockets Only ping, zygote (spawn another process) run as root Interaction: reference monitor checks permissions on inter-component communication Least Privilege: Applications announces permission Whitelist model – user grants access Questions asked at install time, to reduce user interruption

30 Access control Concepts

31 ? Access control Assumptions Resource User process
System knows who the user is Authentication via name and password, other credential Access requests pass through gatekeeper (reference monitor) System must not allow monitor to be bypassed Reference monitor Resource ? User process access request policy

32 Access control matrix [Lampson]
Subjects users, processes Objects files, sockets, resources File 1 File 2 File 3 File n User 1 read write - User 2 User 3 User m

33 Two implementation concepts
Access control list (ACL) Store column of matrix with the resource Capability User holds a “ticket” for each resource Two variations store row of matrix with user, under OS control unforgeable ticket in user space File 1 File 2 User 1 read write - User 2 User 3 User m Read Access control lists are widely used, often with groups Some aspects of capability concept are used in many systems

34 ACL vs Capabilities Access control list Capabilities
Associate list with each object Check user/group against list Relies on authentication: need to know user Capabilities Capability is unforgeable ticket Random bit sequence, or managed by OS Can be passed from one process to another Reference monitor checks ticket Does not need to know identify of user/process

35 ACL vs Capabilities User U Process P Process P Capabilty c,d,e User U
Process Q Process Q Capabilty c,e User U Process R Capabilty c Process R

36 ACL vs Capabilities Delegation Revocation
Cap: Process can pass capability at run time ACL: Try to get owner to add permission to list? More common: let other process act under current user Revocation ACL: Remove user or group from list Cap: Try to get capability back from process? Possible in some systems if appropriate bookkeeping OS knows which data is capability If capability is used for multiple resources, have to revoke all or none … Indirection: capability points to pointer to resource If C  P  R, then revoke capability C by setting P=0

37 Roles (also called Groups)
Role = set of users Administrator, PowerUser, User, Guest Assign permissions to roles; each user gets permission Role hierarchy Partial order of roles Each role gets permissions of roles below List only new permissions given to each role Administrator PowerUser User Guest

38 Role-Based Access Control
Individuals Roles Resources engineering Server 1 Server 2 marketing Server 3 human res Advantage: users change more frequently than roles

39 Access control Unix

40 Unix access control File has access control list (ACL)
Grants permission to user ids Owner, group, other Process has user id Inherit from creating process Process can change id Restricted set of options Special “root” id Bypass access control restrictions File 1 File 2 User 1 read write - User 2 User 3 User m Read

41 Unix file access control list
Each file has owner and group Permissions set by owner Read, write, execute Owner, group, other Represented by vector of four octal values (rwxr-xr-x)  public directory or executable (rw-r--r--)  public file (rw )  private file Only owner, root can change permissions This privilege cannot be delegated or shared Setid bits – Discuss in a few slides setid - rwx rwx rwx ownr grp othr

42 Owner can have fewer privileges than other
Question Owner can have fewer privileges than other What happens? Owner gets access? Owner does not? Prioritized resolution of differences if user = owner then owner permission else if user in group then group permission else other permission

43 Process effective user id (EUID)
Each process has three Ids (+ more under Linux) Real user ID (RUID) same as the user ID of parent (unless changed) used to determine which user started the process Effective user ID (EUID) from set user ID bit on the file being executed, or sys call determines the permissions for process file access and port binding Saved user ID (SUID) So previous EUID can be restored Real group ID, effective group ID, used similarly

44 Process Operations and IDs
Root ID=0 for superuser root; can access any file Fork and Exec Inherit three IDs, except exec of file with setuid bit Setuid system calls seteuid(newid) can set EUID to Real ID or saved ID, regardless of current EUID Any ID, if EUID=0 Details are actually more complicated Several different calls: setuid, seteuid, setreuid

45 setid bits on executable Unix file
Three setid bits Setuid – set EUID of process to ID of file owner Setgid – set EGID of process to GID of file Sticky Off: if user has write permission on directory, can rename or remove files, even if not owner On: only file owner, directory owner, and root can rename or remove file in the directory

46 setuid example Owner 18 RUID 25 SetUID …; program exec( ); Owner 18
i=getruid() setuid(i); -rw-r--r-- RUID 25 file read/write EUID 18 Owner 25 RUID 25 -rw-r--r-- read/write EUID 25 file

47 setuid programming Be Careful with Setuid 0 !
Root can do anything; don’t get tricked Principle of least privilege – change EUID when root privileges no longer needed

Download ppt "Eran Tromer Slides credit: Avishai Wool, Tel Aviv University"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Basic Control Hijacking Attacks

Basic Control Hijacking Attacks
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.

Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Defenses from Malware. Preventing exploits Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses from Malware. Preventing exploits Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Secure Architecture Principles Isolation and Least Privilege

Secure Architecture Principles Isolation and Least Privilege

Similar presentations

Ads by Google