1
Experimental Computer Systems Lab
A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks
Manish Prasad, Tzi-cker Chiueh, SUNY Stony Brook
2
Roadmap
- Binary Translation
- Buffer Overflow and Return Address Defense (RAD)
- Static BT and RAD
- Experimental Results
- Conclusion
3
Binary Translation
- Motivation: to do things without access to source
- Traditional applications: legacy code migration (HP Aries, UQBT); program optimization (Etch, IBM BOA)
- Approaches (and their limitations): static lacks transparency and accuracy; dynamic is less efficient
4
Binary Translation and Software Security
- Legacy applications from an outside vendor
- (Figure: Application A ships from Vendor X with NO SOURCE CODE; a CERT advisory then reports a VULNERABILITY in Application A.)
7
Has it been done yet?
- Dynamic translation: DynamoRIO [MIT], LibVerify [Bell Labs]
- Hardware support [UIUC]
8
Why Static Binary Translation (SBT)?
- Inferring legacy program behavior
- Application-specific security policies
- "Use static analysis if you can" (Butler Lampson, Hints for Computer System Design)
9
Goals
- How far can we go with pure static BT?
- Buffer overflow protection: widespread; simple, yet covers most SBT issues
- Foundation for a general Win32/PE instrumentation framework
10
Contributions
- Comprehensive treatment of static BT: why and where it fails
- Prototype implementation incorporating the static BT state of the art, with high disassembly precision
- Exhaustive experiments with several commercial-grade Windows applications
11
Buffer Overflow Attack (Buffer Overflow and RAD)
Figure: stack evolution on a function call; the stack grows downward from 4G toward 0.
- The caller pushes the function arguments.
- CALL pushes the return address.
- The callee saves the old frame pointer and allocates its local variables: a local buffer and other local variables.
- An unbounded buffer copy writes the attack buffer into the local buffer: exploit code (Exp) followed by repeated copies of A, the address of the exploit code, which overwrite the saved frame pointer and the return address.
- Overflow aftermath: on return, control transfers to the address of the exploit, so the exploit code runs.
18
Return Address Defense (RAD) (Buffer Overflow and RAD)
Figure: the same call with RAD instrumentation.
- CALL pushes the return address; the instrumented prologue saves a copy of it in the Return Address Repository (RAR).
- The callee allocates its local variable space.
- An unsafe buffer copy corrupts the return address on the stack with the address of the exploit code; the copy in the RAR is untouched.
- The instrumented epilogue compares the return address on the stack with the saved copy in the RAR.
- Mismatch: attack detected!
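As an added illustration (Python written for this page, not the paper's own RAD code), the sequence above modelled on one stack frame: a prologue that copies the return address into a repository, an unbounded copy into the local buffer, and an epilogue check that refuses to return when the two copies differ. The frame layout, addresses and inputs are constructed.

```python
import struct

RAR = []   # Return Address Repository: shadow copies the overflow cannot reach


class Frame:
    """Callee frame as drawn on the slides, low to high address:
    [local buffer][other locals][saved frame pointer][return address]."""

    def __init__(self, ret_addr, buf_size=16, other_size=4, saved_ebp=0x0012FF80):
        self.ret_off = buf_size + other_size + 4          # constructed layout
        self.mem = bytearray(self.ret_off + 4)
        struct.pack_into("<I", self.mem, self.ret_off - 4, saved_ebp)
        struct.pack_into("<I", self.mem, self.ret_off, ret_addr)

    def ret_addr(self):
        return struct.unpack_from("<I", self.mem, self.ret_off)[0]

    def unsafe_copy(self, data):
        """Unbounded copy into the local buffer: no length check, so a long input
        runs over the other locals, the saved EBP and the return address."""
        data = data[: len(self.mem)]
        self.mem[: len(data)] = data


def rad_prologue(frame):
    """Instrumented prologue: save a copy of the return address in the RAR."""
    RAR.append(frame.ret_addr())


def rad_epilogue(frame):
    """Instrumented epilogue: the stack copy must still equal the RAR copy."""
    saved = RAR.pop()
    if frame.ret_addr() != saved:
        raise RuntimeError(f"ret addr {frame.ret_addr():#010x} != saved {saved:#010x}")
    return saved


def call_vulnerable(user_input, ret_addr=0x00401234):
    """Simulate CALL -> prologue -> unsafe copy -> epilogue on one frame."""
    frame = Frame(ret_addr)
    rad_prologue(frame)
    frame.unsafe_copy(user_input)
    try:
        return "returned to %#010x" % rad_epilogue(frame)
    except RuntimeError as err:
        return "attack detected: %s" % err


# Constructed inputs: a benign string, and an oversized one whose last four bytes
# land exactly on the return address slot (buffer 16 + locals 4 + saved EBP 4).
BENIGN = b"hello"
OVERFLOW = b"A" * 24 + struct.pack("<I", 0x0012FF00)     # "address of exploit"
```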
23
Static BT & RAD: Central Issues (Static BT and RAD)
- Disassembly
- Code instrumentation
Figure: Binary File -> Disassembler -> Instrumentation
24
Disassembly (Static BT and RAD)
- Core component for static analysis of binaries
- Principal approaches:
  - Linear sweep: decode consecutive bytes starting from the first byte; whether a byte is seen as a valid or an invalid instruction depends on where decoding started.
  - Recursive traversal: start at the entry point and follow control flow (CALL fn, the body of fn up to its RET, then the instruction after the CALL).
29
Disassembly: Impediments (Static BT and RAD)
- Code/data distinction
- Variable x86 instruction size
- Indirect branches
- Functions without explicit CALL
- PIC
Example: the byte sequence 0x0F 0x85 0xC0 0x0F 0x85 ... decodes as JNE offset when decoding starts at the first byte; if the first 0x0F is data, the same bytes decode as TEST eax, eax followed by JNE offset.
33
Disassembler Approach (Static BT and RAD)
- Recursive traversal: accurate code/data identification
- Linear sweep: reach areas not covered by recursive traversal
- Compiler-independent heuristics: recover from errors
34
Disassembly Accuracy (Static BT and RAD)
35
Code Instrumentation (Static BT and RAD)
- Add desired functionality
- Preserve original program semantics
36
Code Instrumentation for RAD (Static BT and RAD)
- Add buffer overflow protection
- Preserve original program semantics
37
What to instrument? (Static BT and RAD)
- Function boundary identification: the prologue and epilogue must both be instrumented or both left uninstrumented, otherwise false alarms result
- Pattern matching (for 'interesting' functions): stack frame allocation and deallocation
38
What to instrument? (Prototype)
Figure: Binary File -> Disassembler -> Core Binary Rewrite Engine -> RAD. The rewrite engine visits each instruction and hands it to RAD if it belongs to an 'interesting' function.
39
Inserting Checking Code (Static BT and RAD)
- JMP at the prologue and epilogue to the RAD code (prologue: JMP to save the return address; epilogue: JMP to check the return address)
- Replace 5 bytes' worth of instructions; must not disturb branch targets
- Stack frame allocation (at the prologue) is >= 5 bytes
- Stack frame deallocation is possible in 2-4 bytes, so the return address check is done in an INT 3 handler
Instruction sizes:
  Prologue: PUSH EBP (1 byte); MOV EBP, ESP (2 bytes); SUB ESP, x (3-6 bytes)
  Epilogue variants: ADD ESP, x (3-6 bytes); POP EBP (1 byte); RET (1 byte)
                     MOV ESP, EBP (2 bytes); POP EBP (1 byte); RET (1 byte)
                     LEAVE (1 byte); RET (1 byte)
  INT 3 (1 byte)
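The patch-site rule above as an added example (Python written for this page, not the paper's rewrite engine): choose a 5-byte JMP when whole instructions covering at least 5 bytes can be replaced without a branch target falling inside them, and fall back to INT 3 when the sequence is shorter. Site addresses, the RAD stub address and the NOP padding of leftover bytes are assumptions.

```python
import struct

JMP_LEN = 5           # E9 rel32: the 5-byte JMP that diverts to the RAD code
INT3 = b"\xCC"        # 1-byte INT 3: used where fewer than 5 bytes are available
NOP = b"\x90"         # assumption: leftover bytes of the replaced span are NOP-filled


def encode_jmp(src, dst):
    """JMP rel32 from src to dst; rel32 is relative to the instruction after the JMP."""
    return b"\xE9" + struct.pack("<i", dst - (src + JMP_LEN))


def plan_patch(insts, branch_targets, stub):
    """insts: [(addr, length)] of one prologue or epilogue, in order.
    Returns (kind, patch_bytes, replaced_len):
      'INT3' if the whole sequence is shorter than 5 bytes (the check then runs
             in the INT 3 handler, as the slide says for 2-4 byte epilogues);
      'JMP'  if >= 5 bytes of whole instructions can be replaced with no branch
             target inside them (only the first instruction may be a target);
      None   if a branch target inside the span forbids the JMP."""
    start = insts[0][0]
    if sum(length for _, length in insts) < JMP_LEN:
        return "INT3", INT3, 1
    covered = 0
    for addr, length in insts:
        if addr != start and addr in branch_targets:
            return None, b"", 0          # a JMP here would split a branch target
        covered += length
        if covered >= JMP_LEN:           # whole instructions only, then pad
            return "JMP", encode_jmp(start, stub) + NOP * (covered - JMP_LEN), covered


# Constructed sites (addresses are made up). Prologue from the slide:
# PUSH EBP (1) ; MOV EBP, ESP (2) ; SUB ESP, x (3) = 6 bytes.
PROLOGUE = [(0x401000, 1), (0x401001, 2), (0x401003, 3)]
# Epilogue: MOV ESP, EBP (2) ; POP EBP (1) ; RET (1) = 4 bytes, too short for a JMP.
EPILOGUE = [(0x401040, 2), (0x401042, 1), (0x401043, 1)]
RAD_STUB = 0x402000                      # constructed address of the RAD code
```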
41
INT 3 Statistics (Static BT and RAD)
42
Experimental Evaluation
Goals of the experiments:
- Effect on program correctness
- Resilience to buffer overflow attacks
- Performance and space overhead
43
Space Overhead (Experimental Evaluation): micro-benchmark and macro-benchmark
44
Execution Time Overhead (Experimental Evaluation)
Overhead = (Execution Time with RAD - Execution Time without RAD) / Execution Time without RAD
45
Resilience to Buffer Overflow Attack (Experimental Evaluation)
- Windows Help (Winhlp32.exe) on Windows NT 4.0 with Service Pack 4.0
- Content file (.CNT) with a long heading string; published exploit code
- Resists attack!
46
Known Limitations
- Disassembly limitations
  - Indirect branches (figure: Indirect Branches and Control Flow Analysis)
  - Hand-crafted assembly: inter-procedural jumps, multiple function entry points
- RAD limitations
  - Memory pointer corruption
  - Multi-threaded applications: a per-thread RAR is needed
  - Self-modifying code: beyond static analysis
53
Conclusions
- First study to implement the static BT state of the art in a working system
- High disassembly accuracy
- Demonstrated effectiveness on commercial-grade Windows applications
- Qualified success as a security tool
- Basis for a general Win32/PE instrumentation framework
54
Looking Ahead
- Support for DLLs
- Dynamic translation to ameliorate static BT deficiencies
- Automatic application-specific security policy generation
- Copy- and tamper-resistant software
55
Project page: http://www.ecsl.cs.sunysb.edu/brew.htm
Disassembler sources: http://www.ecsl.cs.sunysb.edu/disassembler.tgz
56
Questions?
57
... and I'm looking for work!!!
58
Disassembler Passes (Static BT and RAD)
Figure: a code listing with address labels 0x400100, 0x400110, 0x40011C and 0x40012E, containing (in order): DATA; CALL 0x40011C; JMP 0x400110; RET; MOV EAX, 0x40012E; PUSH 0x400100; CALL EAX; RET; MOV EAX, ECX; CALL 0x400140; RET.
- Pass 1, recursive traversal: starting from the entry point, build the inter-procedural call graph and, for each function body, its control flow graph (including backward edges).
- Pass 2, linear sweep: in areas pass 1 did not reach, treat bytes that decode as legal instructions as code (this is how function bodies reached only through an indirect branch such as CALL EAX are found).
- Pass 3, error recovery heuristics: a code sequence not ending with JMP/RET is not code.
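The three passes above and the code/data example from the impediments slide, as an added illustration (Python written for this page, not the paper's disassembler): a toy decoder for the opcodes that appear on the slides, a recursive traversal pass, and a sweep over the gaps it leaves that applies the "must end in JMP/RET" heuristic. The byte image, its addresses and the opcode subset are constructed.

```python
import struct


def decode(code, pc):
    """(mnemonic, length, branch targets), or None if no modelled opcode starts at pc."""
    op, nxt = code[pc], (code[pc + 1] if pc + 1 < len(code) else None)
    rel32 = lambda off: pc + off + 4 + struct.unpack_from("<i", code, pc + off)[0]
    if op == 0xC3:
        return "RET", 1, []
    if op in (0xE8, 0xE9) and pc + 5 <= len(code):          # CALL/JMP rel32
        return ("CALL" if op == 0xE8 else "JMP"), 5, [rel32(1)]
    if op == 0x0F and nxt == 0x85 and pc + 6 <= len(code):  # JNE rel32 (0F 85)
        return "JNE", 6, [rel32(2)]
    if op == 0x85 and nxt == 0xC0:                          # TEST eax, eax
        return "TEST", 2, []


def recursive_traversal(code, entry):
    """Pass 1: follow CALL/JMP/JNE edges and fall-through from the entry point."""
    insts, work = {}, [entry]
    while work:
        pc = work.pop()
        while 0 <= pc < len(code) and pc not in insts and (d := decode(code, pc)):
            insts[pc] = (d[0], d[1])
            work.extend(d[2])
            if d[0] in ("RET", "JMP"):
                break                              # nothing falls through RET/JMP
            pc += d[1]
    return insts


def sweep_gaps(code, insts):
    """Passes 2 and 3: a skipped byte range is code only if it decodes exactly up
    to the next known instruction and ends with JMP/RET; otherwise it is data."""
    verdict, pc = {}, 0
    for bound in sorted(insts) + [len(code)]:
        seq, cur = [], pc
        while cur < bound:
            d = decode(code, cur)
            if d is None or cur + d[1] > bound:        # desynchronised / overlapping
                break
            seq.append(d[0])
            cur += d[1]
        if pc < bound:
            verdict[pc] = "code" if cur == bound and seq[-1] in ("JMP", "RET") else "data"
        pc = bound + insts[bound][1] if bound in insts else bound
    return verdict


# Constructed image: main CALLs fn at 0x0B; five 0x0F data bytes follow main, and
# a helper at 0x15 has no explicit CALL, so only the sweep can find it.
CODE = bytes([0xE8, 6, 0, 0, 0, 0xC3,                # 0x00 CALL 0x0B ; 0x05 RET
              0x0F, 0x0F, 0x0F, 0x0F, 0x0F,           # 0x06 five data bytes
              0x85, 0xC0, 0x0F, 0x85, 1, 0, 0, 0,     # 0x0B TEST ; 0x0D JNE 0x14
              0xC3, 0xC3, 0x85, 0xC0, 0xC3])          # 0x13 RET ; 0x14 RET ; 0x15 TEST ; RET
```

Decoding from the data byte at 0x0A instead of 0x0B turns TEST eax, eax ; JNE into a single bogus JNE, which is exactly the first-byte ambiguity the impediments slide shows.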
65
Execution Time Micro-benchmark (Experimental Evaluation)
Penalty = Additional RAD Overhead / Original Run Time
66
WattProbe
- Linux-based experimental platform for low-power computing
- Power vs. performance measurements: fine-grained, high resolution, across multiple resources
- Power characterization of interactive applications
- Application-specific low-power modes
67
Caching Infrastructure for Stackable File Systems (FAST '03 WIP)
- Cache coherence support, transparent to native and stackable file systems
- Minimal changes to the page cache code: hooks into a cache manager
- Prototype Linux implementation
68
Communication and Membership Management for Linux Clusters
- Low-latency link-level semi-reliable transport layer (Springer LNCS, HiPC '02), no hardware support
- Membership management: cluster-wide consistent membership view; scalable failure detection
69
Thanks
72
Disassembly Limitations (Prototype)
- False negatives (functions missed)
  - Partly misidentified as data: a prologue identified as data is left uninstrumented while the epilogue is instrumented, leaving a security hole and an RAR overflow. The same happens with adjacent functions Fn1 and Fn2 when one prologue is taken for data: an instrumented epilogue without its prologue overflows the RAR, and the uninstrumented function is a security hole.
  - Identified fully as code (figure: data, an interesting prolog and the function body all identified as code, with a security hole).
- False positives (falsely identified functions)
  - Code following data or an unconditional branch
  - Missed attacks; RAR overflow (figure: an indirect jump into data, with the jump target taken as a function entry point)
77
Indirect Branches and Control Flow Analysis (Prototype)
78
RAD Limitations (Prototype)
- Attacks resisted: return address, frame pointer
- Does not protect against memory pointer attacks: function pointer corruption, import table overwrites
79
Multi-Threaded Applications (Prototype)
- RAR shared between threads
- Possible solution: access the Thread Information Block (TIB) through the FS register; use Thread Local Storage (TLS) slots in the TIB; keep a separate RAR for each thread, with the thread-specific RAR addresses stored in TLS slots
80
Hand-Crafted Assembly Quirks (Prototype)
Figure: Fn 1 has no interesting prolog and no interesting epilog; Fn 2 has an interesting prolog and epilog; Fn 1 reaches Fn 2 through JNE label (an inter-procedural jump seen in MSAccess). Fn1 is entered without the return address being saved; the exit from Fn2 performs the return address check, so a false alarm results.
81
Software Architecture & Flow of Control (Prototype)
Figure: Binary File -> Disassembler -> Core Binary Rewrite Engine -> RAD (instrumentation). PE-specific component: initialization, a new PE section, and setting up the RAD mine zones.