1 / 22

Detecting Code Reuse Attacks with a Model of Conformant Program Execution

Detecting Code Reuse Attacks with a Model of Conformant Program Execution. Emily R. Jacobson, Andrew R. Bernat , William R. Williams, Barton P. Miller Computer Sciences Department University of Wisconsin ESSoS 2014 Munich, Germany February 27, 2014. Threat Model.

glynn
Download Presentation

Detecting Code Reuse Attacks with a Model of Conformant Program Execution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer Sciences Department University of Wisconsin ESSoS 2014 Munich, Germany February 27, 2014

  2. Threat Model process address space • Attack goal: effect some malicious intent by hijacking program control flow • Historically, accomplished via code injection heap stack injected shellcode code entry point Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  3. Threat Model process address space • W X prevents code injection • So, code cannot be executed from the stack or heap • Alternative: construct an exploit using code that already exists within the program’s address space heap stack injected shellcode code entry point code reuse attacks Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  4. Anatomy of a Code Reuse Attack code 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 Select gadgets from within the address space of the process xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) Chain gadgets together with indirect control flow mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) • indirect jump instructions •  “jump-oriented programming” (JOP) Usually a short attack with the goal of escaping the confining W X environment add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx exec(“/bin/sh”) Example based on exploit presented in Bletsch et al. 2011 Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  5. Anatomy of a Code Reuse Attack 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 Select gadgets from within the address space of the process xchg %eax,%ecx fdiv %st(3),%st jmp *-0xf(%esi) add %edi,%ebp jmp *-0x39(%ebp) Chain gadgets together with indirect control flow mov 0xc(%esi),%eax mov %eax,(%esp) call *0x4(%esi) Usually a short attack with the goal of escaping the confining W X environment add %edi,%ebp jmp *-0x39(%ebp) sysenter … pop %ebx exec(“/bin/sh”) Example based on exploit presented in Bletsch et al. 2011 Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  6. Existing Defenses Against Code Reuse Attacks Select gadgets from within the address space of the process • Making gadget discovery difficult: • ASLR • software diversification • removal of useful instruction sequences • [Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013] • Make discovery difficult, not impossible Detecting control flow manipulations: • shadow stack • matched call/return pairs [Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013] Defeated by JOP Enforcing control flow integrity: [Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013] Require binary rewriting of all code Chain gadgets together with indirect control flow Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  7. Our Approach • Define security policy based on well-defined behaviors of the program binary Does not rely on behavior of known attacks • Use static analysis of binary to extract the model Does not require learning phase or expert knowledge • Enforce expected behavior Protects against new exploit variations Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  8. Our Approach • Define conformant program execution (CPE) as a set of requirements on program states • Valid program counter • Valid callstack • Enforce CPE by monitoring program at runtime • Monitor is protected from being exploited because it’s in a separate process Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  9. Model Component #1 Valid program counter (PC): PC must point to a valid instruction in the original program 0xb7fe3424 PC b7fe3424: pop %ebp b7fe3425: pop %edx b7fe3426: pop %ecx b7fe3427: ret CFG Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  10. Model Component #2 Valid callstack: For each frame: • frame must have valid stack frame height • (caller current frame) must represent a valid control flow transfer in the program valid control flow transfer? invalid return address push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret expected stack frame callstack pop %ebp pop %edx pop %ecx ret stack pointer CFG Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  11. Program Validation Design decision: when do we validate? • Option 1: At all instructions • “Conformant program execution” • Disadvantage: inefficient • Option 2: At system calls • “Observed conformant program execution”(OCPE) • Effective because attacks must use the system call interface to modify overall machine state • Disadvantage: relies on attack being observable at system calls Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  12. ROPStop Implementation ROPStop Attach to running process or launch new process from binary Parse program binary Register callbacks at system calls Continue process or running process (monitored application) running process binary At each system call: Validate current program counter Perform robust stackwalk and validate the current callstack intercept via ptrace system calls Operating System Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  13. Evaluation Overhead Accuracy Real code reuse attacks SPEC CPU2006 Apache HTTP Server SPEC CPU2006 Apache HTTP Server False negatives? False positives? Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  14. Results: Real Code Reuse Attacks • 100% accuracy using real ROP and JOP exploits Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  15. Results: Real Code Reuse Attacks invalid return address push %ecx push %edx push %ebp mov %esp, %ebp sysenter … jmp b7fe3417 pop %ebp pop edx pop ecx ret expected stack frame pop %ebp pop %edx pop %ecx ret callstack stack pointer CFG Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  16. Results: SPEC CPU2006 • 100% accuracy (0 false positives), • 5.3% overhead (geometric mean) Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  17. Results: SPEC CPU2006 Where does the overhead come from? • PC validity • Callstack validity • Monitor context switching (~frequency of system calls) 241.5 system calls/second 2.0 system calls/second Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  18. Results: Apache HTTP Server • 100% accuracy (0 false positives), • 6.3% overhead (geometric mean) Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  19. Open Questions • Data-driven attacks (orthogonal type of attack) [Chen et al. 2005] [Demay et al. 2011] • Exploits that modify program data (e.g., system call arguments) to effect an attack • May not have visible effects on the program states we monitor • Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006] [Wagner and Soto 2002] • Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place • Are designed to have no visible effects on the program states we monitor Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  20. Conclusion • Approach for detecting code reuse attacks • We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution • We built a tool to enforce OCPE, ROPStop Detecting Code Reuse Attacks with a Model of Conformant Program Execution

  21. Questions? jacobson@cs.wisc.edu www.paradyn.org Detecting Code Reuse Attacks with a Model of Conformant Program Execution

More Related