Detecting Code Reuse Attacks Using Dyninst Components
Emily Jacobson, Drew Bernat, and Bill Williams
Threat Model
• Attack goal: effect some malicious intent by hijacking program control flow
• Historically, accomplished via code injection
[Figure: process address space (stack, heap, code, entry point) with injected shellcode on the stack]
Threat Model
• W⊕X prevents code injection
• Alternative: construct an exploit using code that already exists within the program’s address space: “code reuse attacks”
[Figure: process address space (stack, heap, code, entry point) with injected shellcode, now blocked by W⊕X]
Anatomy of a Code Reuse Attack
[Figure: raw bytes of the program’s code section from which gadgets are selected]
• Select gadgets from within the address space of the process, e.g.:
    xchg %eax,%ecx
    fdiv %st(3),%st
    jmp *-0xf(%esi)

    add %edi,%ebp
    jmp *-0x39(%ebp)
• Chain gadgets together with indirect control flow, e.g.:
    mov 0xc(%esi),%eax
    mov %eax,(%esp)
    call *0x4(%esi)
• Usually a short attack with the goal of escaping the confining W⊕X environment, e.g.:
    add %edi,%ebp
    jmp *-0x39(%ebp)
    sysenter
    …
    pop %ebx
  → exec(“/bin/sh”)
Anatomy of a Code Reuse Attack
[Figure: two process address spaces side by side. Code injection attack: control flow leaves the entry point for injected shellcode on the stack. Code reuse attack: control flow is redirected through gadgets already present in the code section (xchg/fdiv/jmp; add/jmp; mov/mov/call; add/jmp/sysenter/…/pop)]
Previous Code Reuse Attack Defenses
• Detect using heuristics based on attack behaviors [Chen et al. 2009, 2010], [Davi et al. 2011], [Huang et al. 2012], [Kayaalp et al. 2012]
• Enforce control flow integrity at runtime [Abadi et al. 2009], [Bletsch et al. 2011], [Zhang et al. 2013]
In the next talk, Tugrul will talk about another interesting defense technique.
Our Approach
• Define conformant program execution (CPE) as a set of requirements on program states
  • Valid program counter
  • Valid callstack
• Enforce CPE by monitoring the program at runtime
Model Component #1
Valid program counter (PC): the PC must point to an instruction in the original program.
[Figure: PC = 0xb7fe3424 looked up in the CFG]
    b7fe3424: pop %ebp
    b7fe3425: pop %edx
    b7fe3426: pop %ecx
    b7fe3427: ret
Model Component #2
Valid callstack: for each frame,
• the frame must have a valid stack frame height
• (caller → current frame) must represent a valid control flow transfer in the program
[Figure: CFG excerpt (push %ecx; push %edx; push %ebp; mov %esp, %ebp; sysenter; pop %ebp; …) beside a callstack with caller frame foo and current frame bar, with the stack height and stack pointer marked]
Program Validation
Design decision: when do we validate?
• Option 1: At all instructions
  • “Conformant program execution”
  • Disadvantage: inefficient
• Option 2: At system calls
  • “Observed conformant program execution” (OCPE)
  • Effective because attacks must use the system call interface to modify overall machine state
ROPStop Implementation
Input: a program binary or a running process.
Initialization:
• Attach to the running process or launch a new process from the binary
• Parse the program binary
• Register callbacks at system calls
• Continue the process
At each system call:
• Validate the current program counter
• Perform a robust stackwalk and validate the current callstack
Dyninst components used: ParseAPI, ProcControlAPI, InstructionAPI, StackwalkerAPI, DataflowAPI.
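A toy simulation of the two OCPE checks run at each system call (valid PC, valid callstack), added here as an illustration and not ROPStop's own code. The program model, its addresses, frame heights, call edges and the Frame class are all constructed; a real implementation would take them from ParseAPI and StackwalkerAPI.

```python
from dataclasses import dataclass

# Constructed toy program (all addresses made up): instruction start
# addresses per function, the expected frame height, and call sites recorded
# as {return_address: callee}, i.e. the CFG edges a return may legitimately use.
PROGRAM = {
    "main": {"insns": [0x1000, 0x1003, 0x1008, 0x100d, 0x1012, 0x1017],
             "frame_height": 32, "calls": {0x1012: "foo"}},
    "foo":  {"insns": [0x2000, 0x2001, 0x2004, 0x2009, 0x200e, 0x200f],
             "frame_height": 16, "calls": {0x200e: "bar"}},
    "bar":  {"insns": [0x3000, 0x3002, 0x3007],  # ... sysenter ... ret
             "frame_height": 8, "calls": {}},
}
VALID_PCS = {a for f in PROGRAM.values() for a in f["insns"]}

@dataclass
class Frame:
    func: str       # function this frame belongs to
    height: int     # bytes between this frame's SP and its caller's SP
    ret_addr: int   # saved return address into the caller (0 if outermost)

def valid_pc(pc):
    # Model component #1: PC must be an instruction in the original program.
    return pc in VALID_PCS

def valid_callstack(frames):
    # Model component #2: frames are innermost first. Each frame must have
    # its function's frame height, and (caller -> current) must be a call
    # edge of the CFG: the saved return address must follow a call to `func`.
    if not frames:
        return False
    for i, fr in enumerate(frames):
        f = PROGRAM.get(fr.func)
        if f is None or fr.height != f["frame_height"]:
            return False
        if i + 1 < len(frames):
            caller = PROGRAM.get(frames[i + 1].func, {"calls": {}})
            if caller["calls"].get(fr.ret_addr) != fr.func:
                return False
    return True

def ocpe_check(pc, frames):
    # Run at each system call; returns (conformant, reason).
    if not valid_pc(pc):
        return False, "pc is not an instruction boundary"
    if not valid_callstack(frames):
        return False, "callstack is not a valid chain of CFG call edges"
    if pc not in PROGRAM[frames[0].func]["insns"]:
        return False, "pc is outside the innermost frame's function"
    return True, "conformant"
```

A benign snapshot (bar called from foo called from main, PC at bar's sysenter) passes; a chain whose saved return address is a gadget address rather than a return site fails the callstack check even though the PC itself is a valid instruction.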
Evaluation
• Accuracy: real code reuse attacks; SPEC CPU2006
• Overhead: SPEC CPU2006
Results: Real Code Reuse Attacks
• 100% accuracy using real ROP and JOP exploits
Results: SPEC CPU2006
• 100% accuracy (0 false positives)
• 5.42% overhead (geometric mean)
Open Questions
• Data-driven attacks (an orthogonal type of attack) [Chen et al. 2005], [Demay et al. 2011]
• Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006], [Wagner and Soto 2002]
Conclusion
• We defined conformant program execution and an efficient approximation, observed conformant program execution
• We built a tool to enforce OCPE, ROPStop, on top of Dyninst components
Questions?
• For more details, our paper is available at: ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson13ROPStop.pdf
• Come see the demo on Tuesday