240 likes | 556 Views
Best Student Paper Award. Framing Signals— A Return to Portable Shellcode. Erik Bosman and Herbert Bos Vrije Universiteit , Amsterdam 35 th Security and Privacy (May, 2014). Outline. Introduction Signal Delivery on UNIX Systems SROP Turing-Complete Interpreter Mitigation.
E N D
Best Student Paper Award Framing Signals—A Return to Portable Shellcode Erik Bosman and Herbert Bos VrijeUniversiteit, Amsterdam 35th Security and Privacy (May, 2014)
Outline • Introduction • Signal Delivery on UNIX Systems • SROP • Turing-Complete Interpreter • Mitigation A Seminar at Advanced Defense Lab
Introduction User Space Kernel Space System Kernel Application System Call, Interrupt Signal A Seminar at Advanced Defense Lab
In This Paper… • While each flavor handles signals in slightly differentways, the different implementationsare all very similar. • We show that the implementation can be used as an attack method in exploits and backdoors. A Seminar at Advanced Defense Lab
Stack Smashing Attacks Stack • But… • W^X (OpenBSD) • Exec Shield (Linux) • DEP (Windows) Return Address Buffer Shellcode A Seminar at Advanced Defense Lab
Code Reuse Attacks Code Stack Return Address Return Address Return Address Buffer A Seminar at Advanced Defense Lab
Ret-to-libc vs. ROP A Seminar at Advanced Defense Lab
Signal Delivery on Early UNIX Systems Code Stack ip sp User Context User Code Signal Handler Signal Frame Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab
UNIX V6 Interrupt Routine A Seminar at Advanced Defense Lab
sigreturn System call (4.3BSD) Code Stack ip sp User Context User Code Signal Handler Invoke sigreturn Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab
A Signal Frame in Linux x86-64 A Seminar at Advanced Defense Lab
SROP Code Stack ip sp User Context User Code Signal Handler Invoke sigreturn Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab
A example of sigreturn chain in SROP Stack Code rip: syscall ip ip ip movsigreturn, %rax syscall ret rax: sys_yyynum sp sp sp sp sp Other register: Syscall arguments Ret: sigreturn rip: syscall rax: sys_xxxnum rax Other register: Syscall arguments sigreturn sys_xxx sys_yyy Ret: sigreturn A Seminar at Advanced Defense Lab
SROP Pre-conditions • The attacker should have control over the instruction pointer. • The stack pointer should be located on attacker controlled data and NULL bytes must be allowed. • The attacker knows the address of a piece of data controlled by the attacker. • The attacker knows the location of code calling sigreturn, or syscall. A Seminar at Advanced Defense Lab
Finding a sigreturn Gadget A Seminar at Advanced Defense Lab
Linux x86-64 vsyscall page A Seminar at Advanced Defense Lab
A Linux x86-64 SROP Exploit A Seminar at Advanced Defense Lab
SROP as a Backdoor A Seminar at Advanced Defense Lab
A SROP syscall proxy on iOS A Seminar at Advanced Defense Lab
Turing-Complete Interpreter A Seminar at Advanced Defense Lab
Mitigation • Signal Frame Canaries A Seminar at Advanced Defense Lab
Q & A A Seminar at Advanced Defense Lab