
ROP is Still Dangerous: Breaking Modern Defenses


Presentation Transcript


  1. ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et al., University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part of the slides from N. Carlini

  2. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  3. Background Code injection • Usually exploits a buffer overrun vulnerability • Injects malicious code • Overwrites the return address of a function • Return address -> malicious code

  4. Data Execution Prevention (DEP) Background Code injection • Security feature in modern OSes • Ensures writable pages in memory are not executable • The stack is no longer executable • Code cannot be injected

  5. Data Execution Prevention (DEP) Return Oriented Programming (ROP) Background Code injection

  6. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  7. ROP Attacks Gadgets !

  8. ROP Attacks • Perform malicious computation by only controlling the execution flow • Each gadget performs a small computation • Gadget chaining is achieved by influencing indirect jumps • Need to write appropriate values onto the stack

  9. ROP Attacks • eax stores 4a304120 • ebx stores 00032400 • eax stores [4a304120] (OV, the original value at that address) • eax stores (OV + 00032400) • ecx stores 4a304120 • [4a304120] stores (OV + 00032400)

  10. ROP Attacks Defend ROP

  11. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  12. Attack Primitives Three building blocks are useful in attacking ROP defenses • Call-Preceded ROP • Evasion Attack • History Flushing

  13. Call-Preceded ROP Call-preceded policy: normally, every ret returns to an instruction that immediately follows a call

  14. Call-Preceded ROP • The call-preceded policy limits the choice of gadgets • Only 6% of gadgets are call-preceded • People believe the call-preceded policy significantly increases the difficulty of mounting a ROP attack • However, the authors argue it is still possible to mount ROP under this policy • Allow more complex gadgets • 70KB of binary code is enough

  15. Evasion Attacks Classification-based defense • Monitors the runtime behavior of a process • Classifies segments of execution as either “gadget” or “non-gadget” • Length-based classifier (sequences of instructions separated by indirect branches) • Long sequences of short gadgets -> ROP attack

  16. Evasion Attacks To break a classification-based defense • Use gadgets that look like benign execution • An evasion attack is one that the defense classifies as normal • Such an evasion attack still allows the attacker to mount a ROP attack

  17. History flushing History inspection defense • Inspects the program at different points throughout its execution • Keeps only a limited amount of history • For performance reasons, inspection is usually invoked only at certain points (e.g., when a system call is issued)

  18. History flushing To break a history inspection defense • Fool the defense by hiding the ROP attack • Perform ROP when not being watched • Insert effective no-op instructions and stop making progress when being watched

  19. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  20. Attack Goal and Threat Model Attack Goal: • Issue a single syscall • mprotect (Linux) or VirtualProtect (Windows), making a page in memory both executable and writable Threat Model: • Attacker has a known exploit that will let them control the instruction pointer at some point in the future • Typically it is a stack overflow

  21. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  22. kBouncer kBouncer: a scheme that uses indirect branch tracing to detect ROP attacks • Uses the Last Branch Record (LBR) to inspect the last 16 indirect branches • Runs when a system call is invoked • Low overhead • Checks 2 properties • Are all returns call-preceded? • Are the 8 most recent sequences gadget-like? (<20 instructions before an indirect branch)

  23. kBouncer Detected !

  24. kBouncer History Hiding Attack • Uses history flushing to clear evidence of ROP • 3 steps • Initial exploitation: normal ROP attack (may not be call-preceded) until a syscall is about to be invoked • Hide the history: flush the history • Restore registers and issue the system call

  25. kBouncer Flush the history • Consists of a short flushing gadget and a long termination gadget • Short flushing gadget - satisfies the call-preceded requirement • Repeat the short flushing gadget 16 times • Termination gadget - at least 20 instructions (non-gadget-like)
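To make the checks on slides 22 and 25 concrete, here is an added toy model of kBouncer's two syscall-time checks over a simulated 16-entry LBR (this is illustrative code written for these notes, not kBouncer's or the paper's code; the return-site addresses and traces are constructed). It shows what the classifier flags, and that the same classifier's verdict changes only when it is given more than the 16-entry window, which is the limitation the slides point at.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BranchRecord:
    """One LBR entry: an indirect branch that was taken, plus how it was reached."""
    kind: str               # "ret", "call" or "jmp"
    target: int             # branch destination address
    instrs_since_last: int  # instructions executed since the previous indirect branch

# Hypothetical return sites: addresses immediately following a call instruction.
CALL_PRECEDED_SITES = {0x401005, 0x40101A, 0x40102F, 0x4010F3}

LBR_DEPTH = 16          # kBouncer sees only the 16 most recent indirect branches
GADGET_MAX_INSTRS = 20  # fewer than 20 instructions before a branch is "gadget-like"
GADGET_CHAIN_LEN = 8    # 8 gadget-like sequences in a row are flagged as ROP

def is_gadget_like(rec):
    return rec.instrs_since_last < GADGET_MAX_INSTRS

def kbouncer_check(trace, depth=LBR_DEPTH):
    """Apply both kBouncer checks at a syscall; depth=None means unlimited history."""
    window = trace if depth is None else trace[-depth:]
    for rec in window:  # check 1: every ret must land on a call-preceded address
        if rec.kind == "ret" and rec.target not in CALL_PRECEDED_SITES:
            return True, "return to non-call-preceded address"
    recent = window[-GADGET_CHAIN_LEN:]  # check 2: the 8 most recent sequences
    if len(recent) == GADGET_CHAIN_LEN and all(is_gadget_like(r) for r in recent):
        return True, "8 consecutive gadget-like sequences"
    return False, "ok"

# Constructed traces (toy addresses, not from any real binary).
BENIGN = [BranchRecord("call", 0x401100, 40), BranchRecord("ret", 0x401005, 12),
          BranchRecord("call", 0x401200, 33), BranchRecord("ret", 0x40101A, 57)]
CLASSIC_ROP = [BranchRecord("ret", 0x402000 + 0x10 * i, 3) for i in range(8)]

def history_hiding_trace():
    """One non-call-preceded ret (initial exploitation) followed by 16 records that
    are all call-preceded and end with a long, non-gadget-like sequence (slide 25)."""
    early = [BranchRecord("ret", 0x402000, 3)]
    flush = [BranchRecord("ret", 0x4010F3, 2)] * (LBR_DEPTH - 1)
    terminate = [BranchRecord("ret", 0x401005, 25)]
    return early + flush + terminate

if __name__ == "__main__":
    print("benign:", kbouncer_check(BENIGN))
    print("classic ROP:", kbouncer_check(CLASSIC_ROP))
    t = history_hiding_trace()
    print("16-entry LBR:", kbouncer_check(t))        # (False, 'ok')
    print("full history:", kbouncer_check(t, None))  # flagged by check 1
```

The last two lines are the point of slides 24 and 28: the older, non-call-preceded record is still in the trace, but the 16-entry window no longer contains it when the syscall is inspected.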

  26. kBouncer - Flush History

  27. kBouncer Restore registers • Can be achieved with a few gadgets that pop register values off the stack • Other ways • Jump Oriented Programming (JOP) • Call Oriented Programming (COP) • etc.

  28. kBouncer What happens if kBouncer keeps the whole execution history? - it can still be broken • The initial phase uses only call-preceded gadgets • No flushing gadget is needed • Break up short gadget chains with the long termination gadget • 70KB of program code contains enough call-preceded gadgets to finish such a ROP attack

  29. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  30. ROPecker ROPecker is a defense that builds on ideas found in kBouncer, with a few differences • Inspects more frequently • Only a few pages are marked executable at one time • Invoked each time a page not in the executable set is executed • Syscalls • It looks at both history and future to detect an attack • Future emulation stops when the next sequence of instructions is not a short one leading to an indirect jump ROPecker: A generic and practical approach for defending against ROP attacks. Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. NDSS, 2014.

  31. ROPecker Repeated History Hiding Attack • Repeatedly invokes the history hiding primitive • 3 phases • Loading phase: load useful pages into the executable set • Attack phase: invoke gadgets on these pages • Flushing phase: mount the history hiding attack using only gadgets from these pages • May need to execute the 3 phases multiple times to achieve the goal

  32. ROPecker

  33. ROPecker Attacking ROPecker is more complicated • Carefully pick tasks for each step • Flushing and termination gadgets clobber register state • Pick independent operations for each step • Pick pages that contain more gadgets

  34. ROPecker Evasion Attack • Let ROPecker inspect at any time • Insert a termination gadget between every ten useful gadgets • The threshold is 11 (past and future combined)

  35. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  36. Evaluation • A tool is built to find attacks on real-world exploits • The tool helps find gadgets • Enumerates all potential call-preceded gadgets

  37. Evaluation Modify real-world exploits to bypass kBouncer • 4 real-world exploits are modified • MPlayer Lite r33063 • Stack-based buffer overflow, exploited by overwriting the SEH pointer • Adobe Reader 9.3.4 • Adobe Flash 11.3.300 • Internet Explorer 8 • Half a day to cloak each attack

  38. Evaluation Use an exploitable version of the HT editor source to bypass ROPecker • Evasion attack • Repeated history hiding attack • execv is issued eventually

  39. Outline Background ROP Attacks Attack Primitives Attack Goal and Threat Model kBouncer ROPecker Evaluation Related Work and Conclusion

  40. Related Work ● [Goktas, S&P14] discussed the existence of call-preceded ROP and used it to break many existing CFI defenses ● [Davi, Usenix14] and [Goktas, Usenix14] both independently and concurrently discovered very similar attacks on kBouncer & ROPecker

  41. Conclusion This paper has presented: • 3 building blocks for ROP attacks • Breaks state-of-the-art defenses - kBouncer and ROPecker • Implications • Do not rely on limited history • Call-preceded ROP is possible • It is difficult to classify “gadget” vs. “non-gadget” execution • Focus on the fundamental difference between normal and ROP execution
