
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities. Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense Laboratory Department of Computer Science North Carolina State University Presenter: Radha Maldhure for CDA 6133 Spring’08. Overview.





Presentation Transcript


  1. Automatic Diagnosis and Response to Memory Corruption Vulnerabilities. Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt, Cyber Defense Laboratory, Department of Computer Science, North Carolina State University. Presenter: Radha Maldhure for CDA 6133, Spring ’08

  2. Overview
  • Memory Corruption
  • Address Space Randomization
  • System Overview
  • System Architecture
  • State Transition of Program
  • Diagnosis
  • Signature Generation
  • Experimental Evaluation
  • Contribution
  • Weakness
  • Suggestions
  • References

  3. Memory Corruption
  • Memory locations are unintentionally modified due to programming errors
  • Attack:
    • A successful attack allows remote code execution
    • An unsuccessful attack causes a program crash or strange program behavior
  • Most popular means of taking control of a target system
  • Types: buffer overflow, integer overflow

  4. Memory Corruption: Example
  (Diagram: memory corruption by buffer overflow. For example, User_input() is some routine in process X. The process memory layout for X shows the stack frame for User_input(): local buffer, local variable and return address (Ret Addr). The attacker's packet fills the local buffer and overwrites the return address with repeated copies of an address that points at the attacker's code.)

  5. Address Space Randomization
  (Diagram: normal memory layout versus memory layout with randomization on. Each layout shows code, arguments, return address, local variable and local buffer; the two layouts are marked with the example addresses 4000 and 2000.)

  6. Example: Memory corruption with ASR
  (Diagram: memory corruption by buffer overflow with randomization on. The stack frame holds the local buffer, local variable, return address and argument; the overwritten return address points to the wrong memory location: CRASH!!!)

  7. System Overview

  8. System Architecture

  9. Terms needed for the model
  Some definitions:
  • Memory attack: may consist of multiple corrupting instructions
  • Corrupting instruction (c): an instruction tricked into overwriting critical program data
  • Initial corrupting instruction (i): the corrupting instruction that corrupts program data directly from network input
  • Take-over instruction (t): a control-flow transfer instruction
  • Faulting instruction (f): the instruction that causes the process to crash

  10. State Transition of a randomized program under memory corruption attack
  (Diagram; states: Normal, Critical Data Corruption, Security Compromise, Inconsistent Execution, Crash. Transitions as labelled:)
  • Normal → Critical Data Corruption: initial corrupting instruction c
  • Normal → Crash: the initial corrupting instruction c is itself the faulting instruction (c = f): Case 1
  • Critical Data Corruption → Crash: k, a non-takeover instruction i with incorrect address prediction (i = f): Case 2
  • Critical Data Corruption → Crash: take-over instruction t with incorrect address prediction (t = f): Case 3
  • Critical Data Corruption → Security Compromise: t with correct address prediction
  • Security Compromise → Inconsistent Execution → Crash: a later faulting instruction f: Case 4

  11. Case 1: the corrupting instruction is the faulting instruction (c = f)
  Sample program:

      int foo(int b, int *c)
      {
          char buf[10];
          GetUserName(buf);   /* no bounds check: a long name overflows buf */
          (*c)++;
          return *c;
      }

  (Diagram: stack frame with b, c and buf; buf is filled with a long string of user input that runs past the end of the frame.) The input to GetUserName() is large. This causes a buffer overflow that accesses an illegal memory location, and hence the process crashes!!!!

  12. Case 2: the attack corrupts some critical data without a crash. However, the process crashes when executing a non-takeover instruction
  (Same sample program as Case 1. Diagram: stack frame with b, buf and c, where the overflow has overwritten the pointer c with 0000.) The program crashes as the third statement, (*c)++, executes!!

  13. Case 3: the take-over instruction is the faulting instruction
  (Diagram: stack frame with b, c and buf; the return address has been overwritten with 4000, which is invalid memory, so the take-over instruction Jmp 4000 faults.)

  14. Case 4: the take-over instruction executes successfully, and the program continues to execute for some time before the crash
  (Diagram: same layout as Case 3: stack frame with b, c and buf, return address overwritten with 4000, take-over instruction Jmp 4000.)
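The four crash cases from slides 10 to 14 as executable logic, added here as an example that is not part of the slides or the paper: a small C model of the state machine that takes a trace of executed instructions tagged with the roles the diagnosis engine assigns (corrupting, take-over, or ordinary) and reports which case the crash belongs to. The struct and enum names and the four sample traces are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Roles in the slide's vocabulary. A take-over entry is only counted as a
 * completed take-over if a corrupting instruction came before it. */
enum role {
    ROLE_NORMAL,      /* ordinary instruction that neither corrupts nor takes over */
    ROLE_CORRUPTING,  /* c: tricked into overwriting critical program data */
    ROLE_TAKEOVER     /* t: control-flow transfer using corrupted data */
};

struct trace_entry {
    unsigned long pc;
    enum role role;
    int faulted;      /* 1 if this instruction raised the access violation */
};

enum crash_case { CASE_NONE = 0, CASE_1 = 1, CASE_2 = 2, CASE_3 = 3, CASE_4 = 4 };

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Walk the trace in program order and classify the crash.
 * Case 1: c = f            Case 2: non-takeover instruction faults after corruption
 * Case 3: t = f            Case 4: t succeeded, a later instruction faults */
enum crash_case classify_crash(const struct trace_entry *t, size_t n)
{
    int corrupted = 0;    /* passed a corrupting instruction? (Critical Data Corruption) */
    int taken_over = 0;   /* a take-over instruction completed? (Security Compromise) */
    for (size_t i = 0; i < n; i++) {
        if (t[i].faulted) {
            if (t[i].role == ROLE_CORRUPTING) return CASE_1;
            if (t[i].role == ROLE_TAKEOVER)   return CASE_3;
            if (taken_over)                   return CASE_4;
            if (corrupted)                    return CASE_2;
            return CASE_NONE;  /* fault with no observed corruption: not a memory attack */
        }
        if (t[i].role == ROLE_CORRUPTING) corrupted = 1;
        if (t[i].role == ROLE_TAKEOVER && corrupted) taken_over = 1;
    }
    return CASE_NONE;      /* no fault in the trace */
}

/* Constructed sample traces, one per case; addresses are arbitrary. */
static const struct trace_entry SAMPLE_CASE1[] = {
    { 0x1000, ROLE_NORMAL, 0 },
    { 0x1004, ROLE_CORRUPTING, 1 },  /* overflow runs off the end of the stack: c = f */
};
static const struct trace_entry SAMPLE_CASE2[] = {
    { 0x1000, ROLE_NORMAL, 0 },
    { 0x1004, ROLE_CORRUPTING, 0 },  /* pointer c overwritten, no fault yet */
    { 0x1008, ROLE_NORMAL, 1 },      /* (*c)++ dereferences the bad pointer */
};
static const struct trace_entry SAMPLE_CASE3[] = {
    { 0x1000, ROLE_NORMAL, 0 },
    { 0x1004, ROLE_CORRUPTING, 0 },
    { 0x100c, ROLE_TAKEOVER, 1 },    /* return to a guessed address that is unmapped: t = f */
};
static const struct trace_entry SAMPLE_CASE4[] = {
    { 0x1000, ROLE_NORMAL, 0 },
    { 0x1004, ROLE_CORRUPTING, 0 },
    { 0x100c, ROLE_TAKEOVER, 0 },    /* guessed address happened to be mapped */
    { 0x4000, ROLE_NORMAL, 1 },      /* inconsistent execution crashes later */
};

int main(void)
{
    printf("trace 1 -> case %d\n", classify_crash(SAMPLE_CASE1, COUNT(SAMPLE_CASE1)));
    printf("trace 2 -> case %d\n", classify_crash(SAMPLE_CASE2, COUNT(SAMPLE_CASE2)));
    printf("trace 3 -> case %d\n", classify_crash(SAMPLE_CASE3, COUNT(SAMPLE_CASE3)));
    printf("trace 4 -> case %d\n", classify_crash(SAMPLE_CASE4, COUNT(SAMPLE_CASE4)));
    return 0;
}
```

Note that the model only distinguishes Case 3 from Case 4 because the trace records whether the take-over instruction itself faulted; from the crash alone that information is exactly what the "Converting Case 4" slides say is missing, which is why the paper re-executes under a different layout.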

  15. Diagnosis
  Who? The monitor and the diagnosis engine, triggered by a memory access violation exception
  How?
  • Identifying the faulting instruction
  • Converting Case 4 crashes
  • Tracing the corrupting instruction

  16. Identifying the faulting instruction
  Goal: find the address of the faulting instruction f
  Two cases:
  • Simple case: f = the instruction preceding the current PC
  • Complex case: f = an indirect control-flow transfer instruction, and the PC = the invalid memory address that caused the access violation
  If it is not the complex case then it is the simple case!!

  17. Complex case
  • C = { m } = the indirect control-flow instructions in the program
  • Decode and compute the target address a for each m
  • Keep f = the last such instruction executed before the memory access violation, i.e. the one whose computed target a equals the current PC register
  • Use breakpoints on the instructions in C to observe them
  (Diagram: instructions X and Y with computed targets x and y.)
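The simple/complex decision from slides 16 and 17, as an added example that is not code from the slides or the paper. It works on a constructed, simplified view of the process: a sorted list of decoded instruction start addresses, the code segment bounds, and the monitor's log of indirect control transfers with the target computed for each (the struct names, the helper find_faulting_insn and the sample data are all assumptions made here for illustration). If the faulting PC still lies in code, f is the instruction preceding it, as the slide states; otherwise the PC is the invalid target and f is the most recent logged indirect instruction that computed that target.

```c
#include <stddef.h>
#include <stdio.h>

#define NO_INSN ((unsigned long)-1)

/* Decoded program: instruction start addresses in ascending order. */
struct program {
    const unsigned long *insn_addrs;
    size_t n_insns;
    unsigned long code_start, code_end;   /* [code_start, code_end) */
};

/* Log written at breakpoints on the set C = { m } of indirect control
 * transfers: the instruction address and the target it computed (a). */
struct indirect_log {
    const unsigned long *insn_addr;
    const unsigned long *target;
    size_t n;
};

/* Return the address of the faulting instruction f, or NO_INSN if it
 * cannot be determined from the available information. */
unsigned long find_faulting_insn(const struct program *p,
                                 const struct indirect_log *ilog,
                                 unsigned long fault_pc)
{
    if (fault_pc >= p->code_start && fault_pc < p->code_end) {
        /* Simple case: the PC points into code, so take the instruction
         * that precedes the current PC in the decoded program. */
        unsigned long prev = NO_INSN;
        for (size_t i = 0; i < p->n_insns; i++) {
            if (p->insn_addrs[i] >= fault_pc) break;
            prev = p->insn_addrs[i];
        }
        return prev;
    }
    /* Complex case: the PC itself is the invalid address, so an indirect
     * control transfer jumped there. Search the log from the most recent
     * entry backwards for the instruction whose computed target is the PC. */
    for (size_t i = ilog->n; i-- > 0;) {
        if (ilog->target[i] == fault_pc) return ilog->insn_addr[i];
    }
    return NO_INSN;
}

/* Constructed sample: five instructions, an indirect call at 0x1008 that
 * targeted 0x1010 and a return at 0x100c whose corrupted target was 0x4000. */
static const unsigned long INSNS[] = { 0x1000, 0x1003, 0x1008, 0x100c, 0x1010 };
const struct program PROG = { INSNS, 5, 0x1000, 0x1100 };
static const unsigned long LOG_INSN[]   = { 0x1008, 0x100c };
static const unsigned long LOG_TARGET[] = { 0x1010, 0x4000 };
const struct indirect_log LOG = { LOG_INSN, LOG_TARGET, 2 };

int main(void)
{
    printf("PC 0x4000 (invalid) -> f = 0x%lx\n", find_faulting_insn(&PROG, &LOG, 0x4000));
    printf("PC 0x1008 (in code) -> f = 0x%lx\n", find_faulting_insn(&PROG, &LOG, 0x1008));
    printf("PC 0x5000 (no log)  -> f = 0x%lx\n", find_faulting_insn(&PROG, &LOG, 0x5000));
    return 0;
}
```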

  18. Converting Case 4
  Eliminate the possibility of a Case 4 crash
  • No way to differentiate the cases from the crash alone
  • Use random re-execution
  • Convert to the other cases

  19. Converting Case 4 (contd.)
  (Diagram: the take-over instruction t, Jmp 4000, executed under memory layout A (Case 4) is re-executed under memory layout B, where 4000 is made invalid; the jump then raises a memory access violation exception, converting the crash to Case 3, or to Case 1 or Case 2.)

  20. Tracing the corrupting instruction
  Basic idea
  • Trace back to the instruction that wrote the corrupted data, and repeat, until network input data is reached
  Not sure how it works!!

  21. Signature Generation
  Two types:
  Pure message signature
  • Uses a critical byte sequence from the attack
  • Unacceptable false positive rate
  Message signature correlated with program execution state
  • Low false positive rate
  • Speeds up message filtering
  • High detection rate
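Why the pure message signature has an unacceptable false positive rate while the correlated one does not, as an added example that is not code from the slides or the paper. The toy filter below assumes (for illustration only) that the vulnerable routine copies one message field, the bytes after a fixed header, into a stack buffer, and that diagnosis located the corrupted data CRITICAL_OFFSET bytes past the buffer start; the "program execution state" correlated with the message is then the field length needed to reach that data. The function names, constants and the three sample messages are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN 4          /* constructed: fixed message header length */
#define CRITICAL_OFFSET 16    /* constructed: buffer start to corrupted data */

struct signature {
    const unsigned char *critical;   /* byte sequence observed in the attack */
    size_t critical_len;
};

/* Pure message signature: flag any message containing the byte sequence. */
bool match_pure(const struct signature *s, const unsigned char *msg, size_t len)
{
    if (len < s->critical_len) return false;
    for (size_t i = 0; i + s->critical_len <= len; i++)
        if (memcmp(msg + i, s->critical, s->critical_len) == 0) return true;
    return false;
}

/* Correlated signature: additionally require that the copied field is long
 * enough to reach the corrupted data, i.e. that this message would actually
 * drive the program into the Critical Data Corruption state. */
bool match_correlated(const struct signature *s, const unsigned char *msg, size_t len)
{
    if (!match_pure(s, msg, len)) return false;
    size_t field_len = len > HEADER_LEN ? len - HEADER_LEN : 0;
    return field_len > CRITICAL_OFFSET;
}

/* Constructed samples. CRITICAL stands for the attacker's guessed address. */
static const unsigned char CRITICAL[] = { 0x00, 0x00, 0x40, 0x00 };
const struct signature SIG = { CRITICAL, sizeof CRITICAL };

/* Attack: header, 20 filler bytes, then the critical bytes at field offset 20. */
const unsigned char MSG_ATTACK[] = {
    'H', 'D', 'R', ' ',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    0x00, 0x00, 0x40, 0x00
};
/* Benign: same byte sequence, but the field is far too short to corrupt anything. */
const unsigned char MSG_BENIGN[] = { 'H', 'D', 'R', ' ', 0x00, 0x00, 0x40, 0x00, 'x', 'y' };
/* Unrelated traffic without the sequence. */
const unsigned char MSG_OTHER[] = { 'H', 'D', 'R', ' ', 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("attack : pure=%d correlated=%d\n",
           match_pure(&SIG, MSG_ATTACK, sizeof MSG_ATTACK),
           match_correlated(&SIG, MSG_ATTACK, sizeof MSG_ATTACK));
    printf("benign : pure=%d correlated=%d\n",
           match_pure(&SIG, MSG_BENIGN, sizeof MSG_BENIGN),
           match_correlated(&SIG, MSG_BENIGN, sizeof MSG_BENIGN));
    printf("other  : pure=%d correlated=%d\n",
           match_pure(&SIG, MSG_OTHER, sizeof MSG_OTHER),
           match_correlated(&SIG, MSG_OTHER, sizeof MSG_OTHER));
    return 0;
}
```

The benign message is the false positive the slide refers to: a four-byte sequence is common enough in ordinary traffic that the pure signature fires on it, while the correlated signature only fires when the message could reach the corrupted data.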

  22. Experimental Evaluation Effectiveness of Diagnosis

  23. Contribution
  • Automation improves the efficiency of problem diagnosis
  • Model for defense against and analysis of memory corruption attacks

  24. Weaknesses
  • Address Space Randomization is susceptible to brute-force attacks
  • Implementation of the suggested prototype requires extensions
  • Gives little information about the type of memory corruption that occurred
  • At some points, the explanation is difficult to understand

  25. How To Improve
  • Explanations and diagrams must be accompanied by examples
  • A few terms, such as memory corruption and address space randomization, must be elaborated

  26. References
  • Wikipedia
  • Address Space Layout Permutation, by Chongkyung Kil

  27. QUESTIONS????
