1 / 19

Control-Data Attack

Non-Control-Data Attacks Are Realistic Threats Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Presented by Stephen Karg October 12, 2005. Control-Data Attack. Control Data : Data loaded to program counter during execution. e.g. return address, function pointer…

sancha
Download Presentation

Control-Data Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Non-Control-Data Attacks Are Realistic ThreatsShuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. IyerPresented byStephen KargOctober 12, 2005

  2. Control-Data Attack • Control Data: Data loaded to program counter during execution. • e.g. return address, function pointer… • Currently the most dominant attack. • The common pattern of most memory attacks we’ve seen so far: • Hijack target programs. • Inject own code or out-of-context library. • Make system calls to spawn root shell.

  3. Non-Control-Data Attack(a.k.a. Pure Data Exploits) • Also memory corruption, but control-flow remains unaffected. • No shell code, no system calls. • Virtually unseen in the wild. Q: Why so rare? A: Harder to mount attack, requires application-specific semantic knowledge. Q: So why do we care? A: Necessity is the mother of invention.

  4. Thesis • As Control-Data defenses continue to improve, attackers will be more motivated to seek alternatives. • Non-Control-Data attacks result in security compromises just as severe as Control-Data attacks (i.e. root privilege escalation). • Inadequate protections currently in place.

  5. How do they work? • Use known exploits to overwrite NCD: • Stack Overflow • Format string vulnerabilities • Heap overflow • Signed integer overflow • NCD often associated with authentication or access control privileges. • Manual source-code analysis needed to expose NCD exploits.

  6. Security-Critical NCD • Configuration Data • User Input • User Identity Data • Decision-Making Data All can be corrupted to gain access to various well know network server applications.

  7. 1. Configuration Data Attack • Site-specific config. files in common server applications (ftp, ssh, http, etc.) can define access control policies. • E.g. Linux Null HTTPD server’s CGI-BIN configuration string: • restricts users from executing programs outside specified path. • Use heap corruption to transform string: /usr/local/httpd/cgi-bin\0  /bin\0 • Can then run /bin/sh as legitimate CGI program. • Root shell access with 3 POST commands!

  8. 2. User Identity Data Attack • Known format-string exploit on the popular WU-FTP server used to corrupt data structure so EUID can be reverted to 0 (yay!). • putand get commands invoke: • pw->pw_uid cached copy of user ID on heap.

  9. 3. User Input Data Attack • Stack overflow on GHTTPD used to gain root with a single GET command! GET AA…AA\xdc\xd7\xff\xbf <-<-/cgi-bin/../../../../bin/sh • Classic TOCTTOU attack with invalid path. • Server checks 1st part of command for the old “/..” trick. • Pointer to the now “ok” URL is then corrupted to reference illegal string in 2nd part of GET.

  10. 4. Decision-Making Data Attack • Integer Overflow exploit on multiple SSH servers allows attacker to log on as root. • Client responds to root password request with packet formulated to trigger overflow in the detect_attack() function :) • Overflow corrupts value of the boolean flag: authenticated to non-zero value. Done.

  11. Defensive Techniques that Don’t Work • StackSheild won’t work, no address change. • IDS System Call Tracing? Won’t work, unchanged. • Non-Executable-Memory protections? Irrelevant. No injected code. • Memory/Type Safety Enforcement Can prevent some NCD attacks but with very high overhead and migration costs, currently unsuitable for high-traffic network applications.

  12. Defensive Techniques & Mitigations • StackGuard and FormatGuard are still effective against both attacks using those initial exploits. • Minimize lifetime of critical data structures or reinitialize w/safe values (e.g. authenticated). • Encrypt sensitive configuration data.

  13. Other Potential Defenses/Research • PointGuard (pointer encryption compiler technique). Still needs work. • Address-Space randomization. • Helpful but will not stop determined attack. • Taintcheck - partially effective. • Brutal overhead cost (5-37x), false-positives • Extend IDS to include data-flow analysis (in addition to control-flow). • Heuristic analysis of function parameter signatures.

  14. Conclusions • IDS based on just Control Flow integrity insufficient. • Current defensive techniques are not comprehensive, and only provide partial coverage of NCD exploits. • No generic memory protection available at a reasonable (runtime) cost. • Safer running closed-source apps??

More Related