The Evolution of Stack Control Flow Attacks

Slide 1

Slide 1 text

The Evolution of Stack Control Flow Attacks Xiaokui Shu 10/16/2013

Slide 2

Slide 2 text

Stack Control Flow Attacks The Evolution A1. Smashing the stack Need shellcode A2. Return into library No shellcode A3. Return Oriented Programming (ROP) No argument assumption A4. ROP without returns No suspicious ret on stack

Slide 3

Slide 3 text

Stack Control Flow Attacks Basic Ideas Foundation Stack overflow Ultimate goal Hijacking control flow Security perspective Compromising Control Flow Integrity (CFI)

Slide 4

Slide 4 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address Just in main() EBP ESP

Slide 5

Slide 5 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address main(), start execute foo(1) subl $4, %esp EBP ESP

Slide 6

Slide 6 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address main(), start execute foo(1) movl $1, (%esp) EBP ESP parameter

Slide 7

Slide 7 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address main(), start execute foo(1) call foo EBP ESP parameter ret addr

Slide 8

Slide 8 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address foo(), start execute pushl %ebp EBP ESP parameter ret addr frame ptr

Slide 9

Slide 9 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address foo(), start execute movl %esp, %ebp EBP ESP parameter ret addr frame ptr

Slide 10

Slide 10 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address foo(), prepare printf() subl $8, %esp EBP ESP parameter ret addr frame ptr

Slide 11

Slide 11 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address foo(), start to return leave EBP ESP parameter ret addr frame ptr leave == movl %ebp, %esp; pop %ebp;

Slide 12

Slide 12 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address foo(), returning ret EBP ESP parameter ret addr frame ptr EIP

Slide 13

Slide 13 text

Calling and Returning void foo(int x) { printf("%d", x); } int main() { foo(1); return 0; } Main Scope High Address Low Address main(), post-return stuff addl $4, %esp EBP ESP parameter ret addr frame ptr

Slide 14

Slide 14 text

A1. Smashing The Stack Main Scope High Address Low Address parameter ret addr frame ptr overwrite ret addr NOP-sled ret addr shell code

Slide 15

Slide 15 text

What if the stack is non-executable? What if the shellcode is too long? Assumption: shellcode execution on the stack

Slide 16

Slide 16 text

A2. Return Into Library Main Scope High Address Low Address parameter ret addr frame ptr ret addr parameter main() foo() libc::system() foo() libc::exit() libc::system() foo()

Slide 17

Slide 17 text

A2. Return Into Library Main Scope High Address Low Address parameter ret addr frame ptr overwrite ret addr Don’t care addr3 addr1 parameter addr2 Don’t care libc::system() libc::exit() “/sh/bash” ret addr

Slide 18

Slide 18 text

A2. Return Into Library High Address Low Address Don’t care addr3 addr1 addr2 Don’t care ret addr EBP ESP frame ptr system(), start execute pushl %ebp foo(), start to return leave foo(), returning ret system(), start execute movl %esp, %ebp

Slide 19

Slide 19 text

A2. Return Into Library High Address Low Address Don’t care addr3 frame ptr addr2 Don’t care ret addr EBP ESP frame ptr system(), start execute pushl %ebp foo(), start to return leave foo(), returning ret system(), start execute movl %esp, %ebp

Slide 20

Slide 20 text

A2. Return Into Library High Address Low Address Don’t care parameter frame ptr ret addr Don’t care ret addr EBP ESP frame ptr libc::exit() “/sh/bash” We are now inside library call system() #include int system(const char *cmd);

Slide 21

Slide 21 text

What if the arguments are in registers? What if system() is not available? Assumption: arguments are on the stack Assumption: system()

Slide 22

Slide 22 text

A3. Return Oriented Programming Main Scope High Address Low Address parameter ret addr frame ptr overwrite ret addr Don’t care addr5 parameter addr4 ins; ins; ret; ins; ret; ret addr addr2 addr1 ins; ins; ret; ins; ret; ins; ret; Every ret pops the next addr into EIP All ins’ are executed in a line to make up a shellcode data1 data2 addr3

Slide 23

Slide 23 text

A3. Return Oriented Programming Gadgets What are they? Consecutive instructions followed by ret Where to find? Any loaded .text section in the memory Why is it feasible? Because libraries are huge How powerful are they? Turing-complete instruction set

Slide 24

Slide 24 text

A3. Return Oriented Programming Gadget Categories load-store lea esi, [ebx + 8*eax + 4] arithmetic & logic v1++ v1 = v2 & v3 control flow jump T1 system calls call syscall with arguments

Slide 25

Slide 25 text

A3. Return Oriented Programming root@kali:/tmp# msfrop -v metsrv.dll Collecting gadgets from metsrv.dll Found 4829 gadgets metsrv.dll gadget: 0x10001057 0x10001057: leave 0x10001058: ret metsrv.dll gadget: 0x10001241 0x10001241: leave 0x10001242: ret metsrv.dll gadget: 0x1000132e 0x1000132e: leave 0x1000132f: ret metsrv.dll gadget: 0x1000138c 0x1000138c: leave 0x1000138d: ret …

Slide 26

Slide 26 text

A3. Return Oriented Programming p += pack("

Slide 27

Slide 27 text

Tim Kornau, A gentle introduction to return-oriented programming

Slide 28

Slide 28 text

What if ret is under inspection? Assumption: no anomaly detection on stack

Slide 29

Slide 29 text

A4. ROP Without Returns Besides ret What does ret do? movl %esp, %eip addl $4, %esp What is its equivalent? an update-load-branch sequence What is an x86 example? pop %eax; jmp *%eax; How to deal with the rarity of it? Use it as a trampoline

Slide 30

Slide 30 text

A4. ROP Without Returns Reserve a register to store the address of the trampoline Stephen Checkoway, Return-Oriented Programming without Returns

Slide 31

Slide 31 text

A4. ROP Without Returns Demonstrating its feasibility The goal Turing-complete instruction set Environment Debian GNU/Linux 5.0.4 (“Lenny”) Libraries GNU libc 2.7 (1294572 bytes) Mozilla’s libxul (11857460 bytes) libphp5 (5450680 bytes)

Slide 32

Slide 32 text

A4. ROP Without Returns Demonstrating its feasibility Gadgets found 34 instruction sequences ending with jmp x Gadgets Categories load immed move load store add add immed substract negate and and immed or or immed xor xor immed complement branch uncond branch cond set less than func call

Slide 33

Slide 33 text

A4. ROP Without Returns • Two stack overflows • None of them overwrites the return address • First overflow: store ROP addresses and data • Second overflow: overwrite a function pointer Current Scope High Address Low Address Completely stop using ret in the ROP attack EBP ESP ret addr Disused Scope 1st Overflow 2nd Overflow

Slide 34

Slide 34 text

A4. ROP Without Returns No-return exploits Stack buffer overflow Needs two Vtable overwritten Open problem setjmp and longjmp Needs a ROP buffer

Slide 35

Slide 35 text

Stack Control Flow Attacks References A1. Smashing the stack Smashing The Stack For Fun And Profit A2. Return into library On the Expressiveness of Return-into-libc Attacks A3. Return Oriented Programming (ROP) The Geometry of Innocent Flesh on the Bone: Return- into-libc without Function Calls A4. ROP without returns Return-Oriented Programming without Returns

Slide 36

Slide 36 text

THANK YOU!