Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-spec embedded devices. - YUUMA TAKI 1

Self introduction Yuuma Taki ・Hokkaido Information University Department of Information Media A Senior ・Interested in lower layer security around OS and CPU. Having Researched KASLR deployment using Prekern at SecHack365. A Japanese security Hackathon 2

Overview ・Investigate possibilities of ROP attacks against OSs and processors for embedded systems. → Execute vulnerable test programs on embedded system, launch ROP Attack(details later). →Emulate both high spec and low spec embedded devices using QEMU. 3

Background ・Radically Increase demand for embedded systems by proliferation of IoT devices. → Due to various restrictions in some embedded devices, cannot deploy rich security systems. ・Low Power ・Small Capacity ・Low Electricity Consumption ・High Power ・Large Capacity ・High Electricity Consumption 4

Background ・Evolution of Return Oriented Programming(ROP) Attacks →ROP attack is an attack combining code execution snippets inside a program to perform arbitrary processing. →Derivative techniques of ROP attacks are being researched. ・ROP attacks can be utilized to various architectures. 5

Previous Research A ROP countermeasure: Implementing security controls such as Control-Flow Integrity Drawback: High cost to execute the security controls. →Implementing security control in low-spec embedded devices is difficult. 6

This Research ・Investigate embedded devices that have no ROP countermeasures. ・Devising a new countermeasures which can be implemented to low spec embedded devices 7

ROP Overview ・What is ROP(Return Oriented Programming) ？ →Attack method devised to circumvent Nxbit security control. ・No eXecutable bit (NX bit) → Security control that disables code execution of code set in the heap or stack region. This can hinder shell code execution by exploiting stack overflow vulnerabilities. 8

Visualizing ROP ・ROP Attack →Trigger code execution by chaining code fragments called gadgets into a ROP chain. Command fragment 1 Command fragment 2 Command fragment 3 Command fragment 4 Command fragment 5 Command fragment 6 Ordinary Execution File Command Fragment 1 Command Fragment 3 Command Fragment 5 Command Fragment 6 ROP Chain Collect command fragments needed for attack Code Region Data Region Execution File ROP Chain Embed into ROP Chain 9

ROP on x86_64 ・Execute system(/bin/sh) to steal control Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code buf (0x10) rbp rsp saved rbp Return Address rbp + 8 ! ! ! Stack Region Register rdi: Store parameter 1 rsi: Store parameter 2 rdx: Store parameter 3 rip: Store next address for execution rbp: Store lowest address inside the stack frame rsp: Store stack top address 10

・Write ROP chain by filling up to the return address with ‘A’ ROP on x86_64 Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 11 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code buf (0x10) rbp rsp saved rbp Return Address rbp + 8 ! ! ! Stack Region Register rdi: Store parameter 1 rsi: Store parameter 2 rdx: Store parameter 3 rip: Store next address for execution rbp: Store lowest address inside the stack frame rsp: Store stack top address

ROP on x86_64 AAAAAAAA AAAAAAAA rsp AAAAAAAA 0x400100 “/bin/sh” Address ‘system’ actual address ・After embedding ROP Chain Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 12 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code Stack Region Register rdi: Store parameter 1 rsi: Store parameter 2 rdx: Store parameter 3 rip: Store next address for execution rbp: Store lowest address inside the stack frame rsp: Store stack top address

ROP on x86_64 AAAAAAAA AAAAAAAA rsp AAAAAAAA 0x400100 “/bin/sh” Address ‘system’ actual address Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 13 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code Stack Region Register rdi: Store parameter 1 rsi: Store parameter 2 rdx: Store parameter 3 rip: 0x400100 rbp:0x4141414141414141 rsp: Store stack top address ・Right after processing functions (pop rbp; ret;)

ROP on x86_64 Stack top “/bin/sh” address gets stored into rdi at pop rdi execution ・pop rdi execution time Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 14 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code Stack Region AAAAAAAA AAAAAAAA rsp AAAAAAAA 0x400100 “/bin/sh” Address ‘system’ actual address Register rdi: “/bin/sh” address rsi: Store parameter 2 rdx: Store parameter 3 rip: 0x400102 rbp:0x4141414141414141 rsp: Store stack top address

ROP on x86_64 By ret command the ‘system’ actual address gets stored in rip ・ret execution time Assembly Command Used pop xxx: Contain rsp value into xxx register ret: Same value for pop rip 15 0x400100: pop rdi 0x400102: ret : 0x400200: pop rsi 0x400202: ret : 0x400300: pop rdx 0x400302: ret : Assembly Code Stack Region AAAAAAAA AAAAAAAA rsp AAAAAAAA 0x400100 “/bin/sh” Address ‘system’ actual address Register rdi: “/bin/sh” address rsi: Store parameter 2 rdx: Store parameter 3 rip: ‘system’ actual address rbp:0x4141414141414141 rsp: Store stack top address

Effective Security Countermeasures against ROP① Address Space Layer Randomization(ASLR): ASLR is a security measurement that randomize the address space where program code and data are stored, which makes access to specific code and data difficult. KASLR is ASLR deployed to the kernel 16

ASLR Assembly Code buf (0x10) rbp rsp saved rbp Return Address rbp + 8 ! ! ! Stack Region Register rdi: Store parameter 1 rsi: Store parameter 2 rdx: Store parameter 3 rip: Store next address for execution rbp: Store lowest address inside the stack frame rsp: Store stack top address 17 0x400100: 0x400102: : 0x400200: 0x400202: : 0x400300: 0x400302: : pop rdi ret pop rsi ret pop rdx ret ?????? ?????? ?????? ?????? ?????? ?????? Address of the instruction has been randomized, so building ROP chains is not possible.

Effective Security Countermeasures against ROP② 18 Control-Flow Integrity (CFI): Security measure that creates a model of normal control flow then compares that model to the flow at execution time to detect anomalous control flow.

CFI normal control flow main() ↓ function1() ↓ function2() ↓ function3() Jumping to Instructions in Other Functions with ROP main() ↓ function1() ↓ function3() Record normal control flow at compile time. ok!

ASLR Weaknesses ・In less than 32 bit address space, address leaks can be triggered by brute force attacks. →Not realistic to implement in low spec embedded devices with narrow address space. 20

CFI Weakness ・Resource intensive for the processor, therefore, requires high capability CPU →Difficult to implement into low spec embedded devices. 21

Details regarding the ROP evaluation in this research ・Using simple ROP attacks. →Find embedded devices that can be overtaken with simple ROP ・Use QEMU to emulate embedded devices. →QEMU enables us to check the register and memory content in the guest environment. 22

R0P examination using QEMU The schematics is as following: 23

ROP Examination ・Conducted ROP Examination in the following three environments. - CentOS6 on i686 - Raspberry Pi OS on Arm Cortex-a53 24

ROP demo on CentOS6 on i686 ・Emulate CentOS6 on i686 using QEMU and launch ROP attack against vulnerable test server. Attack 25

Attack Target Environment OS: CentOS6.0 Arch: x86 Server program source code: http://kozos.jp/samples/rop-sample.html Security measures: ・NX bit: Active ・SSP: Inactive ・ASLR: Inactive ・CFI: Inactive 26

ROP Demo against CentOS6 on i686 27

Examination Results ・Because many security measures such as SSP and ASLR are active by default, unless those are made inactive a simple ROP attack will not result in gaining control. 28

ROP against Raspi OS on Arm Cortex-a53 ・Emulate Raspi OS on Arm Cortex-a53 using QEMU and launch ROP attack against vulnerable test server. 29

Attack Target Environment OS: Raspberry Pi OS Arch: Armv8-A Server program source code: http://kozos.jp/samples/rop-sample.html Processor execution state: AArch32 Security Measures: ・NX bit: Active ・SSP: Inactive ・ASLR: Inactive ・CFI: Inactive 30

ROP demo against Raspi OS on Arm Cortex-a53 31

Exploit code (ROP chain part) R0 register: store parameter 1 pc register: Program counter register r4 register: Not used here 32

Examination Results ・Raspberry Pi 3B+ is a high spec embedded device and many security measures are available, therefore without disabling these security measures ROP attack was unsuccessful. 33

Verification summary so far Security※ Target NX bit ASLR SSP CFI CentOS6 on i686 〇 〇 〇 × RaspiOS on Arm Cortex-A53 〇 〇 〇 × ZephyrOS on Arm Cortex-M0 ？ ？ ？ ？ ※Enabled by default

ROP attack to low spec embedded device Investigate possibilities of ROP attacks against ZephyrOS on Arm Cortex-M0. →Survey results, ZephyrOS on Arm Cortex-M0 may not have countermeasures against ROP.

ZephyrOS ・An Embedded OS that can run on boards with strict restrictions. ・ZephyrOS can be utilized to various boards. e.g. Arduino-mega2560, microbit, STM32F0 series…

Memory protection in ZephyrOS The following Memory protection are implemented. ・Stack protection ・Memory isolation ・Thread isolation Requires MPU

Memory Protection Unit(MPU) ・In, low-spec processors that cannot implement MMU, Critical hardware for Memory protection ・Divide the address space into several areas, set access rights for each area.

Arm Cortex-M0 ・As a low-power processor, it is used in STM32F0 series board and microbit. ・Memory Protection Unit(MPU) is not implemented, security using MPU used in many OS cannot be applied.

ROP attack countermeasure on low spec embedded devices. ・In Computer Security Symposium2022, I received the following proposal. 40 ・Stack protection →Detecting Return address errors ・Simplified CFI →Detecting ROP-specific memory violations by monitoring control flow. Invalid function calls occur after ROP.

Conclusion ・When CFI and ASLR are not applied in the program gaining control is possible with a simple ROP attack. ・Consider implementing ROP countermeasures in low spec embedded devices, implement security measures if necessary. 41

Acknowledgements ・Special thanks to the National Institute of Information and Communications Technology organized SecHack365 and its trainer Hiroaki Sakai , who showed the basics of program execution and debug methods, which this research is founded upon. Thank you Mr.Sakai and all SecHack365 staff. 42

Thank You For Your Kind Attention. 43