Experiments on ROP Attack with Various Instruction Set Architectures

Transcript

1. Experiments on ROP Attack with Various Instruction Set Architectures 1

   GMO Cybersecurity by Ierae Yuma Taki University of Nagasaki Masayuki Fukumitsu Hokkaido Information University Tsubasa Yumura

2. Abstract Background ・Increasing the ROP attacks ・Implementing countermeasures e.g. CFI

   ・Developing gadget search tools e.g. RiscyROP[16] →Reconsidering the possibility of ROP attacks Contribution ・Investigating the latest trends in ROP ・Experimenting and verifying the possibility of ROP attacks to three types of target environments ・Discussing a simple architectural design which can mitigate ROP attack 2

3. Background Evolution of ROP ・Although progress is being made in

   implementing security mechanisms, a response is required on the architecture side. Difficulty in ROP attacks due to differences in architecture design ・The difficulty of ROP attacks is greatly influenced by architectural design differences such as function calling conventions. 3 [16] T. Cloosters, D. Paaßen, J. Wang, O. Draissi, P. Jauernig, E. Stapf, L. Davi, and A.-R. Sadeghi, "Riscyrop: Automated return-oriented programming attacks on risc-v and arm64," in RAID '22. pp. 30‒42, 2022. ROP attack will be explained later

4. 4 Threat Bypass of Security mechanisms Arbitrary Code Execution Target

   x86 AArch32 AArch64 Versatility Blind ROP, kROP, etc. Diverse derived techniques Danger of ROP Attack

5. About ROP Attack ・Attack using stack buffer overflow attack ・Can

   perform arbitrary processing ・Bypass NXbit NX bit: Security mechanism that prohibits code execution outside the specified area ・Connect a bunch of assembly instructions (code snippet) to be attacked, build a ROP chain and embed it in the stack area 5

6. Principle of ROP Attack Code Segment Snippets3 ROP Chain Collect

   Snippets needed for attack Binary ROP Chain Code Segment Data Segment 6 … … 0x10694: pop {r4, r5, r6, r7, r8, sb, sl, pc} 0x103ac: pop {r3, pc} 0x10684: mov r0, r7 0x10688: blx r3 0x1067c: mov r2, r9 0x10680: mov r1, r8 0x103ac: pop {r3, pc} 0x10684: mov r0, r7 0x10688: blx r3 0x10694: pop {r4, r5, r6, r7, r8, sb, sl, pc} Data to assign to registers 0x103ac: pop {r3, pc} 0x10684: mov r0, r7 0x10688: blx r3 0x10694: pop {r4, r5, r6, r7, r8, sb, sl, pc} Snippets2 Snippets1 Data to assign to registers Data to assign to registers Data to assign to registers

7. Func2 Security Countermeasures against ROP Control-Flow Integrity (CFI) ・Monitor control

   flow and prevent ROP attacks ・Armv8-M architecture advances CFI implementation [12] ArmPAC ・Embed the authentication code in the first 16 bits of the function pointer to detect ROP attacks 7 [12] T. Kawada, S. Honda, Y. Matsubara, and H. Takada, "Study on multitasking-aware control-flow integrity based on trustzone for armv8-m," in Embedded System Symposium, pp. 71‒74, 2018. (in Japanese) Func1 Func3 Func1 CFI

8. Our Contributions ・Investigated the latest trends in ROP attack and

   demonstrated. ・Confirmed that ROP attacks can be mitigated using only the function call method. 8 Target Possibility ROP Attack (A) x86 environment ? (B) ARM32 environment ? (C) ARM64 environment ?

9. Our Experiments 9

10. Experiments Overview ・Three types of attack environments were prepared and

    ROP attacks were verified. ・The environment was constructed using QEMU so as not to affect the outside world. ・To focus on differences in architecture, disable security mechanisms provided by the OS and compiler 10 Attacker side Target Exploit Code Vulnerable Test Program Attack Host Guest to steal the shell…

11. Research Ethical Considerations ・Due to QEMU settings, the compromised environment

    is blocking communication with anything other than the host environment. ・Attack verification is performed on the test program, it does not affect specific products or services. 11

12. Three Types of Target Environments 12 Env. name Processor Architecture

    OS Execution State (A) x86 i686 x86 CentOS6 - (B) ARM32 Arm Cortex-A53 Armv8-A RaspiOS AArch32 (C) ARM64 Arm Cortex-A53 Armv8-A Nuttx AArch64

13. Test Program Test program used for x86, ARM32 Sakai’s ROP

    verification program [18] 13 Test program used for ARM64 Self-made test program [18] H. Sakai, "Sample of rop experiment," https://kozos.jp/samples/rop-sample.html, (in Japanese, Accessed on August 1, 2023). Prepared for ROP attack verification ・have buffer overflow vulnerabilities

14. Attacker Side Assumptions of the attacker ・Has the executable file

    of the attack target program and can perform various analyzes Search for code snippets ・Use analysis tools (rp++, ropper) to search for code snippets that can be used for attacks Creating exploit code ・Create a ROP chain according to the target architecture ・Create attack code to embed ROP chain using Pwntools 14

15. Env. (A): x86 Environment 15 Target OS Architecture Design LR

    Instruction size PC (A) x86 Environment CentOS6 N/A Variable Unrewritable ROP Possibility Possible

16. Env. (A): Function calls on x86 Processing in caller The

    call instruction pushes the return address and jumps to the function. Processing in callee After pushing the caller's stack base pointer, allocate a buffer. 16 buffer caller EBP Return address buffer caller EBP Return address

17. Env. (A): Exploit Code 17

18. Operating now Operating now To steal The shell x86 environment

    Attack! 18

19. Env. (B): ARM32 Environment 19 Target OS Architecture Design LR

    Instruction size PC (B) ARM32 Environment Raspi OS Available Fixed Rewritable Execution state: AArch32 ROP Possibility Possible

20. Env. (B): Function Calls on ARM32 Processing in caller The

    bl instruction stores the return address in the link register and jumps to the function. Processing in callee Basically, there is a push {fp, lr} instruction during the function prologue, after which the buffer is allocated. 20 buffer saved fp Return Address buffer saved fp Return Address

21. Env. (B): Exploit Code 21

22. ARM32 environment Operating now Operating now To steal the shell

    Attack! 22

23. Env. (C): ARM64 Environment 23 Execution state: AArch64 Target OS

    Architecture Design LR Instruction Size PC (C) ARM64 Environment Nuttx N/A Fixed Unrewritable ROP Possibility Impossible

24. Env. (C): Function Calls on ARM64 24 Processing in caller

    The bl instruction stores the return address in the link register and jumps to the function. Processing in callee Pushing the link register is performed at any timing. Therefore, the return address may be placed above the buffer to be prepared. buffer1 Saved Registers Return Address buffer2

25. Env. (C): Exploit Code 25

26. Env. (C): Analysis Demonstration 26 Analysis memory by GDB Debugger

    ・Setting breakpoint to confirm stack memory ・Just before jumping to roptest_main(function with buffer overflow vulnerable) Push as return address

27. Analysis Demonstration 27 Stack area after jumping to roptest_main Stack

    area after buffer overflow

28. Experiment Results Confirmed that ROP attacks can be mitigated using

    only the function call method 28 Target OS Architecture Design Possibility ROP Attack LR Instrcution size PC (A) x86 environment CentOS6 N/A Variable Unrewritable Possible (B) ARM32 environment RaspiOS Available Fixed Rewritable Possible (C) ARM64 environment Nuttx Available Fixed Unrewritable Impossible

29. Discussion Possibility of ROP attack in x86/ARM32 environment ・When a

    security mechanism is applied - ASLR and SSP can be avoided depending on the environment - Difficult to bypass properly implemented CFI →Implementing CFI is important 29

30. Discussion Possibility of ROP attack in ARM64 environment ・Security mechanisms

    added from ARMv8 - ArmPAC: Embed the authentication code in the first 16 bits of the function pointer to detect ROP attacks ・Architectural design that makes ROP attacks difficult - Fixed instruction size - Unrewritable PC registers - Arbitrary timing of return address push 30

31. Conclusion ・Investigated the latest trends in ROP attack and demonstrated.

    ・We confirmed that ROP attacks can be mitigated using only the function call method. 31 Target Possibility ROP Attack (A) x86 environment Possible (B) ARM32 environment Possible (C) ARM64 environment Impossible