Basic Control Hijacking Attacks - Stanford University · Dan Boneh
TRANSCRIPT
Dan Boneh
Control Hijacking
Basic Control Hijacking Attacks
Control hijacking attacks
• Attacker's goal:
  – Take over target machine (e.g. web server)
    • Execute arbitrary code on target by hijacking application control flow
• Examples:
  – Buffer overflow attacks
  – Integer overflow attacks
  – Format string vulnerabilities
Example 1: buffer overflows
• Extremely common bug in C/C++ programs.
  – First major exploit: 1988 Internet Worm. fingerd.
(chart: buffer overflow vulnerabilities per year) Source: web.nvd.nist.gov
What is needed
• Understanding C functions, the stack, and the heap.
• Know how system calls are made
• The exec() system call
• Attacker needs to know which CPU and OS are used on the target machine:
  – Our examples are for x86 running Linux or Windows
  – Details vary slightly between CPUs and OSs:
    • Little endian vs. big endian (x86 vs. Motorola)
    • Stack frame structure (Unix vs. Windows)
Linux process memory layout
Figure (addresses from low to high):
  0           : unused
  0x08048000  : loaded from exec
                runtime heap (top marked by brk)
  0x40000000  : shared libraries
                user stack (top at %esp)
  0xC0000000  : end of user space
Stack Frame
Figure (high address to low; stack growth is toward low addresses):
  arguments
  return address
  stack frame pointer
  exception handlers
  local variables
  callee saved registers   <- SP
What are buffer overflows?
Suppose a web server contains a function:
  void func(char *str) {
      char buf[128];
      strcpy(buf, str);
      do-something(buf);
  }
When func() is called the stack looks like:
Figure (high to low): argument: str, return address, stack frame pointer, char buf[128]  <- SP
What are buffer overflows?
  void func(char *str) {
      char buf[128];
      strcpy(buf, str);
      do-something(buf);
  }
What if *str is 136 bytes long? After strcpy:
Figure (high to low): argument: str, return address, stack frame pointer, char buf[128]  <- SP; the copy of *str fills buf and continues over the stack frame pointer and the return address.
Problem: no length checking in strcpy()
Basic stack exploit
Suppose *str is such that after strcpy the stack looks like:
Figure (low to high): char buf[128] now holds Program P: exec("/bin/sh"); the return address has been overwritten to point back into buf at Program P.
When func() exits, the user gets a shell! Note: attack code P runs in the stack.
(exact shell code by Aleph One)
The NOP slide
Problem: how does attacker determine ret-address?
Solution: NOP slide
• Guess approximate stack state when func() is called
• Insert many NOPs before program P: nop, xor eax,eax, inc ax
Figure (low to high): char buf[128] holds a NOP slide followed by Program P; the return address points somewhere into the NOP slide.
Details and examples
• Some complications:
  – Program P should not contain the '\0' character.
  – Overflow should not crash program before func() exits.
• (in)Famous remote stack smashing overflows:
  – Overflow in Windows animated cursors (ANI). LoadAniIcon()
  – Past overflow in Symantec virus detection
      test.GetPrivateProfileString "file", [long string]
Many unsafe libc functions
  strcpy (char *dest, const char *src)
  strcat (char *dest, const char *src)
  gets (char *s)
  scanf (const char *format, …)
  and many more.
• "Safe" libc versions strncpy(), strncat() are misleading
  – e.g. strncpy() may leave string unterminated.
• Windows C runtime (CRT):
  – strcpy_s (*dest, DestSize, *src): ensures proper termination
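Added example (not from the slides): the strncpy() termination pitfall next to a bounded copy with strcpy_s-like behaviour. copy_checked is a hypothetical helper written for this illustration, not the CRT's strcpy_s.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The strncpy() pitfall from the slide: when src is at least dest_size
 * bytes long, strncpy() writes no terminating NUL, and any later
 * strlen()/printf("%s") on dest reads past the buffer. dest is poisoned
 * first so a missing terminator is detectable. Returns true if dest
 * ended up NUL-terminated within dest_size. */
bool strncpy_terminates(char *dest, size_t dest_size, const char *src) {
    memset(dest, 'X', dest_size);
    strncpy(dest, src, dest_size);
    return memchr(dest, '\0', dest_size) != NULL;
}

/* Hypothetical bounded copy with strcpy_s-like semantics (an illustration,
 * not the CRT's implementation): always leaves dest NUL-terminated, and
 * refuses with -1 rather than silently truncating when src does not fit.
 * On success returns the number of bytes copied (excluding the NUL). */
int copy_checked(char *dest, size_t dest_size, const char *src) {
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    size_t n = 0;
    while (n < dest_size && src[n] != '\0')   /* never scans past dest_size bytes of src */
        n++;
    if (n == dest_size) {                      /* src needs more than dest_size bytes */
        dest[0] = '\0';                        /* leave a valid (empty) string behind */
        return -1;
    }
    memcpy(dest, src, n + 1);                  /* n + 1 includes the terminator */
    return (int)n;
}

int main(void) {
    char small[8];
    printf("strncpy left a terminator: %d\n",
           strncpy_terminates(small, sizeof small, "12345678"));   /* 0 */
    printf("copy_checked(8 chars):     %d\n",
           copy_checked(small, sizeof small, "12345678"));         /* -1 */
    printf("copy_checked(7 chars):     %d -> \"%s\"\n",
           copy_checked(small, sizeof small, "1234567"), small);   /* 7 */
    return 0;
}
```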
Buffer overflow opportunities
• Exception handlers: (Windows SEH attacks)
  – Overwrite the address of an exception handler in stack frame.
• Function pointers: (e.g. PHP 4.0.2, MS MediaPlayer Bitmaps)
  – Overflowing buf will override function pointer.
• Longjmp buffers: longjmp(pos) (e.g. Perl 5.003)
  – Overflowing buf next to pos overrides value of pos.
Figure: heap or stack with buf[128] adjacent to FuncPtr.
Corrupting method pointers
• Compiler generated function pointers (e.g. C++ code)
Figure: object T holds a vtable ptr and data; the vtable holds FP1, FP2, FP3 pointing to method #1, method #2, method #3.
• After overflow of buf:
Figure: buf[256] adjacent to object T; the overflow overwrites object T's vtable ptr so it points into a NOP slide followed by shellcode.
Finding buffer overflows
• To find overflow:
  – Run web server on local machine
  – Issue malformed requests (ending with "$$$$$")
    • Many automated tools exist (called fuzzers – next week)
  – If web server crashes, search core dump for "$$$$$" to find overflow location
• Construct exploit (not easy given latest defenses)
Control Hijacking
More Control Hijacking Attacks
More Hijacking Opportunities
• Integer overflows: (e.g. MS DirectX MIDI Lib)
• Double free: double free space on heap
  – Can cause memory mgr to write data to specific location
  – Examples: CVS server
• Use after free: using memory after it is freed
• Format string vulnerabilities
Integer Overflows (see Phrack 60)
Problem: what happens when int exceeds max value?
  int m;    (32 bits)
  short s;  (16 bits)
  char c;   (8 bits)
  c = 0x80 + 0x80 = 128 + 128 ⇒ c = 0
  s = 0xff80 + 0x80 ⇒ s = 0
  m = 0xffffff80 + 0x80 ⇒ m = 0
Can this be exploited?
An example
  void func(char *buf1, *buf2, unsigned int len1, len2) {
      char temp[256];
      if (len1 + len2 > 256) { return -1; }   // length check
      memcpy(temp, buf1, len1);               // cat buffers
      memcpy(temp + len1, buf2, len2);
      do-something(temp);                     // do stuff
  }
What if len1 = 0x80, len2 = 0xffffff80? ⇒ len1 + len2 = 0
Second memcpy() will overflow heap!!
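Added example (not from the slides): the slide's length check beside a hardened one, run on the slide's inputs len1 = 0x80 and len2 = 0xffffff80. TEMP_SIZE stands in for the 256-byte temp[]; it also re-checks the char/short/int wrap-around cases from the previous slide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TEMP_SIZE 256u   /* size of temp[] in the slide's func() */

/* The slide's length check in 32-bit unsigned arithmetic: the sum can
 * wrap around to a small value, so the check passes even though the two
 * memcpy() calls would write far more than TEMP_SIZE bytes.
 * Returns true when the input would be accepted. */
bool length_check_wrapping(uint32_t len1, uint32_t len2) {
    return (uint32_t)(len1 + len2) <= TEMP_SIZE;
}

/* Hardened check (added here, not from the slide): bound each length on
 * its own before combining them, so no intermediate value can wrap. */
bool length_check_safe(uint32_t len1, uint32_t len2) {
    if (len1 > TEMP_SIZE) return false;
    return len2 <= TEMP_SIZE - len1;   /* TEMP_SIZE - len1 cannot underflow here */
}

/* Alternative idiom: detect the wrap directly. Unsigned overflow is well
 * defined in C, so a sum smaller than one of its operands has wrapped. */
bool add_wraps_u32(uint32_t a, uint32_t b) {
    return (uint32_t)(a + b) < a;
}

/* The three wrap-around cases from the previous slide. */
bool narrow_types_wrap_to_zero(void) {
    uint8_t  c = (uint8_t)(0x80 + 0x80);             /* 128 + 128 */
    uint16_t s = (uint16_t)(0xff80 + 0x80);
    uint32_t m = (uint32_t)(0xffffff80u + 0x80u);
    return c == 0 && s == 0 && m == 0;
}

int main(void) {
    uint32_t len1 = 0x80u, len2 = 0xffffff80u;   /* the slide's inputs */
    printf("wrapping check accepts: %d\n", length_check_wrapping(len1, len2)); /* 1 */
    printf("hardened check accepts: %d\n", length_check_safe(len1, len2));     /* 0 */
    printf("sum wrapped:            %d\n", add_wraps_u32(len1, len2));          /* 1 */
    printf("narrow types wrap:      %d\n", narrow_types_wrap_to_zero());        /* 1 */
    return 0;
}
```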
Integer overflow exploit stats
(chart: number of integer overflow exploits per year, 1996 to 2006, y-axis 0 to 140) Source: NVD/CVE
Format string bugs
Format string problem
  int func(char *user) {
      fprintf(stderr, user);
  }
Problem: what if *user = "%s%s%s%s%s%s%s" ??
  – Most likely program will crash: DoS.
  – If not, program will print memory contents. Privacy?
  – Full exploit using user = "%n"
Correct form: fprintf(stdout, "%s", user);
Vulnerable functions
Any function using a format string.
  Printing: printf, fprintf, sprintf, … vprintf, vfprintf, vsprintf, …
  Logging: syslog, err, warn
Exploit
• Dumping arbitrary memory:
  – Walk up stack until desired pointer is found.
  – printf("%08x.%08x.%08x.%08x|%s|")
• Writing to arbitrary memory:
  – printf("hello %n", &temp) -- writes '6' into temp.
  – printf("%08x.%08x.%08x.%08x.%n")
Control Hijacking
Platform Defenses
Preventing hijacking attacks
1. Fix bugs:
  – Audit software
    • Automated tools: Coverity, Prefast/Prefix.
  – Rewrite software in a type safe language (Java, ML)
    • Difficult for existing (legacy) code…
2. Concede overflow, but prevent code execution
3. Add runtime code to detect overflow exploits
  – Halt process when overflow exploit detected
  – StackGuard, LibSafe, …
Marking memory as non-execute (DEP)
Prevent attack code execution by marking stack and heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott
  – NX bit in every Page Table Entry (PTE)
• Deployment:
  – Linux (via PaX project); OpenBSD
  – Windows: since XP SP2 (DEP)
    • Visual Studio: /NXCompat[:NO]
• Limitations:
  – Some apps need executable heap (e.g. JITs).
  – Does not defend against 'Return Oriented Programming' exploits
Examples: DEP controls in Windows (screenshot)
DEP terminating a program (screenshot)
Attack: Return Oriented Programming (ROP)
• Control hijacking without executing code
Figure: the stack (args, ret-addr, sfp, local buf) with the overwritten ret-addr pointing into libc.so at exec(); "/bin/sh" and printf() are also found in libc.so.
Response: randomization
• ASLR: (Address Space Layout Randomization)
  – Map shared libraries to rand location in process memory ⇒ Attacker cannot jump directly to exec function
  – Deployment: (/DynamicBase)
    • Windows 7: 8 bits of randomness for DLLs
      – aligned to 64K page in a 16MB region ⇒ 256 choices
    • Windows 8: 24 bits of randomness on 64-bit processors
• Other randomization methods:
  – Sys-call randomization: randomize sys-call id's
  – Instruction Set Randomization (ISR)
ASLR Example
Booting twice loads libraries into different locations: (screenshot)
Note: everything in process memory must be randomized: stack, heap, shared libs, base image
• Win 8 Force ASLR: ensures all loaded modules use ASLR
More attacks: JiT spraying
Idea: 1. Force Javascript JiT to fill heap with executable shellcode
      2. then point SFP anywhere in spray area
Figure: heap with a vtable pointer into several execute-enabled regions, each holding a NOP slide followed by shellcode.
Control Hijacking Defenses
Hardening the executable
Runtime checking: StackGuard
• Many run-time checking techniques…
  – we only discuss methods relevant to overflow protection
• Solution 1: StackGuard
  – Run time tests for stack integrity.
  – Embed "canaries" in stack frames and verify their integrity prior to function return.
Figure: two stack frames (Frame 1, Frame 2) from the top of the stack, each laid out as str, ret, sfp, canary, local.
Canary Types
• Random canary:
  – Random string chosen at program startup.
  – Insert canary string into every stack frame.
  – Verify canary before returning from function.
    • Exit program if canary changed. Turns potential exploit into DoS.
  – To corrupt, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
  – String functions will not copy beyond terminator.
  – Attacker cannot use string functions to corrupt stack.
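Added example (not from the slides, and not StackGuard's code): a byte-array model of one stack frame with the slide's layout (buffer, canary, sfp, ret) and the prologue/epilogue check, showing why an unchecked copy is caught with a random canary and why a terminator canary cannot be crossed by a string copy at all. The canary values and return address are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame laid out as on the slide, low to high addresses:
 * local buffer, canary, saved frame pointer, return address. An added
 * model of the StackGuard prologue/epilogue, not StackGuard's own code. */
enum { BUF_SIZE = 16, CANARY_OFF = 16, SFP_OFF = 20, RET_OFF = 24, FRAME_SIZE = 28 };
typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

/* Terminator canary from the slide, {0, newline, linefeed, EOF}: its
 * lowest byte is 0, exactly where any C string copy stops. */
static const unsigned char TERMINATOR_CANARY[4] = { 0x00, 0x0a, 0x0d, 0xff };
/* Stands in for the per-run random canary (constructed value). */
static const unsigned char RANDOM_CANARY[4] = { 0x7a, 0x3c, 0x91, 0xe5 };

static uint32_t load32(const frame_t *f, int off) { uint32_t v; memcpy(&v, f->bytes + off, 4); return v; }

/* Prologue: clear the buffer, plant the canary, record sfp and ret. */
void frame_enter(frame_t *f, const unsigned char canary[4], uint32_t ret) {
    uint32_t sfp = 0xbffff000u;   /* constructed sample value */
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, canary, 4);
    memcpy(f->bytes + SFP_OFF, &sfp, 4);
    memcpy(f->bytes + RET_OFF, &ret, 4);
}

/* Epilogue: the StackGuard test. true = frame intact, the function may
 * return; false = canary clobbered, the process would be halted. */
bool frame_canary_ok(const frame_t *f, const unsigned char canary[4]) {
    return memcmp(f->bytes + CANARY_OFF, canary, 4) == 0;
}

/* The unchecked strcpy() from func() on the earlier slide, byte by byte,
 * stopping after the NUL just as strcpy() does. The FRAME_SIZE bound only
 * keeps this simulation inside its own array; real strcpy() has none. */
void frame_strcpy(frame_t *f, const char *src) {
    for (size_t i = 0; i < FRAME_SIZE; i++) {
        f->bytes[i] = (unsigned char)src[i];
        if (src[i] == '\0') break;
    }
}

/* Input that fits: canary and return address untouched, check passes. */
bool short_input_passes_check(void) {
    frame_t f;
    frame_enter(&f, RANDOM_CANARY, 0x08048500u);
    frame_strcpy(&f, "hello");
    return frame_canary_ok(&f, RANDOM_CANARY) && load32(&f, RET_OFF) == 0x08048500u;
}

/* Overlong input against a random canary: the bytes landing on the canary
 * do not match it, so the epilogue catches the overflow before the
 * overwritten return address is ever used. */
bool random_canary_detects_overflow(void) {
    frame_t f;
    frame_enter(&f, RANDOM_CANARY, 0x08048500u);
    frame_strcpy(&f, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* 28 bytes: reaches ret */
    return load32(&f, RET_OFF) != 0x08048500u && !frame_canary_ok(&f, RANDOM_CANARY);
}

/* Terminator canary: a C string cannot contain the canary's leading 0
 * byte, so any copy long enough to reach sfp/ret necessarily puts a
 * non-zero byte on canary byte 0 and fails the check. */
bool terminator_canary_detects_overflow(void) {
    frame_t f;
    frame_enter(&f, TERMINATOR_CANARY, 0x08048500u);
    frame_strcpy(&f, "BBBBBBBBBBBBBBBBBBBBBBBBBBBB");   /* 28 bytes */
    return !frame_canary_ok(&f, TERMINATOR_CANARY);
}

/* A copy that stops exactly at the canary writes its NUL over the 0 byte
 * already there, so the frame stays valid: string functions cannot get
 * past the terminator canary without tripping the check. */
bool terminator_canary_survives_exact_fit(void) {
    frame_t f;
    frame_enter(&f, TERMINATOR_CANARY, 0x08048500u);
    frame_strcpy(&f, "BBBBBBBBBBBBBBBB");               /* 16 bytes + NUL */
    return frame_canary_ok(&f, TERMINATOR_CANARY) && load32(&f, RET_OFF) == 0x08048500u;
}

int main(void) {
    printf("short input passes:        %d\n", short_input_passes_check());
    printf("random canary detects:     %d\n", random_canary_detects_overflow());
    printf("terminator canary detects: %d\n", terminator_canary_detects_overflow());
    printf("exact fit keeps canary:    %d\n", terminator_canary_survives_exact_fit());
    return 0;
}
```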
StackGuard (Cont.)
• StackGuard implemented as a GCC patch
  – Program must be recompiled
• Minimal performance effects: 8% for Apache
• Note: Canaries do not provide full protection
  – Some stack smashing attacks leave canaries unchanged
• Heap protection: PointGuard
  – Protects function pointers and setjmp buffers by encrypting them: e.g. XOR with random cookie
  – Less effective, more noticeable performance effects
StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
  – Rearrange stack layout to prevent ptr overflow.
Figure (high to low; stack growth downward, string growth upward):
  args
  ret addr
  SFP
  CANARY
  local string buffers
  local non-buffer variables (pointers, but no arrays)
  copy of pointer args
Protects pointer args and local pointers from a buffer overflow
MS Visual Studio /GS [since 2003]
Compiler /GS option:
  – Combination of ProPolice and Random canary.
  – If cookie mismatch, default behavior is to call _exit(3)
Function prolog:
  sub  esp, 8                          // allocate 8 bytes for cookie
  mov  eax, DWORD PTR ___security_cookie
  xor  eax, esp                        // xor cookie with current esp
  mov  DWORD PTR [esp+8], eax          // save in stack
Function epilog:
  mov  ecx, DWORD PTR [esp+8]
  xor  ecx, esp
  call @__security_check_cookie@4
  add  esp, 8
Enhanced /GS in Visual Studio 2010:
  – /GS protection added to all functions, unless can be proven unnecessary
/GS stack frame
Figure (high to low; stack growth downward, string growth upward):
  args
  ret addr
  SFP
  exception handlers
  CANARY
  local string buffers
  local non-buffer variables (pointers, but no arrays)
  copy of pointer args
Canary protects ret-addr and exception handler frame
Evading /GS with exception handlers
• When exception is thrown, dispatcher walks up exception list until handler is found (else use default handler)
Figure: SEH frames linked by "next" pointers toward high memory (0xffffffff), each with a handler pointer; buf sits below them on the stack.
After overflow: handler points to attacker's code; exception triggered ⇒ control hijack
Main point: exception is triggered before canary is checked
Defenses: SAFESEH and SEHOP
• /SAFESEH: linker flag
  – Linker produces a binary with a table of safe exception handlers
  – System will not jump to exception handler not on list
• /SEHOP: platform defense (since win vista SP1)
  – Observation: SEH attacks typically corrupt the "next" entry in SEH list.
  – SEHOP: add a dummy record at top of SEH list
  – When exception occurs, dispatcher walks up list and verifies dummy record is there. If not, terminates process.
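Added example (not from the slides): a model of the SEHOP walk described above. The record layout, the NULL terminator (0xffffffff on the real list) and the handler functions are constructed for this illustration; it is not Windows' own structure or dispatcher code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the SEH registration list the slide describes: each frame has
 * a "next" link toward higher memory and a handler pointer, and the list
 * ends at a terminator (0xffffffff on Windows; NULL in this model). This
 * is an added illustration of the SEHOP walk, not Windows' structures. */
typedef void (*seh_handler)(void);
typedef struct seh_record {
    struct seh_record *next;
    seh_handler handler;
} seh_record;

static void final_handler(void) {}
static void app_handler_a(void) {}
static void app_handler_b(void) {}

/* The dummy record SEHOP appends at the top of the list. The dispatcher
 * expects every walk to end on exactly this record. */
static seh_record sehop_dummy = { NULL, final_handler };

/* Walk the chain from the innermost frame. Returns true only if the last
 * record before the terminator is the SEHOP dummy; a corrupted "next"
 * pointer (the corruption the slide describes) leads somewhere else, the
 * dummy is never reached, and the dispatcher terminates the process
 * instead of invoking any handler. max_depth guards against loops. */
bool sehop_chain_valid(const seh_record *head, size_t max_depth) {
    const seh_record *r = head;
    for (size_t depth = 0; depth < max_depth; depth++) {
        if (r == NULL) return false;                    /* ran off the list */
        if (r->next == NULL) return r == &sehop_dummy;  /* last record must be the dummy */
        r = r->next;
    }
    return false;                                       /* too long: loop or corruption */
}

/* Intact list: frame_b -> frame_a -> sehop_dummy -> terminator. */
bool intact_chain_passes(void) {
    seh_record frame_a = { &sehop_dummy, app_handler_a };
    seh_record frame_b = { &frame_a, app_handler_b };
    return sehop_chain_valid(&frame_b, 64);
}

/* After an overflow of a buffer below frame_b, its "next" field holds
 * data that no longer leads to the dummy record (modelled by a stray
 * record, a constructed stand-in for whatever the overflow wrote). */
bool corrupted_chain_fails(void) {
    seh_record stray = { NULL, app_handler_a };
    seh_record frame_b = { &stray, app_handler_b };     /* "next" overwritten */
    return !sehop_chain_valid(&frame_b, 64);
}

/* A "next" pointer redirected back onto an earlier frame would make a
 * naive walk spin forever; the depth bound turns that into a rejection. */
bool looped_chain_fails(void) {
    seh_record frame_a = { NULL, app_handler_a };
    seh_record frame_b = { &frame_a, app_handler_b };
    frame_a.next = &frame_b;                             /* cycle */
    return !sehop_chain_valid(&frame_b, 64);
}

int main(void) {
    printf("intact chain:    %s\n", intact_chain_passes() ? "dispatch allowed" : "terminated");
    printf("corrupted chain: %s\n", corrupted_chain_fails() ? "terminated" : "dispatch allowed");
    printf("looped chain:    %s\n", looped_chain_fails() ? "terminated" : "dispatch allowed");
    return 0;
}
```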
Summary: Canaries are not foolproof
• Canaries are an important defense tool, but do not prevent all control hijacking attacks:
  – Heap-based attacks still possible
  – Integer overflow attacks still possible
  – /GS by itself does not prevent Exception Handling attacks (also need SAFESEH and SEHOP)
What if can't recompile: Libsafe
• Solution 2: Libsafe (Avaya Labs)
  – Dynamically loaded library (no need to recompile app.)
  – Intercepts calls to strcpy (dest, src)
    • Validates sufficient space in current stack frame: |frame-pointer - dest| > strlen(src)
    • If so, does strcpy. Otherwise, terminates application
Figure (top of stack downward): the Libsafe strcpy frame (dest, src, ret-addr, sfp) sits above main's frame (buf, ret-addr, sfp); the check compares dest against main's frame pointer.
How robust is Libsafe?
strcpy() can overwrite a pointer between buf and sfp.
Figure (high memory at top, low memory at bottom): the Libsafe strcpy frame (dest, src, ret-addr, sfp) above main's frame (buf, ret-addr, sfp); a pointer stored between buf and sfp in main's frame is still within the space the check allows.
More methods…
• StackShield
  – At function prologue, copy return address RET and SFP to "safe" location (beginning of data segment)
  – Upon return, check that RET and SFP are equal to copy.
  – Implemented as assembler file processor (GCC)
• Control Flow Integrity (CFI)
  – A combination of static and dynamic checking
  – Statically determine program control flow
  – Dynamically enforce control flow integrity
Control Flow Guard (CFG) (Windows 10)
Poor man's version of CFI:
• Protects indirect calls by checking against a bitmask of all valid function entry points in executable
  – ensures target is the entry point of a function
• Does not prevent attacker from causing a jump to a valid wrong function
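Added example (not from the slides, and not the Windows implementation): a model of the CFG check in which a table of registered entry points stands in for the executable's bitmask. It shows a mid-function target being refused and the slide's limitation, a redirect to a different but valid entry point passing the check. The op_* functions and guarded_call are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the CFG check on the slide (an added illustration, not the
 * Windows implementation): an indirect call goes through only if its
 * target is a recorded function entry point. Windows keeps that set as a
 * bitmap over the image; a small table of registered entry points plays
 * the same role here. */
typedef int (*op_fn)(int);

static int op_double(int x)     { return 2 * x; }
static int op_negate(int x)     { return -x; }
static int op_privileged(int x) { return x + 1000; }   /* a valid entry point, but not the intended one */

#define MAX_TARGETS 8
static op_fn valid_targets[MAX_TARGETS];
static size_t n_valid = 0;

/* In a real binary this set comes from the executable's CFG metadata;
 * here the program registers the functions it calls indirectly. */
void cfg_reset(void) { n_valid = 0; }
void cfg_register(op_fn f) { if (n_valid < MAX_TARGETS) valid_targets[n_valid++] = f; }

bool cfg_is_valid_target(op_fn target) {
    for (size_t i = 0; i < n_valid; i++)
        if (valid_targets[i] == target) return true;
    return false;
}

/* The instrumented indirect call: check first, call only if the target is
 * a known entry point. On a failed check nothing is called and false is
 * returned (Windows would terminate the process at this point). */
bool guarded_call(op_fn target, int arg, int *out) {
    if (!cfg_is_valid_target(target)) return false;
    *out = target(arg);
    return true;
}

static void register_all(void) {
    cfg_reset();
    cfg_register(op_double);
    cfg_register(op_negate);
    cfg_register(op_privileged);
}

/* Normal use: the intended target is an entry point, the call proceeds. */
bool valid_target_allowed(void) {
    int out = 0;
    register_all();
    return guarded_call(op_double, 21, &out) && out == 42;
}

/* A function pointer corrupted to point into the middle of a function
 * (not an entry point, so absent from the table) is refused and never
 * called. The pointer is only compared, never dereferenced. */
bool mid_function_target_blocked(void) {
    int out = 0;
    register_all();
    op_fn corrupted = (op_fn)((uintptr_t)op_double + 3);   /* inside op_double */
    return !guarded_call(corrupted, 5, &out) && out == 0;
}

/* The slide's limitation: a pointer redirected to a different but valid
 * entry point passes the check, so CFG alone cannot tell a "valid wrong
 * function" from the right one. */
bool wrong_valid_function_not_detected(void) {
    int out = 0;
    register_all();
    return guarded_call(op_privileged, 5, &out) && out == 1005;
}

int main(void) {
    printf("valid target allowed:        %d\n", valid_target_allowed());
    printf("mid-function target blocked: %d\n", mid_function_target_blocked());
    printf("wrong valid function passes: %d\n", wrong_valid_function_not_detected());
    return 0;
}
```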
Control Hijacking
Advanced Hijacking Attacks
Heap Spray Attacks
A reliable method for exploiting heap overflows
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• Suppose vtable is on the heap next to a string object:
Figure: object T (vtable ptr, data) with its vtable (FP1, FP2, FP3 pointing to method #1, method #2, method #3); a string buffer buf[256] sits next to object T on the heap.
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• After overflow of buf we have:
Figure: the overflow from buf[256] has overwritten object T's vtable ptr so that it points at shellcode instead of the real vtable (FP1, FP2, FP3 → method #1, #2, #3).
A reliable exploit?
  <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    overflow-string = unescape("%u2332%u4276%...");
    cause-overflow(overflow-string);   // overflow buf[]
  </SCRIPT>
Problem: attacker does not know where browser places shellcode on the heap
Figure: buf[256] next to object T (ptr, data); where the shellcode lies on the heap, and so where the vtable ptr would have to point, is unknown (???).
Heap Spraying [SkyLined 2004]
Idea: 1. use Javascript to spray heap with shellcode (and NOP slides)
      2. then point vtable ptr anywhere in spray area
Figure: heap with the vtable ptr pointing into a heap spray area made of repeated NOP slide + shellcode blocks.
Javascript heap spraying
  var nop = unescape("%u9090%u9090");
  while (nop.length < 0x100000) nop += nop;
  var shellcode = unescape("%u4343%u4343%...");
  var x = new Array();
  for (i = 0; i < 1000; i++) {
      x[i] = nop + shellcode;
  }
• Pointing func-ptr almost anywhere in heap will cause shellcode to execute.
Vulnerable buffer placement
• Placing vulnerable buf[256] next to object O:
  – By sequence of Javascript allocations and frees make heap look as follows:
    Figure: heap consisting of object O blocks alternating with free blocks
  – Allocate vuln. buffer in Javascript and cause overflow
  – Successfully used against a Safari PCRE overflow [DHM'08]
Many heap spray exploits
(figure from [RLZ'08])
• Improvements: Heap Feng Shui [S'07]
  – Reliable heap exploits on IE without spraying
  – Gives attacker full control of IE heap from Javascript
(partial) Defenses
• Protect heap function pointers (e.g. PointGuard)
• Better browser architecture:
  – Store JavaScript strings in a separate heap from browser heap
• OpenBSD heap overflow protection:
  Figure: heap pages interleaved with non-writable pages; prevents cross-page overflows
• Nozzle [RLZ'08]: detect sprays by prevalence of code on heap
References on heap spraying
[1] Heap Feng Shui in Javascript, by A. Sotirov, Blackhat Europe 2007
[2] Engineering Heap Overflow Exploits with JavaScript, by M. Daniel, J. Honoroff, and C. Miller, WooT 2008
[3] Nozzle: A Defense Against Heap-spraying Code Injection Attacks, by P. Ratanaworabhan, B. Livshits, and B. Zorn
[4] Interpreter Exploitation: Pointer inference and JiT spraying, by Dion Blazakis
End of Segment