Robert Rudd1, Richard Skowyra1, David Bigelow1, Veer Dedhia1, Thomas Hobson1, Stephen Crane2, Christopher Liebchen4, Per Larsen3, Lucas Davi5, Michael Franz3,

Ahmad-Reza Sadeghi4, Hamed Okhravi1

1: MIT Lincoln Laboratory 2: Immunant, Inc. 3: UC Irvine 4: TU Darmstadt 5: University of Duisburg-Essen

Address-Oblivious Code Reuse: On the Effectiveness of Leakage-Resilient Diversity

This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.

© 2016 Massachusetts Institute of Technology. Delivered to the US Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

2

•  Code diversity techniques are vulnerable to information leakage

•  Recent leakage-resilient techniques employ “execute-only” memory

permissions to prevent information leakage

•  We present a generic type of attack called Address-Oblivious Code

Reuse (AOCR) that can bypass recent leakage-resilient techniques

•  We provide 3 real-world exploits

Bottom-Line Upfront

3

Memory Corruption Attacks

Spatial Memory Violation Temporal Memory Violation

Heap

Buffer

Function Pointer

Attacker

Heap

Object Function Pointer

Attacker

4

Code Diversification Techniques

Address Space Layout Randomization (ASLR)

Heap

Stack

Libraries

Program Image

Source Code

Compiler

Diverse binaries

Diversifier

Diverse binaries

Binary

Compile-Time Diversity Binary Rewriting †

‡ J. Hiser, et al. "ILR: Where'd My Gadgets Go?.” IEEE S&P, 2012

† T. Jackson, et al. "Compiler-generated software diversity." Moving Target Defense. Springer, 2011

‡

Heap

Stack

Libraries

Program Image

Heap

Stack

Libraries

Program Image

5

Information Leakage (Direct Memory Disclosure)

Diversified Code Attacker

Buffer

6

Information Leakage (Indirect Memory Disclosure)

Code

Attacker Code

Code

Code

Stack

*fptr 1

ret

7

Memory Permissions

Diversified Code

Data

Readable Executable

(RX)

Readable Writable

(RW)

8

Leakage Resilient Diversity

Diversified Code

Data

Executable Only (X)

Readable Writable

(RW)

Attacker Direct Leakage

9

Indirect Leakage Prevention

Diversified Code

Executable Only (X)

Readable Writable

(RW)

Diversified Code

Stack

Executable Only (X)

Readable Writable

(RW)

Indirect code pointer

Stack

Trampoline

Diversified Code

Trampoline

*fptr 1

10

•  Indirect code pointers create a surrogate for code

•  Can attackers reuse code at the granularity of indirect code pointers?

•  Can they accurately identify the corresponding functions?

•  Can they chain indirect code pointers together?

Research Questions

11

•  Goal: identify the function corresponding to each indirect code pointer

Profiling Indirect Code Pointers

Diversified Code

Stack

*open()

Attacker’s Local Copy of Target Application

Attacker

Diversified Code

Stack

Executable Only (X)

Readable Writable

(RW) icptr

Trampoline

Remote Target Application

Leakage *open() icptr

≡

12

Address-Oblivious Code Reuse

Diversified Code

Stack

Executable Only (X)

Readable Writable

(RW)

icptr

Trampoline

Remote Target Application

Trampoline

Address-Oblivious Code Reuse (AOCR) Gadget

Diversified Code

13

Accurate Profiling

Stack

Readable Writable

(RW)

icptr 1

Remote Target Application

Is it too volatile? icptr 2

icptr 3

icptr 4

icptr 5

14

Accurate Profiling using Malicious Thread Blocking (MTB)

time

•  A thread can force another threat to halt by maliciously setting a mutex •  Mutexes are readily accessible is memory

Thread A

Thread B

Maliciously blocked with stable stack!

15

Chaining Gadgets Together using Malicious Loop Redirection (MLR)

while (task) {! task->fptr(task->arg);! task = task->next;!}!

Data

X

RW

Func tramp 1

fptr arg next

fptr arg next

Func tramp 2

Normal Loop Maliciously Redirected Loop

Data

X

RW

Func tramp 1

Func tramp 2

Write tramp

Open tramp

… …

fptr arg next

fptr arg next

16

1.  Locate a mutex for MTB

2.  Profile an indirect code pointer for open (1st AOCR gadget)

3.  Profile an indirect code pointer for _IO_new_file_overflow (2nd AOCR gadget)

4.  Corrupt Nginx’s task queue to call our profiled trampolines using MLR

Nginx Proof-of-Concept Exploit

17

•  Forged Direct Memory Access (FDMA) –  A malicious application forges a software-based DMA call to kernel

–  Uses O_DIRECT flag in Linux

–  DMA request bypasses memory permissions

•  Procfs –  Ubiquitous facility in Linux

–  Provides memory maps and addresses

–  Blocking it breaks many benign applications

–  Protections such as GRSecurity’s permissions will not block it

Implementation Challenges of Execute-Only Permissions

18

Impact on Leakage-Resilient Diversity Techniques

Direct Leak Indirect Leak TLB-mediated

(Buffer Overread) Non-TLB-mediated

(Forged DMA) Code Pointer Leak (Ret address leak)

Indirect Code Pointer Leak (AOCR)

PointGuard

Oxymoron

Isomeron

XnR

HideM

Readactor

Heisenbyte

NEAR

ASLR-Guard

TASR

19

•  Complete memory safety

•  Data randomization

•  Authentication of indirect calls and returns

–  Use HMAC tokens to disallow redirection of indirect code pointers

–  Similar to cryptographically-enforced CFI (CCFI)

Possible Countermeasures

20

•  Code pointers pose a major challenge to leakage-resilient diversity

•  AOCR attacks bypass code pointer obfuscation by profiling indirect code pointers

•  Malicious threat blocking (MTB) allows accurate profiling

•  Malicious loop redirection (MLR) allows chaining AOCR gadgets

•  Effective defenses should incorporate aspects of diversification and enforcement

Conclusion

21

Questions?