Address-Oblivious Code Reuse: On the Effectiveness of...
Transcript of Address-Oblivious Code Reuse: On the Effectiveness of...
![Page 1: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/1.jpg)
Robert Rudd1, Richard Skowyra1, David Bigelow1, Veer Dedhia1, Thomas Hobson1, Stephen Crane2, Christopher Liebchen4, Per Larsen3, Lucas Davi5, Michael Franz3,
Ahmad-Reza Sadeghi4, Hamed Okhravi1
1: MIT Lincoln Laboratory 2: Immunant, Inc. 3: UC Irvine 4: TU Darmstadt 5: University of Duisburg-Essen
Address-Oblivious Code Reuse: On the Effectiveness of Leakage-Resilient Diversity
This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.
© 2016 Massachusetts Institute of Technology. Delivered to the US Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.
![Page 2: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/2.jpg)
2
• Code diversity techniques are vulnerable to information leakage
• Recent leakage-resilient techniques employ “execute-only” memory
permissions to prevent information leakage
• We present a generic type of attack called Address-Oblivious Code
Reuse (AOCR) that can bypass recent leakage-resilient techniques
• We provide 3 real-world exploits
Bottom-Line Upfront
![Page 3: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/3.jpg)
3
Memory Corruption Attacks
Spatial Memory Violation Temporal Memory Violation
Heap
Buffer
Function Pointer
Attacker
Heap
Object Function Pointer
Attacker
![Page 4: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/4.jpg)
4
Code Diversification Techniques
Address Space Layout Randomization (ASLR)
Heap
Stack
Libraries
Program Image
Source Code
Compiler
Diverse binaries
Diversifier
Diverse binaries
Binary
Compile-Time Diversity Binary Rewriting †
‡ J. Hiser, et al. "ILR: Where'd My Gadgets Go?.” IEEE S&P, 2012
† T. Jackson, et al. "Compiler-generated software diversity." Moving Target Defense. Springer, 2011
‡
Heap
Stack
Libraries
Program Image
Heap
Stack
Libraries
Program Image
![Page 5: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/5.jpg)
5
Information Leakage (Direct Memory Disclosure)
Diversified Code Attacker
Buffer
![Page 6: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/6.jpg)
6
Information Leakage (Indirect Memory Disclosure)
Code
Attacker Code
Code
Code
Stack
*fptr 1
ret
![Page 7: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/7.jpg)
7
Memory Permissions
Diversified Code
Data
Readable Executable
(RX)
Readable Writable
(RW)
![Page 8: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/8.jpg)
8
Leakage Resilient Diversity
Diversified Code
Data
Executable Only (X)
Readable Writable
(RW)
Attacker Direct Leakage
![Page 9: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/9.jpg)
9
Indirect Leakage Prevention
Diversified Code
Executable Only (X)
Readable Writable
(RW)
Diversified Code
Stack
Executable Only (X)
Readable Writable
(RW)
Indirect code pointer
Stack
Trampoline
Diversified Code
Trampoline
*fptr 1
![Page 10: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/10.jpg)
10
• Indirect code pointers create a surrogate for code
• Can attackers reuse code at the granularity of indirect code pointers?
• Can they accurately identify the corresponding functions?
• Can they chain indirect code pointers together?
Research Questions
![Page 11: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/11.jpg)
11
• Goal: identify the function corresponding to each indirect code pointer
Profiling Indirect Code Pointers
Diversified Code
Stack
*open()
Attacker’s Local Copy of Target Application
Attacker
Diversified Code
Stack
Executable Only (X)
Readable Writable
(RW) icptr
Trampoline
Remote Target Application
Leakage *open() icptr
≡
![Page 12: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/12.jpg)
12
Address-Oblivious Code Reuse
Diversified Code
Stack
Executable Only (X)
Readable Writable
(RW)
icptr
Trampoline
Remote Target Application
Trampoline
Address-Oblivious Code Reuse (AOCR) Gadget
Diversified Code
![Page 13: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/13.jpg)
13
Accurate Profiling
Stack
Readable Writable
(RW)
icptr 1
Remote Target Application
Is it too volatile? icptr 2
icptr 3
icptr 4
icptr 5
![Page 14: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/14.jpg)
14
Accurate Profiling using Malicious Thread Blocking (MTB)
time
• A thread can force another threat to halt by maliciously setting a mutex • Mutexes are readily accessible is memory
Thread A
Thread B
Maliciously blocked with stable stack!
![Page 15: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/15.jpg)
15
Chaining Gadgets Together using Malicious Loop Redirection (MLR)
while (task) {! task->fptr(task->arg);! task = task->next;!}!
Data
X
RW
Func tramp 1
fptr arg next
fptr arg next
Func tramp 2
Normal Loop Maliciously Redirected Loop
Data
X
RW
Func tramp 1
Func tramp 2
Write tramp
Open tramp
… …
fptr arg next
fptr arg next
![Page 16: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/16.jpg)
16
1. Locate a mutex for MTB
2. Profile an indirect code pointer for open (1st AOCR gadget)
3. Profile an indirect code pointer for _IO_new_file_overflow (2nd AOCR gadget)
4. Corrupt Nginx’s task queue to call our profiled trampolines using MLR
Nginx Proof-of-Concept Exploit
![Page 17: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/17.jpg)
17
• Forged Direct Memory Access (FDMA) – A malicious application forges a software-based DMA call to kernel
– Uses O_DIRECT flag in Linux
– DMA request bypasses memory permissions
• Procfs – Ubiquitous facility in Linux
– Provides memory maps and addresses
– Blocking it breaks many benign applications
– Protections such as GRSecurity’s permissions will not block it
Implementation Challenges of Execute-Only Permissions
![Page 18: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/18.jpg)
18
Impact on Leakage-Resilient Diversity Techniques
Direct Leak Indirect Leak TLB-mediated
(Buffer Overread) Non-TLB-mediated
(Forged DMA) Code Pointer Leak (Ret address leak)
Indirect Code Pointer Leak (AOCR)
PointGuard
Oxymoron
Isomeron
XnR
HideM
Readactor
Heisenbyte
NEAR
ASLR-Guard
TASR
![Page 19: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/19.jpg)
19
• Complete memory safety
• Data randomization
• Authentication of indirect calls and returns
– Use HMAC tokens to disallow redirection of indirect code pointers
– Similar to cryptographically-enforced CFI (CCFI)
Possible Countermeasures
![Page 20: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/20.jpg)
20
• Code pointers pose a major challenge to leakage-resilient diversity
• AOCR attacks bypass code pointer obfuscation by profiling indirect code pointers
• Malicious threat blocking (MTB) allows accurate profiling
• Malicious loop redirection (MLR) allows chaining AOCR gadgets
• Effective defenses should incorporate aspects of diversification and enforcement
Conclusion
![Page 21: Address-Oblivious Code Reuse: On the Effectiveness of ...wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/...Corrupt Nginx’s task queue to call our profiled trampolines](https://reader031.fdocuments.in/reader031/viewer/2022022523/5b3a755d7f8b9a1a678daaae/html5/thumbnails/21.jpg)
21
Questions?