Defeating Instruction Set Randomization Nora Sovarel
-
Upload
eagan-thomas -
Category
Documents
-
view
31 -
download
0
description
Transcript of Defeating Instruction Set Randomization Nora Sovarel
Defeating Instruction Set Randomization
Nora Sovarel
Buffer Overflow
●“the vulnerability of the decade”●Known since 1998●Lots of defenses proposed
● Non-Executable Buffers● Array Bounds checking● Address Space Layout Randomization● StackGuard/PointGuard● Instruction Set Randomization
Why is still an issue in 2004?
I don’t know
Maybe, lack of interest…Maybe, none of the defences is good
enough…
What about Instruction Set Randomization?
Attack String - execve
[BUFFER OVERFLOWS DEMYSTIFIED, by [email protected]]
"\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */;
Instruction Set Randomization
31 ^ 12 => 23c0 ^ ac => 6c50 ^ 7d => 2d68 ^ 9c => f42f ^ a2 => 8d2f ^ 55 => 7a73 ^ 38 => 4b68 ^ cc => a468 ^ 31 => 592f ^ 0c => 2362 ^ 7d => 1f69 ^ 91 => f8
6e ^ 82 => ec89 ^ ac => 25e3 ^ 03 => e050 ^ bc => ec53 ^ 90 => c389 ^ ac => 25e1 ^ 7d => 9c99 ^ 97 => 0eb0 ^ a2 => 120b ^ 0c => 07cd ^ 90 => 5d80 ^ dc => 5c
Instruction Set Randomization
Code Actually Executed23 6c 2d f4 and 0xfffffff4(%ebp,%ebp,1),%ebp
8d 7a 4b lea 0x4b(%edx),%edi
a4 movsb %ds:(%esi),%es:(%edi)
59 pop %ecx
23 1f and (%edi),%ebx
f8 clc
ec in (%dx),%al
25 e0 ec c3 25 and $0x25c3ece0,%eax
9c pushf
0e push %cs
12 07 adc (%edi),%al
5d pop %ebp
5c pop %esp
00 00 add %al,(%eax)
Code Intended to Be Executed
31 c0 xor %eax,%eax
50 push %eax
68 2f 2f 73 68 push $0x68732f2f
68 2f 62 69 6e push $0x6e69622f
89 e3 mov %esp,%ebx
50 push %eax
53 push %ebx
89 e1 mov %esp,%ecx
99 cltd
b0 0b mov $0xb,%al
cd 80 int $0x80
Can the key be guessed?
32 bit key => 4,294,967,296 possibilities
32 bit key, guess 16 bits and 16 bits => 2 * 65,536 = 131,072 possibilities
32 bit key, guess 8 bits at a time => 4 * 256 = 1,024 possibilities
Problems
[Randomized instruction set emulation to disrupt binary code injection attacks, Barrantes & all]
Solutions
Use a 16 or 8 bits instruction
Notice a good guess– Infinite loop– Normal behavior
Infinite Loop
Use jump near – two bytes instruction
Advantage● Can be used against any application
with a buffer overflow vulnerability
Disadvantage● Large number of possibilities
Normal Behavior
Use ret – one byte instruction
Advantage● Very fast – 256 tries at most
Disadvantages● Needs a response from application ● Needs special conditions to work
Assumptions
Use TCP to connect
Same randomization key for each restartorSame randomization key for all forked
processes
Jump Attack
Ret Attack
Instructions executedleave ; restores ebpret ; normal return from functionret ; injected instruction
Results
● Simple application with a buffer overflow vulnerability
● ISR implementation uses the same key for each forked process
● Ret attack works and guesses the key most of the times
● Jump attack– Works when checks one key at each run– Unexpected behavior after a large number of tries
Future Work
● Fix the jump attack to guess the key
● Attack a real application with a buffer overflow vulnerability
● Attack a real ISR implementation
Conclusions
● Under the specified assumptions the attack is possible
● x86 arhitecture helps the attacker
● Infinite loops are sometimes useful