Framing Signals: A Return to Portable Shellcode
Erik Bosman and Herbert Bos
Vrije Universiteit, Amsterdam
35th IEEE Symposium on Security and Privacy (May 2014)
Best Student Paper Award
A Seminar at Advanced Defense Lab
Outline
• Introduction
• Signal Delivery on UNIX Systems
• SROP
• Turing-Complete Interpreter
• Mitigation
2014/6/16
Introduction
[Figure: system, kernel and application, split across kernel space and user space. System calls and interrupts enter the kernel; signals go from the kernel to the application.]
In This Paper…
• While each flavor handles signals in slightly different ways, the different implementations are all very similar.
• We show that the implementation can be used as an attack method in exploits and backdoors.
Stack Smashing Attacks
• But…
• W^X (OpenBSD)
• Exec Shield (Linux)
• DEP (Windows)
[Figure: classic stack smashing. A stack buffer is overflowed with shellcode and the saved return address is overwritten to point at it.]
Code Reuse Attacks
[Figure: code reuse. The stack holds the buffer followed by a chain of return addresses, each pointing into existing executable code.]
Ret-to-libc vs. ROP vs. SROP

                      Ret-to-libc                 ROP/JOP                  SROP
Complexity            Few function addresses      Many gadgets             Few gadgets
Code source           Only functions in library   Any executable segment   As ROP
To defeat ASLR        Information leak, or        Information leak         As ROP
                      non-randomized library
To change shellcode   Easy                        Hard                     Easy
Signal Delivery on Early UNIX Systems
[Figure: signal delivery on early UNIX. Code side: user code (signal handler, signal dispatcher) and kernel code. Stack side: the signal frame, made up of the user context, the signal parameters and a return address; ip and sp mark the interrupted instruction pointer and stack pointer.]
sigreturn system call (4.3BSD)
[Figure: the same stack and code layout with the sigreturn system call. When the handler returns, the return address in the signal frame leads to code that invokes sigreturn, which restores the user context from the frame; ip and sp are shown at each step.]
SROP
[Figure: SROP drawn on the same stack and code layout: signal frame (user context, signal parameters, return address), signal handler and dispatcher, kernel code, the "Invoke sigreturn" step, and the ip and sp markers.]
An example of a sigreturn chain in SROP
[Figure: a sigreturn chain.]
Stack (two fake signal frames, top to bottom):
  Ret: sigreturn
  rip: syscall, rax: sys_yyy number, other registers: syscall arguments
  Ret: sigreturn
  rip: syscall, rax: sys_xxx number, other registers: syscall arguments
Code:
  mov sigreturn, %rax
  syscall
  ret
Each sigreturn moves sp to the next frame and loads ip and rax from it: rax holds sigreturn, then sys_xxx, then sys_yyy, while ip alternates between the sigreturn gadget and the syscall.
SROP Pre-conditions
• The attacker should have control over the instruction pointer.
• The stack pointer should be located on attacker controlled data and NULL bytes must be allowed.
• The attacker knows the address of a piece of data controlled by the attacker.
• The attacker knows the location of code calling sigreturn, or syscall.
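The property the signal-delivery slides and the sigreturn chain rely on is that the kernel pushes the user context onto the user stack and, on sigreturn, restores every register from whatever that memory holds. The following Linux x86-64 C program is an added example, not code from the paper or the seminar: a SIGILL handler inspects the frame the kernel delivered and edits it, and the edited values are what sigreturn restores. The handler name, the use of ud2 to raise the signal and the value 0x1337 are this example's own choices.

```c
#define _GNU_SOURCE                 /* for the REG_* indices in <sys/ucontext.h> */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Linux x86-64 only. Facts the handler records about the frame it received. */
static volatile int frame_below_interrupted_sp = -1;
static volatile uint64_t interrupted_rip = 0;

static void on_sigill(int sig, siginfo_t *si, void *ctx_v) {
    ucontext_t *uc = (ucontext_t *)ctx_v;   /* the "User Context" part of the signal frame */
    (void)sig; (void)si;
    /* The kernel pushed this frame onto the user stack, below the interrupted RSP. */
    frame_below_interrupted_sp = (uintptr_t)uc < (uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    interrupted_rip = (uint64_t)uc->uc_mcontext.gregs[REG_RIP];
    /* sigreturn restores exactly what the frame holds; nothing authenticates it.
       Skip the 2-byte ud2 so execution continues, and plant a value in R12. */
    uc->uc_mcontext.gregs[REG_RIP] += 2;
    uc->uc_mcontext.gregs[REG_R12] = 0x1337;
}

int install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigill;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGILL, &sa, NULL);
}

/* Clears R12, raises SIGILL with ud2, returns R12 as restored by sigreturn (0x1337). */
uint64_t r12_after_sigreturn(void) {
    uint64_t r12;
    __asm__ volatile("xor %%r12d, %%r12d\n\tud2\n\tmov %%r12, %0"
                     : "=r"(r12) : : "r12", "memory");
    return r12;
}

int frame_was_on_user_stack(void) { return frame_below_interrupted_sp; }

/* The saved RIP in the frame pointed at the ud2 (bytes 0F 0B) that raised the signal. */
int saved_rip_pointed_at_ud2(void) {
    const uint8_t *p = (const uint8_t *)(uintptr_t)interrupted_rip;
    return p[0] == 0x0f && p[1] == 0x0b;
}

int main(void) {
    if (install_handler() != 0) return 1;
    unsigned long long r12 = r12_after_sigreturn();   /* runs the handler first */
    printf("r12=0x%llx frame_on_user_stack=%d saved_rip_at_ud2=%d\n", r12,
           frame_was_on_user_stack(), saved_rip_pointed_at_ud2());
    return 0;
}
```

SROP supplies such a frame itself, so no handler ever runs; the restored registers are whatever the attacker-controlled stack data says they are, which is why the pre-conditions above only require a controlled stack and a known sigreturn or syscall location.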