Lecture Slides - trust.informatik.tu-darmstadt.de · A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Slide...
-
Upload
nguyenkhuong -
Category
Documents
-
view
215 -
download
3
Transcript of Lecture Slides - trust.informatik.tu-darmstadt.de · A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Slide...
Slide Nr. 2, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Lecture Slides
1. Background on Runtime Attacks
2. Code Injection Attacks: Conventional Buffer Overflow
3. Code Reuse Attacks
I. return-into-libc
II. Return-Oriented Programming
4. Countermeasures Against Runtime Attacks
Exercises 1. Theoretical Exercise on Buffer Overflows
2. Practical Lab on Code Injection Attacks
3. Practical Lab on Code Reuse Attacks
Slide Nr. 3, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious
code
Reasons for runtime attacks Software is written in unsafe languages such as C/C++ Thus, it suffers from various memory-related
vulnerabilities
Most prominent example: Buffer overflow Are known for 2 decades Various techniques to exploit buffer overflow
vulnerabilities have been developed (e.g., Stack Smashing, Heap Overflow, Integer Overflow, Format String)
Slide Nr. 4, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
General Principle of Runtime Attacks
4
Slide Nr. 5, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
entry ins, ins, ins, … exit
BBL 1
entry ins, ins, ins, … exit
BBL 3
entry ins, ins, ins, … exit
BBL 2
entry ins, ins, ins, … exit
BBL 4
entry ins, ins, ins, … exit
BBL 5
Entry: Any instruction that is target of a branch (e.g., first instruction of a function) Exit: Any branch (e.g., indirect or direct jump/call, return)
Slide Nr. 6, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
entry ins, ins, ins, … exit
BBL 1
entry ins, ins, ins, … exit
BBL 3
entry ins, ins, ins, … exit
BBL 2
entry ins, ins, ins, … exit
BBL 4
Shellcode
Malicious Code
Instruction Sequences Library Functions
Library Code
entry ins, ins, ins, … exit
BBL 5
1
2
Entry: Any instruction that is target of a branch (e.g., first instruction of a function) Exit: Any branch (e.g., indirect or direct jump/call, return)
Code Injection Attacks
Code Reuse Attacks
Slide Nr. 7, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Goal of Runtime Attacks (based on code injection) Subvert the usual execution flow of a program by redirecting it
to injected (malicious) code
The attack consists of two steps 1. injecting new (malicious) code into some writable memory
area, 2. and changing a code pointer (usually the return address) in
such a way that it points to the injected malicious code
Code Injection Code can be injected by overflowing a local buffer allocated on
the stack The target of the injected code is usually to launch a shell to
the adversary Therefore the injected code is often referred to as shellcode
Slide Nr. 8, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Some Background before we go into the details of runtime attacks
8
Slide Nr. 9, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
To understand how a buffer overflow attack works, we take a deeper look at the stack frame and the main relevant x86 CPU registers
Slide Nr. 10, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
General-Purpose Registers Bit 0 Bit 31
EAX
EBX
ECX
EDX
ESI
EDI
EBP
ESP
EFLAGS
EIP
Program Status and Control Register
Instruction Pointer
32-bit pointer to the next instruction to be executed
status of the program being executed (e.g., carry, parity, zero, overflow flag)
Stack Pointer
Base Pointer (Pointer to data on the stack)
Destination index pointer for string operations
Source index pointer for string operations
Data register: I/O Pointer
Counter register: counter for loop/string operations
Base Register: base pointer for memory access
Accumulator Register
Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture http://download.intel.com/products/processor/manual/253665.pdf
Slide Nr. 11, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Stack Pointer (ESP)
Function Arguments
Return Address
Saved Base Pointer
Stack Frame
High Addresses
Low Addresses
Stack grows
downwards
Local Variables
Base Pointer (EBP)
The EBP register is used to reference function
arguments and local variables
The ESP register holds the stack pointer and always points to the last element
on the stack
Stack
Slide Nr. 12, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Stack is a last in, first out (LIFO) memory area where the Stack Pointer (ESP) points to the last stored element on the stack
Typically, the stack grows downwards The stack can be accessed by two basic operations
1. PUSH elements onto the stack (ESP is decremented) 2. POP elements off the stack (ESP is incremented)
Stack is divided into individual stack frames Each function call sets up a new stack frame on top of the stack 1. Function arguments
Arguments provided by the caller of the function
2. Return address Upon function return (i.e., a return instruction is issued), control transfers to the
code pointed to by the return address (i.e., control transfers back to the caller of the function)
3. Saved Base Pointer Base pointer of the calling function
4. Local variables Variables that the called function uses internally
Slide Nr. 13, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Function call perfomed via the x86 CALL instruction
E.g., CALL Function_A
Code
Instruction, … CALL Function_A Instruction, …
<main>:
Instruction, … RET
<Function_A>:
Stack
… ESP
Slide Nr. 14, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Function call perfomed via the x86 CALL instruction
E.g., CALL Function_A
The CALL instruction automatically pushes the return address on the stack, while the return address is simply the instruction preceding the call
Code
Instruction, … CALL Function_A Instruction, …
<main>:
Instruction, … RET
<Function_A>:
Stack
ESP
…
Return Address
Slide Nr. 15, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Function call perfomed via the x86 CALL instruction E.g., CALL Function_A The CALL instruction automatically
pushes the return address on the stack, while the return address simply points to the instruction preceding the call
Function return is performed via the x86 RET instruction The RET instruction pops the
return address off the stack and loads it into the instruction pointer (EIP)
Hence, the execution will continue in the main function
Code
Instruction, … CALL Function_A Instruction, …
<main>:
Instruction, … RET
<Function_A>:
Stack
…
Return Address ESP
Slide Nr. 16, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
PUSH %ebp MOV %ebp,%esp
<Function_A>:
ESP
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 17, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
PUSH %ebp MOV %ebp,%esp
<Function_A>:
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
Saved Base Pointer ESP
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 18, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue MOV %ebp,%esp
<Function_A>:
Saved Base Pointer ESP
Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
Initialize new Base Pointer
PUSH %ebp MOV %ebp,%esp
EBP
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 19, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
<Function_A>:
Saved Base Pointer Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
PUSH %ebp
EBP
Initialize new Base Pointer
Reserve Space for Local Variables (here: 16 Bytes)
MOV %ebp,%esp
Local Variables ESP
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 20, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
<Function_A>:
Saved Base Pointer Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
PUSH %ebp
EBP
Initialize new Base Pointer
Reserve Space for Local Variables (here: 16 Bytes)
MOV %ebp,%esp
Local Variables ESP
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 21, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
<Function_A>:
Saved Base Pointer Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
PUSH %ebp
EBP
Initialize new Base Pointer
Reserve Space for Local Variables (here: 16 Bytes)
MOV %ebp,%esp
Local Variables
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Set Stack Pointer (ESP) to the location where the Saved Base Pointer is stored
ESP
Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP
Slide Nr. 22, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
<Function_A>:
Saved Base Pointer Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
PUSH %ebp
EBP <= Saved Base Pointer
Initialize new Base Pointer
Reserve Space for Local Variables (here: 16 Bytes)
MOV %ebp,%esp
Local Variables
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Set Stack Pointer (ESP) to the location where the Saved Base Pointer is stored
Load Saved Based Pointer to the Base Pointer Register
ESP
Slide Nr. 23, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Function Arguments
Return Address
<Function_A>:
Function Prologue Instruction, … Function Epilogue
<Function_A>:
Saved Base Pointer Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer)
PUSH %ebp
Program returns to the caller
Initialize new Base Pointer
Reserve Space for Local Variables (here: 16 Bytes)
MOV %ebp,%esp
Local Variables
SUB %esp, 16 Instruction, … MOV %esp,%ebp POP %ebp RET
Set Stack Pointer (ESP) to the location where the Saved Base Pointer is stored
Load Saved Based Pointer to the Base Pointer Register
Issue Return to Caller
ESP
Slide Nr. 24, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
The purpose of the function prologue is to backup selected registers, and to reserve space for local variables
On Intel x86 (Notation: destination register is the first operand)
Note: When the function is entered the stack pointer points to the return address of the function
Store Save Base Pointer on the stack: PUSH %ebp
Initialize Base Pointer of the called function with the current value of the Stack Pointer: MOV %ebp,%esp
Reserve space for local variables (e.g.,12 Bytes): SUB %esp,12
Slide Nr. 25, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
The purpose of the function epilogue is to set the Stack Pointer back to its original state, to restore selected registers, and to issue the return
Reset the Stack Pointer (by loading it with %ebp): MOV %esp, %ebp
Restore the caller‘s Base Pointer: POP %ebp
Pop the return address from the stack and return back to the caller: RET
Slide Nr. 26, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
First Attack Technique: Code Injection Attack (Conventional Buffer Overflow Attack)
26
Slide Nr. 27, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Simple Echo program suffering from a stack overflow vulnerability
The gets() function does not provide bounds checking
Slide Nr. 28, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Launching a buffer overflow attack against the vulnerable program
28
Slide Nr. 29, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
<main>:
Slide Nr. 30, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
Return Address ESP
<main>:
Function Prologue CALL gets(buffer), … RET
<echo>:
Slide Nr. 31, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
Return Address Saved Base Pointer
Local Buffer Buffer[80]
ESP
<main>:
Function Prologue CALL gets(buffer), … RET
<echo>:
Slide Nr. 32, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Corrupt Control
Structures
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
Return Address Saved Base Pointer
Local Buffer Buffer[80]
ESP
SHELLCODE
PATTERN NEW RETURN ADDR
<main>:
Function Prologue CALL gets(buffer), … RET
<echo>:
Slide Nr. 33, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
Return Address Saved Base Pointer
Local Buffer Buffer[80]
ESP
SHELLCODE
PATTERN NEW RETURN ADDR
echo() now returns!
<main>:
Function Prologue CALL gets(buffer), … RET
<echo>:
Slide Nr. 34, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Code
Stack
Program Memory
Adversary
Instruction, … CALL echo() Instruction, … CALL printf(), …
Return Address Saved Base Pointer
Local Buffer Buffer[80]
SHELLCODE
PATTERN NEW RETURN ADDR
Shellcode executes
<main>:
Function Prologue CALL gets(buffer), … RET
<echo>:
ESP
Slide Nr. 35, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
Why the attack is possible? The gets() function provides no bounds-checking C/C++ includes various functions providing no bounds-
checking, e.g., strcpy(): Copies a string into a buffer strcat(): Concatenates two strings scanf(): Read data from stdin (Standard Input)
General defense against code injection attacks is W ^ X (Writable Xor Executable) With W ^ X memory pages can be either marked writable
or executable Stack is marked writable Hence, the adversary can only inject his malicious code,
but cannot execute it
Slide Nr. 36, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Runtime Attacks
How to bypass W ^ X?
36