Defending against Return-Oriented Programming Vasilis Pappas Columbia University.
Return Oriented Programming - TAU
Transcript of Return Oriented Programming - TAU
![Page 1: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/1.jpg)
Introduction to Information SecurityReturn Oriented Programming
1
![Page 2: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/2.jpg)
Motivation: Data Execution Prevention
Write xor Execute: Write and execute permissions become mutually exclusive
![Page 3: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/3.jpg)
Return Oriented Programming
• What does it mean ?
• Return oriented programming is a different way to control the flow of EIP (or code) in a program• Instead of controlling EIP directly, we control it indirectly.
• Many slides in this presentation were taken as is from:
Return-oriented Programming: Exploitation without Code Injection
By Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham from the University of California, San Diego
• http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf
![Page 4: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/4.jpg)
![Page 5: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/5.jpg)
Getting started
• We need control of memory around %esp
• Option #1- Rewrite stack:• Buffer overflow on stack
• Format string vuln to rewrite stack contents
• Other
• Other options: goto end
![Page 6: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/6.jpg)
Schematic: return to libc
• Control hijacking without writing code
args
ret-addrsfp
local buf
stack
exec()printf()
“/bin/sh”
libc.so
![Page 7: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/7.jpg)
Return to libc
• Stack progress trace
void f2(int len, char *arg) {char buf[128];memcpy(buf, arg, len);
}void f1(int len, char *arg) {
f2(len, arg);}int main(int argc, char *argv[]) {
f1(atoi(argv[1]), argv[2]);}
![Page 8: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/8.jpg)
Questions ?
![Page 9: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/9.jpg)
Buckle up!
![Page 10: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/10.jpg)
Returning to Code Chunks (aka Gadgets)
• Instead of working with small “opcodes” and %eip, we now use larger chunks of code and %esp
• All the “larger chunks” do multiple register manipulations, and we must consider the effect of all of them.
• Not everything we want is possible directly, so we have to be creative and work around the problem.
• We are effectively using a new ‘language’ to code.
In case you are wondering: Its Turing complete.
![Page 11: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/11.jpg)
Chunk guidelines
• All chunk ends with 0xc3 (opcode byte for RET)
• Chunks should be as minimal as possible, containing minimum amount of data
• Chunks are better if they appear in more “stable” and common libraries such as: libc. (and can then be reused for different binaries).
• Chunks can not contain Junks.• If the CPU can not interpret the junk in the chunk, it will stop the program
with illegal instruction exception.
![Page 12: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/12.jpg)
ROP – Machine level
• Stack pointer (%esp) determines which instruction
• sequence to fetch & execute• Processor doesn’t automatically increment %esp; — but
• the “ret” at end of each instruction sequence does
![Page 13: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/13.jpg)
No-op equivalent
• No-op instruction does nothing but advance %eip• Return-oriented equivalent:
• point to return instruction
• advances %esp
• Useful in nop sled
![Page 14: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/14.jpg)
Loading Immediates
• Instructions can encode constants
• Return-oriented equivalent:• Store on the stack;
• Pop into register to use
![Page 15: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/15.jpg)
Control flow
• Ordinary programming:• (Conditionally) set %eip to new value
• Return-oriented equivalent:• (Conditionally) set %esp to new value
![Page 16: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/16.jpg)
Multiple instruction sequence
• Sometimes more than one instruction sequence needed• to encode logical unit
• Example: load from memory into register:• Load address of source word into %eax
• Load memory at (%eax) into %ebx
![Page 17: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/17.jpg)
Conditional Jump #0
• Negative causes the carry flag to be turn on.
• Carry flag can be used in conjunction with ADC.
![Page 18: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/18.jpg)
Conditional Jump #1Code (.text)
XOR EAX,EAXRET
POP ECXRET
ADC CL, AL ; ADC CL, AL – Add With Carry ; CL = CL + AL + CF
RET
ROL ECX, 1 // Multiply by 2 (do 3 times)RET
XCHG EAX, ECX //XCHG EAX, ECX - Exchange
// registers: // TMP = EAX; EAX = ECX; ECX = TMP
RET
ADD ESP, EAX // skip 0 or 8 bytes in the stack.
RET
POP ESP RET
void exit(int status);
Stack
[DWORD PTR]
[DWORD PTR]
[DWORD ]0x00000000
[DWORD PTR]
[DWORD PTR]
[DWORD PTR]
[DWORD PTR]
[DWORD PTR]
[DWORD PTR]
[DWORD PTR]
[DWORD PTR] // ‘JMP‘ TO SOMEWHERE IN THE STACK
[DWORD PTR]
![Page 19: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/19.jpg)
Gadget summary
• We can write complex shellcode by returning to relevant gadgets.
• All gadgets end with ret. (0xc3)
• Gadgets can not contain junk (everything must be interpretable)
• “JMP” is analogous to finding code that modifies the ESP.
• We don’t have to maintain the original alignment of code (on x86).
• Example: • MOV EAX, 0x5DC3• This is interpreted into: B8 5D C3• However,• POP EBP• RETN• This is interpreted into:• 5D C3
![Page 20: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/20.jpg)
Trick: Using EBP to restore ret.
[DWORD PTR]
[DWORD PTR] //Loaded to EBP
[DWORD PTR] //Returns to function
// Do something that jumps back.
void puts() {..…..POP EBP // Restores address to putsRET}
PUSH EBPRET
Stack Code
![Page 21: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/21.jpg)
Getting started (Cont.): Moving the stack
• Instead of changing the stack completely, we can move the stack somewhere else.• Overwrite saved frame pointer on stack; on leave/ret, move %esp to area
under attacker control
• Advanced:• Overflow (heap) function pointer to a register spring for %esp:
• set or modify %esp from an attacker-controlled register
• then return
![Page 22: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/22.jpg)
H/W
![Page 23: Return Oriented Programming - TAU](https://reader035.fdocuments.in/reader035/viewer/2022071216/62cbbdbb303fd3207739688c/html5/thumbnails/23.jpg)
Questions ?