Detecting Code Reuse Attacks with a Model of Conformant Program
Execution
Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller
Computer Sciences DepartmentUniversity of Wisconsin
ESSoS 2014Munich, GermanyFebruary 27, 2014
• Attack goal: effect some malicious intent by hijacking program control flow
• Historically, accomplishedvia code injection
Threat Model
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
heap
entry point
code
process address spacestack
injected shellcode
2
• W X prevents code injection
• So, code cannot be executed from the stack or heap
• Alternative: construct an exploit using code that already exists within the program’s address space
Threat Model
code reuse attacks
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
heap
entry point
code
process address spacestack
injected shellcode
3
7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80
89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92
57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5
94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9
83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2
87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f
67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09
e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48
6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32
f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2
16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84
02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02
b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d
7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80
89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92
57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5
94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68
c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8
6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07
b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90
14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c
22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18
b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8
68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a
d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5
07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e
20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27
Anatomy of a Code Reuse Attack
xchg %eax,%ecxfdiv %st(3),%stjmp *-0xf(%esi)
add %edi,%ebpjmp *-0x39(%ebp)
mov 0xc(%esi),%eaxmov %eax,(%esp)call *0x4(%esi)
add %edi,%ebpjmp *-0x39(%ebp)
sysenter…pop %ebx
Select gadgets from within the address space of the process
Chain gadgets together with indirect control flow
Usually a short attack with the goal of escaping the confining W X environmentexec(“/bin/sh”)
code
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Example based on exploit presented in Bletsch et al. 2011
4
indirect jump instructions “jump-oriented programming” (JOP)
Anatomy of a Code Reuse AttackSelect gadgets from within the address space of the process
Chain gadgets together with indirect control flow
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80
89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92
57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5
94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9
83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 de a2
87 ad f3 07 51 d2 d2 02 b0 18 b5 f1 b1 fb bb 1f
67 83 c0 30 42 3d f0 2d 7a 77 0e 20 e9 3d e0 09
e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48
6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32
f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2
16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84
02 1c 22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02
b0 18 b5 f1 b1 fb bb 1f 67 83 c0 30 42 3d f0 2d
7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80
89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92
57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5
94 2b 20 fd 5b 95 7a 77 0e 20 e9 3d e0 09 e8 68
c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8
6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07
b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90
14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c
22 8e 63 01 de a2 87 ad f3 07 51 d2 d2 02 b0 18
b5 f1 b1 fb bb 1f 67 83 77 0e 20 e9 3d e0 09 e8
68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a
d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5
07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 95 7a 77 0e
20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27
xchg %eax,%ecxfdiv %st(3),%stjmp *-0xf(%esi)
add %edi,%ebpjmp *-0x39(%ebp)
mov 0xc(%esi),%eaxmov %eax,(%esp)call *0x4(%esi)
add %edi,%ebpjmp *-0x39(%ebp)
sysenter…pop %ebx
Usually a short attack with the goal of escaping the confining W X environmentexec(“/bin/sh”)
Example based on exploit presented in Bletsch et al. 2011
5
Existing Defenses Against Code Reuse Attacks
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Select gadgets from within the address space of the process
Chain gadgets together with indirect control flow
Making gadget discovery difficult:• ASLR• software diversification• removal of useful instruction
sequences[Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013]
Make discovery difficult, not impossible
Detecting control flow manipulations:• shadow stack• matched call/return pairs[Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013]
Defeated by JOPEnforcing control flow integrity:[Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013]
Require binary rewriting of all code
6
Our Approach
• Define security policy based on well-defined behaviors of the program binaryDoes not rely on behavior of known attacks
• Use static analysis of binary to extract the modelDoes not require learning phase or expert
knowledge
• Enforce expected behaviorProtects against new exploit variationsDetecting Code Reuse Attacks with a Model of Conformant Program
Execution7
Our Approach
• Define conformant program execution (CPE) as a set of requirements on program states• Valid program counter• Valid callstack
• Enforce CPE by monitoring program at runtime• Monitor is protected from being exploited
because it’s in a separate process
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
8
Model Component #1
Valid program counter (PC):PC must point to a valid instruction in the original
program
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
b7fe3424: pop %ebpb7fe3425: pop %edxb7fe3426: pop %ecxb7fe3427: ret
0xb7fe3424P
C
CFG
9
Model Component #2
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Valid callstack:For each frame:1. frame must have valid stack frame height2. (caller current frame) must represent a valid control flow
transfer in the program
stack pointer
…78787878
787878787878787878787878callstac
k
CFG
expected stack frame
push %ecxpush %edxpush %ebpmov %esp, %ebpsysenter…jmp b7fe3417pop %ebppop edxpop ecxret
pop %ebppop %edxpop %ecxret
invalid return address
valid control flow transfer?
10
Program Validation
Design decision: when do we validate?• Option 1: At all instructions • “Conformant program execution”• Disadvantage: inefficient
• Option 2: At system calls• “Observed conformant program
execution”(OCPE)• Effective because attacks must use the system
call interface to modify overall machine state• Disadvantage: relies on attack being observable
at system calls
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
11
ROPStop Implementation
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Operating System
running process
(monitored application)
systemcalls
intercept via ptrace
binary
running process
ROPStop1. Attach to running process
or launch new process from binary
2. Parse program binary
3. Register callbacks at system calls
4. Continue processAt each system call:1. Validate current program
counter2. Perform robust stackwalk
and validate the current callstack
or
12
Accuracy
Evaluation
Real code reuse
attacks
SPEC CPU2006
Overhead
Apache HTTP
Server
SPEC CPU2006
Apache HTTP
Server
False negatives?
False positives?
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
13
Results: Real Code Reuse Attacks
Exploit Type Detected
Detection Component Why Invalid?
17286(a) ROP ✓ Invalid stack frame height
Overwritten return address
17286(b) ROP ✓ Invalid stack frame height
Overwritten return address
Rsync ROP ✓ Invalid stack frame height
Overwritten return address
Bletsch JOP ✓ Invalid stack frame height
Gadget executing
Stack-smash
Stack-smash ✓ Invalid stack frame
heightOverwritten return address
100% accuracy using real ROP and JOP exploits
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
14
Results: Real Code Reuse Attacks
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
CFG
push %ecxpush %edxpush %ebpmov %esp, %ebpsysenter…jmp b7fe3417pop %ebppop edxpop ecxret
pop %ebppop %edxpop %ecxret
Exploit Type Detected
Detection Component Why Invalid?
Bletsch JOP ✓ Invalid stack frame height
Gadget executing
stack pointer
…78787878
787878787878787878787878callstac
k
expected stack frame
invalid return address
15
Results: SPEC CPU2006pe
rlbe
nch
bwav
es
mcf
zeus
mp
cact
usAD
M
nam
dso
plex
hmm
erge
msF
DTD
h264
ref
lbm
asta
rsp
hinx
3
-5%
0%
5%
10%
15%
20%
Overh
ead
100% accuracy (0 false positives),
5.3% overhead (geometric mean)Detecting Code Reuse Attacks with a Model of Conformant Program Execution
16
Results: SPEC CPU2006
Where does the overhead come from?• PC validity• Callstack validity• Monitor context switching (~frequency of
system calls)Detecting Code Reuse Attacks with a Model of Conformant Program
Execution
perl
benc
hbw
aves
mcf
zeus
mp
cact
usAD
M
nam
dso
plex
hmm
erge
msF
DTD
h264
ref
lbm
asta
rsp
hinx
3
-5%
0%
5%
10%
15%
20%
Overh
ead
241.5 system calls/
second
2.0system calls/
second
17
Results: Apache HTTP Server
1000
020
000
3000
040
000
5000
060
000
7000
080
000
9000
010
0000
1100
0012
0000
1300
0014
0000
1500
0016
0000
1700
0018
0000
1900
0020
0000
0%
5%
10%
15%
20%
25%
30%
Total Number of Requests
Overh
ead
100% accuracy (0 false positives),
6.3% overhead (geometric mean)Detecting Code Reuse Attacks with a Model of Conformant Program Execution
18
Open Questions
• Data-driven attacks (orthogonal type of attack)[Chen et al. 2005] [Demay et al. 2011]
• Exploits that modify program data (e.g., system call arguments) to effect an attack • May not have visible effects on the program states we monitor
• Mimicry/evasion attacks (do not exist as code reuse attacks)[Giffin et al. 2006] [Wagner and Soto 2002]
• Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place
• Are designed to have no visible effects on the program states we monitor
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
19
Conclusion
• Approach for detecting code reuse attacks
• We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution
• We built a tool to enforce OCPE, ROPStop
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
20
Questions?
www.paradyn.org
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
21
Overhead breakdown
BenchmarkSystem call rate (calls/second)
% Overhead Imposed
% Instruction Validity % Callstack Validity % Context Switching
perlbench 167.8 9.6 0.2 50.7 49.1
bzip2 2 0.8 0 43.8 56.2
bwaves 3.3 1.4 0 31.7 68.2
gamess 29.5 2.4 0.1 59 40.9
mcf 3.4 1.9 0 51.4 48.5
milc 25.5 5.7 0.1 23.5 76.4
zeusmp 0.2 0.7 0 54.2 45.7
gromacs 1.5 0.6 0 45.1 54.9
cactusADM 7.6 1 0.1 52 47.9
leslie3d 31.4 9.2 0.1 14.2 85.7
namd 3.1 0.9 0 61.6 38.4
gobmk 14 2.2 0.1 43.6 56.4
soplex 241.5 18.1 0.2 50.8 49.1
povray 156.2 18.1 0.1 53.3 46.6
hmmer 18.6 2.6 0.1 38.8 61.1
sjeng 4.8 1.3 0 40.5 59.5
GemsFDTD 88.7 7.3 0.2 40.9 59
libquantum 0.3 0.7 0 50.2 49.8
h264ref 5.1 1.3 0 28.9 71
tonto 119.6 19.1 0.1 41.2 58.7
lbm 1.4 3.4 0 15.5 84.5
omnetpp 3.7 8.8 0 12.7 87.3
astar 7.2 1.3 0.1 56.7 43.3
wrf 53.2 15.7 0 13.4 86.6
sphinx3 18.6 2.4 0.1 38.1 61.822
Top Related