Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Explore how to prevent code injection and detect code reuse attacks by leveraging a model of conformant program execution. Learn about the threat model, anatomy of a code reuse attack, and effective prevention strategies.
Presentation Transcript
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller
Computer Sciences Department, University of Wisconsin
ESSoS 2014, Munich, Germany, February 27, 2014
Threat Model
Attack goal: effect some malicious intent by hijacking program control flow.
Historically, accomplished via code injection.
[Figure: process address space with stack, heap, injected shellcode, code, and entry point.]
Threat Model
W⊕X prevents code injection, so code cannot be executed from the stack or heap.
Alternative: construct an exploit using code that already exists within the program's address space (code reuse attacks).
[Figure: process address space with stack, heap, injected shellcode, code, and entry point.]
Anatomy of a Code Reuse Attack
Example based on exploit presented in Bletsch et al. 2011.
Select gadgets from within the address space of the process.
Chain gadgets together with indirect control flow: indirect jump instructions, i.e. jump-oriented programming (JOP).
Usually a short attack with the goal of escaping the confining W⊕X environment.
[Figure: bytes of the code region, with the selected gadgets highlighted and chained in this order:]
    xchg %eax,%ecx ; fdiv %st(3),%st ; jmp *-0xf(%esi)
    add %edi,%ebp ; jmp *-0x39(%ebp)
    mov 0xc(%esi),%eax ; mov %eax,(%esp) ; call *0x4(%esi)
    add %edi,%ebp ; jmp *-0x39(%ebp)
    sysenter ; pop %ebx
    exec("/bin/sh")
Existing Defenses Against Code Reuse Attacks
Attack step: select gadgets from within the address space of the process.
    Making gadget discovery difficult: ASLR, software diversification, removal of useful instruction sequences [Li et al. 2010] [Onarlioglu et al. 2010] [Hiser et al. 2012] [Pappas et al. 2012] [Wartell et al. 2012] [Davi et al. 2013]
    Weakness: these make discovery difficult, not impossible.
Attack step: chain gadgets together with indirect control flow.
    Detecting control flow manipulations: shadow stack, matched call/return pairs [Davi et al. 2009] [Francillon et al. 2009] [Chen et al. 2010] [Huang et al. 2012] [Kayaalp et al. 2012] [Davi et al. 2013]
    Weakness: defeated by JOP.
    Enforcing control flow integrity: [Abadi et al. 2009] [Zhang et al. 2012] [Zhang et al. 2013]
    Weakness: require binary rewriting of all code.
Our Approach
Define security policy based on well-defined behaviors of the program binary: does not rely on behavior of known attacks.
Use static analysis of binary to extract the model: does not require learning phase or expert knowledge.
Enforce expected behavior: protects against new exploit variations.
Our Approach
Define conformant program execution (CPE) as a set of requirements on program states:
    Valid program counter
    Valid callstack
Enforce CPE by monitoring program at runtime.
Monitor is protected from being exploited because it's in a separate process.
Model Component #1
Valid program counter (PC): PC must point to a valid instruction in the original program.
[Figure: PC = 0xb7fe3424 checked against the CFG, which contains:]
    b7fe3424: pop %ebp
    b7fe3425: pop %edx
    b7fe3426: pop %ecx
    b7fe3427: ret
Model Component #2
Valid callstack: for each frame:
    1. frame must have valid stack frame height
    2. (caller → current frame) must represent a valid control flow transfer in the program
[Figure: a callstack filled with 78787878 is compared with the expected stack frame at the stack pointer; the return address found there is invalid. The CFG shown is: push %ecx ; push %edx ; push %ebp ; mov %esp,%ebp ; sysenter ; jmp b7fe3417 ; pop %ebp ; pop %edx ; pop %ecx ; ret.]
Program Validation
Design decision: when do we validate?
Option 1: At all instructions. Conformant program execution.
    Disadvantage: inefficient.
Option 2: At system calls. Observed conformant program execution (OCPE).
    Effective because attacks must use the system call interface to modify overall machine state.
    Disadvantage: relies on attack being observable at system calls.
ROPStop Implementation
ROPStop:
    1. Attach to running process or launch new process from binary
    2. Parse program binary
    3. Register callbacks at system calls
    4. Continue process
At each system call:
    1. Validate current program counter
    2. Perform robust stackwalk and validate the current callstack
[Figure: ROPStop sits beside the running process (monitored application) and intercepts its system calls to the operating system via ptrace.]
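The two model components and the check made at each system call can be sketched as follows. This is an added example, not ROPStop's code or anything from the talk: the `b7fe34xx` addresses come from the slide, while the function ids, the `0x0804....` addresses, the frame heights (4-byte words assumed) and the call-site table are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model; a real one is extracted from the binary by static analysis. */
enum { FN_MAIN, FN_WRITE, FN_VSYSCALL };                   /* hypothetical function ids */
typedef struct { uint32_t addr, height; int func; } Insn;  /* height: bytes from SP to return address */
typedef struct { uint32_t ret_to; int callee; } CallSite;  /* ret_to: instruction after a call */
typedef enum { CONFORMANT, INVALID_PC, INVALID_CALLSTACK } Verdict;

static const Insn INSNS[] = {
    {0xb7fe3424, 12, FN_VSYSCALL},  /* pop %ebp, address from the slide */
    {0xb7fe3425,  8, FN_VSYSCALL},  /* pop %edx */
    {0xb7fe3426,  4, FN_VSYSCALL},  /* pop %ecx */
    {0xb7fe3427,  0, FN_VSYSCALL},  /* ret */
    {0x08048210,  4, FN_WRITE},     /* constructed: instruction after the call in write() */
    {0x08048105,  0, FN_MAIN},      /* constructed: instruction after the call in main() */
};
static const CallSite CALLS[] = { {0x08048210, FN_VSYSCALL}, {0x08048105, FN_WRITE} };

static const Insn *find_insn(uint32_t pc) {
    for (size_t i = 0; i < sizeof INSNS / sizeof *INSNS; i++)
        if (INSNS[i].addr == pc) return &INSNS[i];
    return NULL;                    /* not an instruction boundary of the original program */
}

static int valid_transfer(uint32_t ret_to, int callee) {
    for (size_t i = 0; i < sizeof CALLS / sizeof *CALLS; i++)
        if (CALLS[i].ret_to == ret_to && CALLS[i].callee == callee) return 1;
    return 0;
}

/* Check run when the monitored process stops at a system call.
   stack[0] is the word at the stack pointer; words is how much was read. */
Verdict check_at_syscall(uint32_t pc, const uint32_t *stack, size_t words) {
    const Insn *cur = find_insn(pc);
    if (!cur) return INVALID_PC;                  /* model component #1 */
    size_t sp = 0;
    while (cur->func != FN_MAIN) {                /* model component #2, frame by frame */
        size_t ra = sp + cur->height / 4;         /* slot the model says holds the return address */
        if (ra >= words) return INVALID_CALLSTACK;
        const Insn *caller = find_insn(stack[ra]);
        if (!caller || !valid_transfer(stack[ra], cur->func))
            return INVALID_CALLSTACK;             /* not a (caller -> current frame) transfer */
        sp = ra + 1;                              /* step past the return address into the caller */
        cur = caller;
    }
    return CONFORMANT;
}
```

A stack overwritten with `0x78787878`, as in the slide's figure, fails the callstack check because the word at the expected frame height is not a return site in the model.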
Evaluation
Overhead: SPEC CPU2006, Apache HTTP Server
Accuracy:
    False negatives? Real code reuse attacks
    False positives? SPEC CPU2006, Apache HTTP Server
Results: Real Code Reuse Attacks
Exploit       Type         Detected  Detection Component         Why Invalid?
17286(a)      ROP          yes       Invalid stack frame height  Overwritten return address
17286(b)      ROP          yes       Invalid stack frame height  Overwritten return address
Rsync         ROP          yes       Invalid stack frame height  Overwritten return address
Bletsch       JOP          yes       Invalid stack frame height  Gadget executing
Stack-smash   Stack-smash  yes       Invalid stack frame height  Overwritten return address
100% accuracy using real ROP and JOP exploits
Results: Real Code Reuse Attacks
Exploit: Bletsch. Type: JOP. Detection component: Invalid stack frame height. Why invalid? Gadget executing.
[Figure: the callstack filled with 78787878 is compared with the expected stack frame at the stack pointer, giving an invalid return address. The CFG shown is: push %ecx ; push %edx ; push %ebp ; mov %esp,%ebp ; sysenter ; jmp b7fe3417 ; pop %ebp ; pop %edx ; pop %ecx ; ret.]
Results: SPEC CPU2006
[Plot: overhead, y-axis from 0% to 20%.]
100% accuracy (0 false positives), 5.3% overhead (geometric mean)
Results: SPEC CPU2006
[Plot: overhead, y-axis from 0% to 20%, with annotations at 241.5 system calls/second and 2.0 system calls/second.]
Where does the overhead come from?
    PC validity
    Callstack validity
    Monitor context switching (~frequency of system calls)
Results: Apache HTTP Server
[Plot: overhead, y-axis from 0% to 30%, against total number of requests.]
100% accuracy (0 false positives), 6.3% overhead (geometric mean)
Open Questions
Data-driven attacks (orthogonal type of attack) [Chen et al. 2005] [Demay et al. 2011]
    Exploits that modify program data (e.g., system call arguments) to effect an attack
    May not have visible effects on the program states we monitor
Mimicry/evasion attacks (do not exist as code reuse attacks) [Giffin et al. 2006] [Wagner and Soto 2002]
    Exploits that evade system call monitoring by ensuring program state is restored before system call check takes place
    Are designed to have no visible effects on the program states we monitor
Conclusion
Approach for detecting code reuse attacks.
We defined conformant program execution and an efficient and adoptable approximation, observed conformant program execution.
We built a tool to enforce OCPE, ROPStop.
Questions?
jacobson@cs.wisc.edu
www.paradyn.org
Overhead breakdown
Benchmark    System call rate (calls/second)  % Overhead Imposed  % Instruction Validity  % Callstack Validity  % Context Switching
perlbench    167.8                            9.6                 0.2                     50.7                  49.1
bzip2        2                                0.8                 0                       43.8                  56.2
bwaves       3.3                              1.4                 0                       31.7                  68.2
gamess       29.5                             2.4                 0.1                     59                    40.9
mcf          3.4                              1.9                 0                       51.4                  48.5
milc         25.5                             5.7                 0.1                     23.5                  76.4
zeusmp       0.2                              0.7                 0                       54.2                  45.7
gromacs      1.5                              0.6                 0                       45.1                  54.9
cactusADM    7.6                              1                   0.1                     52                    47.9
leslie3d     31.4                             9.2                 0.1                     14.2                  85.7
namd         3.1                              0.9                 0                       61.6                  38.4
gobmk        14                               2.2                 0.1                     43.6                  56.4
soplex       241.5                            18.1                0.2                     50.8                  49.1
povray       156.2                            18.1                0.1                     53.3                  46.6
hmmer        18.6                             2.6                 0.1                     38.8                  61.1
sjeng        4.8                              1.3                 0                       40.5                  59.5
GemsFDTD     88.7                             7.3                 0.2                     40.9                  59
libquantum   0.3                              0.7                 0                       50.2                  49.8
h264ref      5.1                              1.3                 0                       28.9                  71
tonto        119.6                            19.1                0.1                     41.2                  58.7
lbm          1.4                              3.4                 0                       15.5                  84.5
omnetpp      3.7                              8.8                 0                       12.7                  87.3
astar        7.2                              1.3                 0.1                     56.7                  43.3
wrf          53.2                             15.7                0                       13.4                  86.6
sphinx3      18.6                             2.4                 0.1                     38.1                  61.8