Exploit Mitigation using Multi-Variant Execution
Stijn Volckaert from University of California, Irvine discusses exploit mitigation strategies at the OWASP Belgium Chapter Meeting on October 18, 2016.
Presentation Transcript
Title slide: Exploit Mitigation using Multi-Variant Execution. Stijn Volckaert, University of California, Irvine. OWASP Belgium Chapter Meeting, 18 October 2016.

Possible Solutions
- Type-safe languages (e.g. Rust)
- Mitigations:
  - Integrity-based (e.g. CFI)
  - Randomization-based (e.g. ASLR)
- Multi-Variant Execution Environments (MVEEs)

[Figure: a Program, its Stack, and the Input it reads.]
Memory Corruption Attacks

    void foo() {
        char buf[256];
        gets(buf);          /* no bounds check: input longer than 256 bytes overwrites the stack */
        printf("%s", buf);
    }

    int main(int argc, char** argv) {
        foo();
        return 0;
    }

[Figure: the stack frame of foo(): buf, then the saved return address into main (labelled main + 2), which the attack redirects to execve.]

[Figure: two Programs with their Stacks side by side; each stack holds 0x7f00beef, 0x7f00dead, the return address main + 2 and the address 0x7ffffffff.]
Multi-Variant Execution Environments (MVEEs)
In a nutshell:
- Run multiple program variants in parallel
- Suspend them at every system call
- Compare system call numbers/arguments
- Master/slave replication for I/O

[Figure: two Program Variants, each with a timeline t, issuing write and brk; the system calls are executed in lock-step by the Monitor, which sits between the variants and the Kernel.]

Performance Considerations
- Programs can execute at native speed (assuming you have enough idle CPU cores and memory bandwidth)
- The total system load does not increase by a factor of n (with n the number of variants)
- BUT there are some problems!

[Figure: two Programs with their Stacks and timelines t, issuing write and brk; Monitor; Kernel.]

Slow System Call Interception
Split-Monitor Design:
- Handle security-sensitive system calls in the Cross-Process Monitor (CP-MON)
- Handle non-sensitive system calls in the In-Process Monitor (IP-MON)

[Figure: two Programs, each with an In-Process Monitor; getpid is the example of a call that stays in-process, open the example of one that reaches the Cross-Process Monitor through the Syscall Broker in the Kernel.]
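The two slides above describe the monitor's core loop (lock-step comparison of system call numbers and arguments, with the master's I/O results replicated to the slaves) and the split between sensitive and non-sensitive calls. The following model of that loop is an added example written for this page; it is not code from the presentation or from the GHUMVEE/ReMon monitors it describes. The syscall identifiers, the policy that only getpid is non-sensitive, and the three traces are constructed, and arguments are compared by value (a real monitor compares the data behind pointer arguments, not the pointer values, which differ between diversified variants).

```c
#include <stdio.h>
#include <string.h>

/* Syscall identifiers for this model only; they are not the kernel's numbers. */
enum { SYS_GETPID_M = 1, SYS_BRK_M = 2, SYS_WRITE_M = 3, SYS_EXECVE_M = 4 };

#define NARGS 3

struct syscall_req {
    int  nr;
    long args[NARGS];
};

/* Policy of the split monitor (constructed): getpid is the only non-sensitive
 * call here, so it stays on the in-process (IP-MON) fast path. */
static int is_security_sensitive(int nr)
{
    return nr != SYS_GETPID_M;
}

/* CP-MON comparison: number and all arguments must match exactly. */
static int same_request(const struct syscall_req *a, const struct syscall_req *b)
{
    return a->nr == b->nr && memcmp(a->args, b->args, sizeof a->args) == 0;
}

/* Stand-in for the kernel: only the master's call is really executed. */
static long execute_on_master(const struct syscall_req *r)
{
    switch (r->nr) {
    case SYS_WRITE_M: return r->args[2];  /* pretend every byte was written */
    case SYS_BRK_M:   return 0x601000;    /* constructed program break */
    default:          return 0;
    }
}

/* Run `steps` lock-step rounds over per-variant traces (variant 0 is the master).
 * results[s] receives the master's return value that is replicated to the
 * slaves. Returns the first step at which the variants disagree, or -1. */
int run_lockstep(const struct syscall_req *const traces[], int nvariants,
                 int steps, long results[])
{
    for (int s = 0; s < steps; s++) {
        int sensitive = 0;
        for (int v = 0; v < nvariants; v++)
            if (is_security_sensitive(traces[v][s].nr))
                sensitive = 1;

        if (!sensitive) {
            /* IP-MON: handled inside each variant, no cross-process round. */
            results[s] = 0;
            continue;
        }
        for (int v = 1; v < nvariants; v++)
            if (!same_request(&traces[0][s], &traces[v][s]))
                return s;                  /* divergence: stop the variants */

        results[s] = execute_on_master(&traces[0][s]);
    }
    return -1;
}

/* Constructed traces. A and B are two healthy variants of the same program;
 * C is a variant whose third call has turned into execve, which is what an
 * exploit that succeeded in only one variant looks like to the monitor. */
static const struct syscall_req trace_a[] = {
    { SYS_GETPID_M, { 0, 0, 0 } },
    { SYS_BRK_M,    { 0, 0, 0 } },
    { SYS_WRITE_M,  { 1, 0x400100, 6 } },
};
static const struct syscall_req trace_b[] = {
    { SYS_GETPID_M, { 0, 0, 0 } },
    { SYS_BRK_M,    { 0, 0, 0 } },
    { SYS_WRITE_M,  { 1, 0x400100, 6 } },
};
static const struct syscall_req trace_c[] = {
    { SYS_GETPID_M, { 0, 0, 0 } },
    { SYS_BRK_M,    { 0, 0, 0 } },
    { SYS_EXECVE_M, { 0x7fff0000, 0, 0 } },
};

int demo_benign(void)
{
    const struct syscall_req *const tr[] = { trace_a, trace_b };
    long res[3];
    return run_lockstep(tr, 2, 3, res);   /* -1: all three rounds agreed */
}

int demo_divergent(void)
{
    const struct syscall_req *const tr[] = { trace_a, trace_c };
    long res[3];
    return run_lockstep(tr, 2, 3, res);   /* 2: the execve round is caught */
}

int main(void)
{
    printf("benign run: %d, divergent run: %d\n", demo_benign(), demo_divergent());
    return 0;
}
```

The getpid round never reaches the cross-process comparison, which is the whole point of the split design: the expensive lock-step round is paid only for calls that matter to security, while a variant that alone ends up in execve is stopped at the first call where its trace differs from the master's.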
Code Reuse
Protects against:
- return-to-libc (RILC)
- return-oriented programming (ROP)
- jump-oriented programming (JOP)
- just-in-time code reuse (JIT-ROP) [*]
- counterfeit object-oriented programming (COOP) [*]
[*] Requires eXecute-only memory support

[Figure: two Programs with their Stacks; each stack holds 0x7f00beef, 0x7f00dead, the return address main + 2 and the address 0x7ffffffff.]

Code Injection
The slide shows one x86_64 shellcode three ways: as assembly, as the raw bytes, and as the call it performs.

    xor rdx, rdx
    mov qword rbx, '//bin/sh'
    shr rbx, 0x8
    push rbx
    mov rdi, rsp
    push rax
    push rdi
    mov rsi, rsp
    mov al, 0x3b
    syscall

    \x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05

    execve("/bin/sh", ["/bin/sh"], NULL)

[Figure: two identical Programs; the same injected bytes appear in both, and in both Stacks the return address main + 2 has been replaced by Stack + 2.]

[Figure: the same injection against Program + VM (ARM) and Program + VM (x86_64): identical bytes and identical Stack + 2 return addresses in both, but the two variants run on different instruction sets.]
Non-Control Data Attacks

    void ProcessConnection(connection* c) {
        cred_t user;
        char message[1024];
        int i = 0;

        auth_user(&user, c);
        while (!end_of_message(c))
            message[i++] = get_next_char(c);   /* no bounds check: a long message overwrites user and i */

        seteuid(user.user_id);
        ExecuteRequest(message);
    }

[Figure: the stack frame of ProcessConnection(): return address, user, message, i.]
Non-Control Data Attacks (diversified variant)
The same function with its non-control data (the loop index, the message bytes and the user id) stored in encrypted form. The second argument of every encrypt/decrypt call did not survive extraction; on the slide it is presumably the per-variant key.

    void ProcessConnection(connection* c) {
        cred_t user;
        char message[1024];
        int i = encrypt(0, );

        auth_user(&user, c);
        while (!end_of_message(c)) {
            register int tmp = decrypt(i, );
            message[tmp] = encrypt(get_next_char(c), );
            i = encrypt(tmp + 1, );
        }

        seteuid(decrypt(user.user_id, ));
        ExecuteRequest(message);
    }

[Figure: two diversified Programs side by side (BONUS: Information Leakage Protection); each stack holds the return address, user, message, i and main + 2.]
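Why encrypting non-control data under a different key per variant turns a data-only attack into a divergence the monitor can see, as an added example for this page; it is not code from the presentation or from GHUMVEE. The XOR masks, the struct layout and the request string are constructed, and the overwrite of user_id is modelled by assigning to the field rather than by an actual overflow of message[].

```c
#include <stdint.h>
#include <stdio.h>

/* Per-variant secret. In an MVEE each variant would be generated with its own
 * value; these two masks are constructed for the model. */
#define KEY_VARIANT_A 0x5a5a5a5au
#define KEY_VARIANT_B 0xc3c3c3c3u

static uint32_t enc(uint32_t v, uint32_t key) { return v ^ key; }
static uint32_t dec(uint32_t v, uint32_t key) { return v ^ key; }

/* The non-control data the slide protects: the loop index and the user id. */
struct conn_state {
    uint32_t key;
    uint32_t i_enc;        /* encrypted loop index */
    uint32_t user_id_enc;  /* encrypted cred_t.user_id */
    char     message[16];
};

/* One variant's ProcessConnection() over an in-memory request. The loop is
 * bounded here because the model is about the diversification, not the bug. */
static void process_connection(struct conn_state *st, const char *input, uint32_t uid)
{
    st->user_id_enc = enc(uid, st->key);      /* what auth_user() would store */
    st->i_enc = enc(0, st->key);
    for (size_t n = 0; input[n] != '\0' && n < sizeof st->message - 1; n++) {
        uint32_t tmp = dec(st->i_enc, st->key);
        st->message[tmp] = input[n];
        st->i_enc = enc(tmp + 1, st->key);
    }
    st->message[dec(st->i_enc, st->key)] = '\0';
}

/* The value this variant would hand to seteuid(). */
static uint32_t seteuid_argument(const struct conn_state *st)
{
    return dec(st->user_id_enc, st->key);
}

/* Monitor check at the seteuid() system call: 1 if both variants agree. */
int variants_agree(const struct conn_state *a, const struct conn_state *b)
{
    return seteuid_argument(a) == seteuid_argument(b);
}

/* Benign request: both variants decode the same uid, the call goes through. */
int demo_benign(void)
{
    struct conn_state a = { KEY_VARIANT_A }, b = { KEY_VARIANT_B };
    process_connection(&a, "GET /index", 1000);
    process_connection(&b, "GET /index", 1000);
    return variants_agree(&a, &b);   /* 1 */
}

/* Modelled corruption: the same raw bytes land in user_id in both variants,
 * as one input overflowing message[] would place them. Each variant decodes
 * them with its own key, so the seteuid() arguments differ and the monitor
 * reports a divergence instead of letting the call through. */
int demo_overwritten(void)
{
    struct conn_state a = { KEY_VARIANT_A }, b = { KEY_VARIANT_B };
    process_connection(&a, "GET /index", 1000);
    process_connection(&b, "GET /index", 1000);
    a.user_id_enc = 0;
    b.user_id_enc = 0;
    return variants_agree(&a, &b);   /* 0 */
}

int main(void)
{
    printf("benign: agree=%d, overwritten: agree=%d\n", demo_benign(), demo_overwritten());
    return 0;
}
```

The same property protects the loop index i: a uniform overwrite of i decodes to two different indices, so the variants start writing message bytes to different offsets and their subsequent behaviour, and eventually their system calls, differ.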
Multithreading
[Figure: Master Thread 1, Master Thread 2, Slave Thread 1, Slave Thread 2; monitor 1 and monitor 2 above the kernel.]

[Figure: the same four threads with timelines t; the calls accept and nanosleep are reached in a different order by the master threads and the slave threads; monitor 1, monitor 2 and the GHUMVEE monitor above the kernel.]

[Figure: each thread now carries a Sync Agent, and the agents share a Sync Buffer; GHUMVEE monitor, monitor 1, monitor 2, kernel.]

Shared Memory
[Figure: a Program sharing memory with a Display Server, a second Program, the Monitor, and the Kernel.]

Other problems
- Data races
- vdso/vsyscall pages
- RDTSC/RDTSCP
- Address dependence