Mitigating Advanced Code-Reuse Attacks At The Binary Level · Xi Chen, Sanjay Rawat, Herbert Bos,...

A Tough call:Mitigating Advanced Code-Reuse

Attacks At The Binary Level

Victor van der Veen, Enes Göktaş (joint first author) (VU)

Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB)

Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos, Cristiano Giuffrida (VU)

Control-Flow Integrity

• Promising way to stop code-reuse attacks

• Hard to enforce in practice

• Existing binary-level CFI cannot prevent function-reuse attacks (COOP)

Control-Flow Integrity

• Promising way to stop code-reuse attacks

• Hard to enforce in practice

• Existing binary-level CFI cannot prevent function-reuse attacks (COOP)

TypeArmor

• A more precise binary-level CFI solution

• Acceptable overhead (3% on SPEC)

• Stops all published code-reuse attacks

processor() {

while (condition) {

call fptr

Func1() {

Running example: normal execution

Func2() {

Func3() {

processor() {

while (condition) {

call fptr

Func1() {

Running example: advanced code-reuse

Func2() {

Func3() {

processor() {

while (condition) {

call fptr

Func1() {

Running example: advanced code-reuse

Func2() {

Func3() {

} Gadget

Gadget

Function-oriented programming

Attacker controlled ‘loop gadget’

processor() {

while (condition) {

call fptr

Func1() {

Running example: binary-level CFI

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

• Unable to resolve indirect call targets• Indirect calls may go to any function

processor() {

while (condition) {

call fptr

Func1() {

Running example: binary-level CFI

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

• Unable to resolve indirect call targets• Indirect calls may go to any function

Binary-levelsolutions

processor() {

while (condition) {

call fptr

Func1() {

Running example: source-level CFI

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

Source-levelsolutions

• Enforce class hierarchy (VTV)• Match function argument types (IFCC)

processor() {

while (condition) {

call fptr

Func1() {

Running example: TypeArmor

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

TypeArmor

• Approximate source-level accuracy

processor() {

while (condition) {

call fptr

Func1() {

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

TypeArmor

Not as accurate as source

processor() {

while (condition) {

call fptr

Func1() {

Func2() {

Func3() {

} Gadget

Gadget

Loop gadget

TypeArmor

Not as accurate as source

But still breaking exploits

Approximate source-level invariants?

• Extract argument count at callsite

• Extract argument usage at callee

• Allow only targets with matching function types

Function signature matching by argcount

Callsites preparing two args should never call functions expecting three or more

Implemented for the x86-64 architecture:

• Calling convention: pass arguments via registers

• Search for write instructions at the callsite

• Search for read-before-write instructions at the callee

processor() {

while (condition){

arg1 = x

arg2 = y

call fptr(arg1,arg2)

Func1(arg1,arg2){

return arg1+arg2

Func2(arg1,arg2){

return arg1*arg2

Func3(arg1,arg2,arg3){

return arg3-arg1+arg2

Loop gadget

• Match argument count expectations

processor() {

while (condition){

arg1 = x

arg2 = y

Func1(arg1,arg2){

return arg1+arg2

Func2(arg1,arg2){

return arg1*arg2

Loop gadget

Prepares 2 arguments

Expects 2 arguments

processor() {

while (condition){

arg1 = x

arg2 = y

Func1(arg1,arg2){

return arg1+arg2

Func2(arg1,arg2){

return arg1*arg2

Loop gadget

Expects 2 arguments

Working Gadget

processor() {

while (condition){

arg1 = x

arg2 = y

Func1(arg1,arg2){

return arg1+arg2

Func2(arg1,arg2){

return arg1*arg2

Broken Gadget

Loop gadget

Expects 2 arguments

Expects 3 arguments

Working Gadget

PrecisionHow accurate can we determine the prepared and used argument count?

Callsites Functions

Server # As in source # As in source

Memcached 48 41 (86%) 236 210 (89%)

lighttpd 54 47 (87%) 353 311 (88%)

Nginx 218 161 (74%) 1,111 869 (78%)

MySQL 7,532 5,771 (77%) 9,961 6,977 (70%)

Callsites Functions

Memcached 48 41 (86%) 236 210 (89%)

lighttpd 54 47 (87%) 353 311 (88%)

Nginx 218 161 (74%) 1,111 869 (78%)

MySQL 7,532 5,771 (77%) 9,961 6,977 (70%)

Callsites Functions

Memcached 48 41 (86%) 236 210 (89%)

lighttpd 54 47 (87%) 353 311 (88%)

Nginx 218 161 (74%) 1,111 869 (78%)

MySQL 7,532 5,771 (77%) 9,961 6,977 (70%)

processor() {

while (condition){

arg1 = x

arg2 = y

CHECK TARGET: ID <= 2

Func1(arg1,arg2){

return arg1+arg2

Func2(arg1,arg2){

return arg1*arg2

}Broken Gadget

Loop gadget

• Runtime enforcement

Working Gadget

Performance

SPEC CPU2006: less than 3% (geometric mean)

Performance

Server Overhead Language

Memcached 1.4% C

lighttpd 11.6% C

Nginx 13.2% C

MySQL 23.9% C++

SPEC CPU2006: less than 3% (geometric mean)

Conclusion

• Extract new invariants from binaries

• Enforce strictest security policy at binary-level to date

• Binary-level CFI solutions can mitigate sophisticated code-reuse attacks

• Keep an eye on http://www.vusec.net

Mitigating Advanced Code-Reuse Attacks At The Binary Level · Xi Chen, Sanjay Rawat, Herbert Bos,...

Documents

Transcript of Mitigating Advanced Code-Reuse Attacks At The Binary Level · Xi Chen, Sanjay Rawat, Herbert Bos,...

Rawat Inap

Developed by: Inger Giuffrida

PENGEMBANGAN APLIKASI REGISTRASI PASIEN RAWAT …

PROGETTO SPREAD S trategies and P ractices in E urope A gainst S chool D ropping out Pinella Giuffrida 02/02/2013 1 Progetto SPREAD Pinella Giuffrida.

KRITIKA RAWAT(4562)

Astrologer Manish Rawat

Jyoti rawat

Electrochemistry by rawat

Crm HSBC Deepak Rawat

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos elathan@ics.forth.gr.

Sistem Informasi Rawat Inap

Project Report of Amit Rawat

Formulir Klaim Rawat Inap1

Proposal rawat luka

Abhishek Rawat Avinash Kalyanaraman

aayush rawat

Tata motors ----Mayur Rawat

NO ORDINARY BOX: Prem Rawat

Roopa Rawat, RN

Sachin Rawat Crypsis sachin@crypsis