Mitigating Advanced Code-Reuse Attacks At The Binary Level · Xi Chen, Sanjay Rawat, Herbert Bos,...
A Tough Call: Mitigating Advanced Code-Reuse Attacks At The Binary Level
Victor van der Veen, Enes Göktaş (joint first author) (VU)
Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB)
Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos, Cristiano Giuffrida (VU)
Control-Flow Integrity
• Promising way to stop code-reuse attacks
• Hard to enforce in practice
• Existing binary-level CFI cannot prevent function-reuse attacks (COOP)
2
TypeArmor
• A more precise binary-level CFI solution
• Acceptable overhead (under 3% geometric mean on SPEC CPU2006)
• Stops all published code-reuse attacks
3
Running example: normal execution

```
processor() {
    ...
    while (condition) {
        ...
        call fptr
        ...
    }
    ...
}

Func1() {
    ...
}

Func2() {
    ...
}

Func3() {
    ...
}
```
4
Running example: advanced code-reuse

```
processor() {
    ...
    while (condition) {
        ...
        call fptr
        ...
    }
    ...
}

Func1() {
    ...
}

Func2() {
    ...
}

Func3() {
    ...
}
```

Function-oriented programming: the attacker controls fptr and the data the loop iterates over, so the existing loop in processor() becomes an attacker-controlled 'loop gadget' that dispatches to whole functions, the 'gadgets'. No code is injected and no mid-function addresses are targeted; every target is a legitimate function entry, which is what lets this style of attack (COOP) slip past CFI policies that only check for valid function entries.
6
Running example: binary-level CFI

```
processor() {
    ...
    while (condition) {
        ...
        call fptr
        ...
    }
    ...
}

Func1() {
    ...
}

Func2() {
    ...
}

Func3() {
    ...
}
```

Loop gadget

Binary-level solutions:
• Unable to resolve indirect call targets
• Indirect calls may go to any function

Because every gadget in the attack is a function entry, a policy of "indirect calls may target any function" leaves the loop gadget and its targets untouched.
8
Running example: source-level CFI

```
processor() {
    ...
    while (condition) {
        ...
        call fptr
        ...
    }
    ...
}

Func1() {
    ...
}

Func2() {
    ...
}

Func3() {
    ...
}
```

Loop gadget

Source-level solutions:
• Enforce the class hierarchy (VTV, GCC's virtual-table verification): a virtual call may only reach vtables valid for the static type at the callsite
• Match function argument types (IFCC, indirect function-call checks): a call through a function pointer may only reach functions whose type signature matches the callsite

With type information from the compiler, mismatched gadgets are excluded, but this requires source code and a recompile, which is exactly what binary-only deployments lack.
9
Running example: TypeArmor

```
processor() {
    ...
    while (condition) {
        ...
        call fptr
        ...
    }
    ...
}

Func1() {
    ...
}

Func2() {
    ...
}

Func3() {
    ...
}
```

Loop gadget

TypeArmor:
• Approximate source-level accuracy
• Not as accurate as source
• But still breaking exploits
12
Approximate source-level invariants?
• Extract argument count at callsite
• Extract argument usage at callee
• Allow only targets with matching function types

Callsites preparing two args should never call functions expecting three or more.

Implemented for the x86-64 architecture:
• Calling convention: the System V AMD64 ABI passes the first six integer and pointer arguments in registers (rdi, rsi, rdx, rcx, r8, r9), so argument traffic is visible as register writes and reads
• Callsite: search backward from the call for write instructions to those argument registers (how many arguments are prepared)
• Callee: search forward from the entry for read-before-write instructions on those registers (how many arguments are actually consumed; a register the callee overwrites first is not carrying an argument it relies on)

Function signature matching by argcount
15
Running example: TypeArmor
• Match argument count expectations

```
processor() {                          // loop gadget
    ...
    while (condition) {
        arg1 = x
        arg2 = y
        call fptr(arg1, arg2)          // prepares 2 arguments
        ...
    }
    ...
}

Func1(arg1, arg2) {                    // expects 2 arguments: working gadget
    return arg1 + arg2
}

Func2(arg1, arg2) {                    // expects 2 arguments: working gadget
    return arg1 * arg2
}

Func3(arg1, arg2, arg3) {              // expects 3 arguments: broken gadget
    return arg3 - arg1 + arg2
}
```
19
Precision
How accurately can we determine the prepared and used argument count?

| Server    | Callsites (#) | Callsites as in source | Functions (#) | Functions as in source |
|-----------|---------------|------------------------|---------------|------------------------|
| Memcached | 48            | 41 (86%)               | 236           | 210 (89%)              |
| lighttpd  | 54            | 47 (87%)               | 353           | 311 (88%)              |
| Nginx     | 218           | 161 (74%)              | 1,111         | 869 (78%)              |
| MySQL     | 7,532         | 5,771 (77%)            | 9,961         | 6,977 (70%)            |
20
Running example: TypeArmor
• Runtime enforcement

```
processor() {                          // loop gadget
    ...
    while (condition) {
        arg1 = x
        arg2 = y
        CHECK TARGET: ID <= 2          // callsite prepares 2 arguments
        call fptr(arg1, arg2)
        ...
    }
    ...
}

ID: 2
Func1(arg1, arg2) {                    // working gadget
    return arg1 + arg2
}

ID: 2
Func2(arg1, arg2) {                    // working gadget
    return arg1 * arg2
}

ID: 3
Func3(arg1, arg2, arg3) {              // broken gadget: 3 > 2, the check fails
    return arg3 - arg1 + arg2
}
```
23
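The two-sided analysis described on slide 15 (writes to argument registers before the call at the callsite, read-before-write of those registers in the callee) and the runtime check of slide 23 (target ID at most the prepared count), as an added example in Python. This is not TypeArmor's code: TypeArmor analyses real x86-64 binaries through a disassembler, while the instruction streams here are hand-constructed in a toy IR of (mnemonic, destination, sources) tuples standing in for processor()'s loop and Func1..Func3 from the running example. The earlier helper call in the loop body and the extra function Func4 are assumptions added to show two things the slides state but do not spell out: why the callsite scan must stop at a preceding call, and why the callee count is only a lower bound, which is the "not as accurate as source" caveat of slide 12.

```python
# Added example: a simplified, TypeArmor-style argument-count analysis on a
# hand-written toy x86-64 IR. It is not TypeArmor's code; the IR shape and
# the instruction streams below are constructed for illustration only.
from typing import Dict, List, Optional, Tuple

# System V AMD64 ABI: the first six integer/pointer arguments travel in these
# registers, in this order, so "argument i" lives in ARG_REGS[i - 1].
ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]

# Toy instruction: (mnemonic, destination register or None, source registers)
Insn = Tuple[str, Optional[str], List[str]]


def prepared_args(block: List[Insn]) -> int:
    """Upper bound on the arguments prepared for the indirect call that ends
    `block`: walk backward from the call and count an argument register as
    prepared if it is written anywhere before the call. The walk stops at an
    earlier call, whose argument setup belongs to that call, not to ours."""
    assert block[-1][0] == "call", "block must end in the indirect call"
    highest = 0
    for mnem, dst, _srcs in reversed(block[:-1]):
        if mnem == "call":
            break
        if dst in ARG_REGS:
            highest = max(highest, ARG_REGS.index(dst) + 1)
    return highest


def used_args(body: List[Insn]) -> int:
    """Lower bound on the arguments a callee consumes: the highest argument
    register that is read before the callee writes it. A register the callee
    overwrites first cannot be carrying a value the callee relies on.
    Simplification: the body is one straight-line path; a real tool takes the
    maximum over all paths of the callee's control-flow graph."""
    written = set()
    highest = 0
    for mnem, dst, srcs in body:
        for reg in srcs:
            if reg in ARG_REGS and reg not in written:
                highest = max(highest, ARG_REGS.index(reg) + 1)
        if dst is not None:
            written.add(dst)
        if mnem == "ret":
            break
    return highest


def allowed_targets(block: List[Insn], callees: Dict[str, List[Insn]]) -> Dict[str, bool]:
    """The policy from the slides: a callsite preparing n arguments may only
    reach functions whose (lower-bound) argument count is <= n. The callee
    counts double as the IDs compared at runtime before the call."""
    n = prepared_args(block)
    return {name: used_args(body) <= n for name, body in callees.items()}


# Constructed loop body of processor(): an (assumed) earlier three-argument
# call to a helper, then arg1 = x, arg2 = y and the indirect call via rax.
PROCESSOR_LOOP: List[Insn] = [
    ("mov", "rdi", ["r12"]),
    ("mov", "rsi", ["r13"]),
    ("mov", "rdx", ["r14"]),
    ("call", None, ["helper"]),   # earlier call: its rdx must not count for us
    ("mov", "rdi", ["rbx"]),      # arg1 = x
    ("mov", "rsi", ["r15"]),      # arg2 = y
    ("mov", "rax", ["rbp"]),      # rax = fptr
    ("call", None, ["rax"]),      # call fptr(arg1, arg2)
]

# Constructed callee bodies mirroring Func1..Func3 from the slides, plus an
# assumed Func4(a, b, c) that ignores c and uses rdx as scratch space.
CALLEES: Dict[str, List[Insn]] = {
    "Func1": [("mov", "rax", ["rdi"]), ("add", "rax", ["rax", "rsi"]), ("ret", None, [])],
    "Func2": [("mov", "rax", ["rdi"]), ("imul", "rax", ["rax", "rsi"]), ("ret", None, [])],
    "Func3": [("mov", "rax", ["rdx"]), ("sub", "rax", ["rax", "rdi"]),
              ("add", "rax", ["rax", "rsi"]), ("ret", None, [])],
    # rdx is written before any read, so the lower bound is 2 and the
    # binary-level analysis cannot distinguish Func4 from Func1 or Func2.
    "Func4": [("mov", "rdx", ["rdi"]), ("add", "rdx", ["rdx", "rsi"]),
              ("mov", "rax", ["rdx"]), ("ret", None, [])],
}

if __name__ == "__main__":
    print("prepared at callsite:", prepared_args(PROCESSOR_LOOP))
    for name, ok in allowed_targets(PROCESSOR_LOOP, CALLEES).items():
        print(f"{name}: ID={used_args(CALLEES[name])} -> {'allowed' if ok else 'blocked'}")
```

Run as written, the callsite count is 2 (3 if the backward walk did not stop at the helper call), Func3 is blocked with ID 3, and Func1, Func2 and the hypothetical Func4 are allowed. The direction of the two approximations is what makes the check safe to deploy: the callsite count can only be too high and the callee count only too low, so a legitimate call is never rejected, at the price of admitting targets such as Func4 that a source-level type check would exclude.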
Performance

| Server    | Overhead | Language |
|-----------|----------|----------|
| Memcached | 1.4%     | C        |
| lighttpd  | 11.6%    | C        |
| Nginx     | 13.2%    | C        |
| MySQL     | 23.9%    | C++      |

SPEC CPU2006: less than 3% (geometric mean)
25
Conclusion
• Extract new invariants (argument counts prepared at callsites and consumed by callees) from binaries
• Enforce the strictest binary-level security policy to date
• Binary-level CFI solutions can mitigate sophisticated code-reuse attacks
• Keep an eye on http://www.vusec.net
26