You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable Code
Transcript of You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable Code
Background
• Buffer overflows, dangling pointers, memory corruption vulnerabilities
• Defences & attacks
  • DEP/W^X -> ROP
  • ASLR (coarse-grained) -> memory disclosure + memory corruption
  • ASLR (fine-grained) -> JIT code reuse
• XnR
  • Memory (code pages): eXecutable, but non-Readable
JIT-Code Reuse
• JIT-Code Reuse
  • An attack framework running inside a script environment
  • Client-side online attack
• JIT-code reuse workflow
  • Harvest code pages
  • Discover gadgets and APIs
  • Just-in-time compilation
K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, et al., "Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization," in 2013 IEEE Symposium on Security and Privacy (SP), 2013, pp. 574–588.
Preventing Disclosure Exploits
• Motivation
  • As soon as a process tries to read its own code as data, XnR considers this illegal behavior.
  • Prevents the first necessary step of exploiting a disclosure vulnerability
• Adversary's threat model
  • Userland process contains a memory corruption vulnerability
  • Process contains at least one memory disclosure vulnerability
  • Adversary controls the input of all communication channels
• Assumption
  • XnR runs on an OS that provides W^X and fine-grained ASLR.
The XnR Primitive
• Emulating XnR in software
  • Current hardware does not support eXecutable-but-non-Readable memory
  • Memory permissions only allow toggling the ability to Write to memory or the ability to eXecute it; executable permission implies read permission.
• Challenge
  • Detecting read attempts is not supported by the MMU.
  • Distinguishing legitimate access to data from read attempts on code
The XnR Primitive
• Emulating XnR in software
• Solutions
  • Set the page non-present and let a modified page fault handler check the violation condition.
  • Three types of memory operation have to be distinguished
The XnR Primitive
• Sliding window
  • Pages should be marked non-present until another page is accessed.
  • Window size: the number of most recently accessed present pages that are waiting to be marked non-present.
  • Keeps the n most recently used pages present while setting all others to non-present.
  • A trade-off between performance and security: n = 3
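The page-fault emulation and the sliding window from the last three slides, as an added Python model written for this transcript (it is not code from the XnR paper or its kernel patches). Page numbers, the access kinds 'fetch'/'read'/'write' and the sample trace are constructed for illustration; data pages are assumed to be always present.

```python
from collections import OrderedDict

class XnRViolation(Exception):
    """Raised when a process reads (or writes) its own code pages as data."""

class XnRSimulator:
    """Userland model of XnR's emulation: code pages stay non-present, so every
    access to them traps to a handler that tells fetches apart from code reads."""

    def __init__(self, code_pages, window_size=3):
        self.code_pages = set(code_pages)  # page numbers holding executable code
        self.window = OrderedDict()        # present code pages, oldest fault first
        self.window_size = window_size     # n most recently faulted pages stay present
        self.faults = 0

    def is_present(self, page):
        # Data pages are always present here; code pages only while in the window.
        return page not in self.code_pages or page in self.window

    def access(self, page, kind):
        """kind: 'fetch' (instruction fetch), 'read' or 'write' (data access)."""
        if self.is_present(page):
            # No fault, so XnR never sees it: reads inside the window are the trade-off.
            return 'hit'
        self.faults += 1
        if kind != 'fetch':
            # Data access to a non-present code page: the disclosure step XnR blocks.
            raise XnRViolation(f"{kind} of code page {page:#x}")
        # Legitimate fetch: map the page in, then unmap whatever leaves the window.
        self.window[page] = True
        while len(self.window) > self.window_size:
            self.window.popitem(last=False)
        return 'fault-allowed'

def run_trace(sim, trace):
    # Replay (page, kind) accesses, recording each outcome instead of raising.
    outcomes = []
    for page, kind in trace:
        try:
            outcomes.append(sim.access(page, kind))
        except XnRViolation:
            outcomes.append('violation')
    return outcomes

# Constructed sample: four code pages, one data page (0x20), window n = 3.
CODE_PAGES = {0x10, 0x11, 0x12, 0x13}
SAMPLE_TRACE = [(0x10, 'fetch'), (0x10, 'fetch'), (0x20, 'read'),
                (0x11, 'fetch'), (0x12, 'fetch'), (0x13, 'fetch'),  # evicts 0x10
                (0x10, 'read'),   # code read of a non-present page: violation
                (0x13, 'read')]   # code read inside the window: not observed
```

Running `run_trace(XnRSimulator(CODE_PAGES), SAMPLE_TRACE)` shows the seventh access flagged and the eighth passing unnoticed, which is exactly the security cost of keeping n pages present.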
Implementation
• One general concept
  • Use hardware page faults to emulate an XnR hardware feature.
• Two mainstream OSes
  • Windows: closed source, not friendly to fundamental modification (memory management)
  • Linux: open source
Implementation
• Linux
• Windows
  • Insert a custom page fault handler into the Windows kernel's IDT
  • Check procedure: the same
Evaluation
• Precision and effectiveness
• Detection of exploits
  • netcat, with manually introduced memory disclosure and memory corruption vulnerabilities
• Legitimate code reads
  • Found that both common Linux programs and standard Windows DLL functions attempted to read code during normal program execution.
  • Linux: the ELF header (data) resides in the .text segment
  • Code reads on Windows: data in the text segment