2016.6.21 Related Work: Code Reuse Attacks

Post on 14-Apr-2017


Related Work: Code Reuse Attacks

2016.6.21 <ajblane0612@gmail.com>

AJMachine

@ 若渴

How to Explore Code Reuse to Construct a Turing Machine

https://www.quora.com/What-exactly-is-Turings-Automatic-Computing-Engine

The Turing Machine

• Finite state machine
• Read head

• Program

For Example: Return-Oriented Programming

[Figure: virtual memory from low to high addresses. The code region contains gadgets that each end in ret (ADD gadget; ret, LOAD gadget; ret), then the heap, then the stack, which holds the addresses of those gadgets (LOAD gadget addr, ADD gadget addr) with SP pointing at the next address to be consumed.]

• Finite state machine: SP (the read head) + ret
• Program: the gadget addresses laid out on the stack, each selecting a gadget such as LOAD gadget; ret
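The slide's mapping of a ROP chain onto a Turing machine, as an added example (constructed for this transcript, not code from the deck or from any paper it cites): a small C emulator in which each gadget is a function that ends by returning to a ret loop, the stack holds the program, and SP is the read head. The names (rop_add, cpu_t, the gadget set) and the four-word data memory are assumptions; a real chain would use the addresses of gadgets inside existing code rather than function pointers, and the first gadget address would be reached by overwriting a saved return address.

```c
#include <stdint.h>
#include <stdio.h>

/* A stack word is either an immediate or a gadget address. A union keeps the
 * emulator portable; on a real machine both are just 8-byte words on the stack. */
typedef struct cpu cpu_t;
typedef void (*gadget_t)(cpu_t *);
typedef union word { uint64_t imm; gadget_t gadget; } word_t;

struct cpu {
    uint64_t rax, rbx;      /* two registers the gadgets operate on */
    const word_t *sp;       /* stack pointer: the read head of the machine */
    uint64_t mem[4];        /* tiny data memory; "addresses" are indices, masked to stay in bounds */
    int halted;
};

/* Gadgets. Each is the body of a short instruction sequence that ends in ret;
 * the ret is modelled by returning to run(), which pops the next address. */
static void pop_rax(cpu_t *c)     { c->rax = c->sp++->imm; }          /* pop rax ; ret        */
static void pop_rbx(cpu_t *c)     { c->rbx = c->sp++->imm; }          /* pop rbx ; ret        */
static void load_rax(cpu_t *c)    { c->rax = c->mem[c->rax & 3]; }    /* mov rax,[rax] ; ret  */
static void load_rbx(cpu_t *c)    { c->rbx = c->mem[c->rbx & 3]; }    /* mov rbx,[rbx] ; ret  */
static void add_rax_rbx(cpu_t *c) { c->rax += c->rbx; }               /* add rax,rbx ; ret    */
static void store_rax(cpu_t *c)   { c->mem[c->rbx & 3] = c->rax; }    /* mov [rbx],rax ; ret  */
static void halt(cpu_t *c)        { c->halted = 1; }                  /* e.g. a final syscall */

/* The finite state machine: "ret" pops the next gadget address from the stack
 * and transfers control to it, until a gadget halts the machine. */
static void run(cpu_t *c, const word_t *chain)
{
    c->sp = chain;                       /* hijacked return address / stack pivot lands here */
    while (!c->halted) {
        gadget_t g = c->sp++->gadget;    /* ret: pop the next gadget address */
        g(c);                            /* execute the gadget up to its own ret */
    }
}

/* The program: a ROP chain that computes mem[2] = mem[0] + mem[1] using only
 * the LOAD / ADD / STORE gadgets above. */
uint64_t rop_add(uint64_t a, uint64_t b)
{
    cpu_t c = {0};
    c.mem[0] = a;
    c.mem[1] = b;
    const word_t chain[] = {
        { .gadget = pop_rax },  { .imm = 0 },   /* rax = &mem[0]       */
        { .gadget = load_rax },                 /* rax = mem[0]        */
        { .gadget = pop_rbx },  { .imm = 1 },   /* rbx = &mem[1]       */
        { .gadget = load_rbx },                 /* rbx = mem[1]        */
        { .gadget = add_rax_rbx },              /* rax = a + b         */
        { .gadget = pop_rbx },  { .imm = 2 },   /* rbx = &mem[2]       */
        { .gadget = store_rax },                /* mem[2] = rax        */
        { .gadget = halt },
    };
    run(&c, chain);
    return c.mem[2];
}

int main(void)
{
    printf("74 + 612 = %llu\n", (unsigned long long)rop_add(74, 612));
    return 0;
}
```

The point of the emulator is that nothing in run() knows what the program does: the state is entirely SP, and the "instructions" are data words the attacker wrote onto the stack, which is why a defence that only validates the first hijacked return address does not stop the rest of the chain.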

For Simplicity, Code Reuse Attack Using ROP

László Szekeres et al., "Eternal War in Memory"

[Figure from the paper: the path from a memory error (stack overflow, use-after-free, and others, not only these two) to ROP. The figure does not show SMEP.]

Modify a Code Pointer …

• Code pointer
– Stack overflow overwrites the saved return address (the value loaded into EIP). Once the ret instruction is executed, the execution flow is redirected.
– Heap overflow overwrites a function pointer with an address that points to a stack pivot gadget. Once the overwritten function pointer is used by the application, the execution flow is redirected.
– Enrique Nissim et al., "Windows SMEP Bypass U=S" (!)
– …

Just-In-Time ROP

Kevin Z. Snow et al., "Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization"

[Figure: ROP versus ASLR. The JIT-ROP pipeline: define the ROP semantics (load/store/…), automatically find gadgets in the code pages disclosed at runtime, and hand the ROP gadgets to a ROP compiler.]

Just-in-time ROP compiler: bypassing ASLR

Initial code pointer: a single disclosed code pointer is the starting point for reading the victim's code pages and compiling the chain at runtime. A stack overflow (or another control-flow hijack) is still needed to execute the ROP payload.

[Figure: attacker and victim across the network; the attacker first obtains the initial code pointer from the victim.]

(Supplement by kuku)
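The automated gadget search step of the pipeline above, as an added example (constructed here, not the JIT-ROP authors' code): once a disclosed code page is in hand, this scans its raw bytes for x86-64 "pop reg; ret" sequences, including unintended ones that sit inside longer instructions. The sample byte string standing in for a disclosed page and the function names (find_pop_ret_gadgets and the sample_* helpers) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct gadget {
    size_t offset;   /* byte offset of the gadget's first instruction */
    int reg;         /* register number 0..15 popped before the ret */
};

static const char *const reg64[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
};

/* Scan x86-64 code bytes for "pop reg; ret": a ret (C3) preceded by 58+r
 * (pop rax..rdi) or by REX.B 41 58+r (pop r8..r15). Every C3 byte is
 * considered, even one inside a longer instruction, because the CPU will
 * execute such an unintended sequence when control lands mid-instruction.
 * Returns the number of gadgets stored in out (at most max_out). */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len,
                            struct gadget *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 1; i < len && found < max_out; i++) {
        if (code[i] != 0xC3)
            continue;
        uint8_t op = code[i - 1];
        if (op < 0x58 || op > 0x5F)
            continue;
        struct gadget g = { i - 1, op - 0x58 };
        if (i >= 2 && code[i - 2] == 0x41) {   /* REX.B prefix: r8..r15 */
            g.offset = i - 2;
            g.reg += 8;
        }
        out[found++] = g;
    }
    return found;
}

/* Constructed sample standing in for a disclosed code page (not real binary data). */
static const uint8_t sample_code[] = {
    0x55,                   /* push rbp                   */
    0x48, 0x89, 0xE5,       /* mov  rbp, rsp              */
    0x5D,                   /* pop  rbp   <- gadget at 4  */
    0xC3,                   /* ret                        */
    0x58,                   /* pop  rax   <- gadget at 6  */
    0xC3,                   /* ret                        */
    0x41, 0x5E,             /* pop  r14   <- gadget at 8  */
    0xC3,                   /* ret                        */
    0x90,                   /* nop                        */
};

/* Helpers exposing the scan result on the sample page. */
size_t sample_gadget_count(void)
{
    struct gadget g[8];
    return find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 8);
}

int sample_gadget_reg(size_t idx)
{
    struct gadget g[8];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 8);
    return idx < n ? g[idx].reg : -1;
}

size_t sample_gadget_offset(size_t idx)
{
    struct gadget g[8];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 8);
    return idx < n ? g[idx].offset : (size_t)-1;
}

int main(void)
{
    struct gadget g[8];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code, g, 8);
    for (size_t i = 0; i < n; i++)
        printf("0x%02zx: pop %s ; ret\n", g[i].offset, reg64[g[i].reg]);
    return 0;
}
```

A real JIT-ROP compiler disassembles backwards from each ret to recover longer gadgets and their side effects; this byte-pattern scan is the minimal version, and it is enough to show why fine-grained ASLR alone does not help once the attacker can read the pages.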

Research on Code Reuse Attacks to Break Defenses

• The different FSMs
• The different gadgets

Code Reuse Attacks

• Jump-oriented programming
• Loop-oriented programming
• Interrupt-oriented programming
• Data-oriented programming
• …

Jump-oriented Programming

Tyler Bletsch et al., "Jump-Oriented Programming: A New Class of Code-Reuse Attack"

• Bypassing ret integrity (gadgets end in indirect jmp, sequenced by a dispatcher gadget, so no ret is executed)
• Stackless

Loop-oriented (call-ret-pairing) Programming

• Bypassing CFI and shadow stack

Interrupt-oriented Programming

Samuel Junjie Tan et al., "Interrupt-oriented Bugdoor Programming: A minimalist approach to bugdooring embedded systems firmware"

IOP Setup

Timings are precise enough

[Table from László Szekeres et al., "Eternal War in Memory".]

Data-oriented programming

Assumes the data addresses are already known.

Data-oriented Exploit

Hong Hu et al., "Automatic Generation of Data-Oriented Exploits"


Data-oriented Exploits are Turing-complete

Hong Hu et al., "Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks"

• The data consumed by the interpreter is inherently under the remote attacker's control
• For example, with a stack overflow, all local variables in the overflowed frame are under the attacker's control

The Concept of Data-oriented Programming

Vulnerable FTP server with data-oriented gadgets

Data-oriented Programming

A data-oriented gadget simulates three logical micro-operations:
• the load micro-operation
• the intended virtual operation's semantics
• the store micro-operation

The Evil interpreter

Data-oriented gadget of the assignment operation

Computing 74 + 612 with DOP

Round 1: *type is corrupted to a value that is neither NONE nor STREAM; assume *type = 74. Assume srv is corrupted so that srv + 0x8 (srv->type) equals size. Executing the assignment gadget then gives *size = 74, and executing the addition gadget has no useful effect.

Round 2: *type is again neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted to srv - 0x4, so that (srv - 0x4) + 0x8 (srv->type) equals srv + 0x4 (srv->total). Executing the assignment gadget then gives srv->total = 612, and executing the addition gadget has no useful effect.

Round 3: *type is still neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted back to (srv - 0x4) + 0x4, i.e. the original srv. Executing the assignment gadget now has no useful effect, while the addition gadget computes 612 + 74 and stores the result in srv->total.
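The three rounds above, as an added example (a constructed re-implementation, not the paper's code and not the slide author's): a loop modelled on the DOP paper's FTP-server figure, a stack frame laid out so that the overflow reaches srv, and an attacker chain that drives the assignment and addition gadgets to compute a + b without executing any injected or reused code. The frame layout, the readData() model (a whole-frame memcpy), the function names (dop_add, make_packet) and the use of int for cur_max (to keep the slide's offsets 0x4 and 0x8 on 64-bit hosts) are assumptions; the slides call the third field srv->type, the paper calls it typ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONE    0
#define STREAM  1
#define MAXLEN  16
#define MAXCONN 8

/* Server state. cur_max is an int here (the paper uses int *) so that total
 * is at srv+0x4 and typ at srv+0x8 on 64-bit hosts too, as on the slides. */
struct server { int cur_max; int total; int typ; };

/* The vulnerable function's stack frame as the overflow sees it: buf first,
 * then the pointer variables that an over-long read overwrites. Constructed
 * layout; a real compiler may order locals differently. */
struct frame {
    char buf[MAXLEN];
    int *size;
    int *type;
    struct server *srv;
};

/* One attacker message: exactly the bytes readData() copies over the frame. */
struct packet { unsigned char bytes[sizeof(struct frame)]; };

/* Build a message that sets *size and *type inside buf, keeps the size/type
 * pointers intact and replaces srv with srv_fake. The attacker is assumed to
 * know the data addresses already (the slides' assumption). */
static struct packet make_packet(const struct frame *f, int size_val,
                                 int type_val, struct server *srv_fake)
{
    struct frame img;
    struct packet p;
    memcpy(&img, f, sizeof img);
    memcpy(img.buf + 8,  &size_val, sizeof size_val);   /* *size lives at buf[8..11]  */
    memcpy(img.buf + 12, &type_val, sizeof type_val);   /* *type lives at buf[12..15] */
    img.srv = srv_fake;
    memcpy(p.bytes, &img, sizeof img);
    return p;
}

/* The stack overflow: readData() copies more than MAXLEN bytes into buf, so
 * the tail of the message lands on size, type and srv. */
static void readData(struct frame *f, const struct packet *p)
{
    memcpy(f, p->bytes, sizeof *f);
}

/* Run the server loop on an attacker-supplied chain and return srv->total.
 * The loop is the interpreter; each message selects a gadget via *type and
 * parameterises it via the corrupted srv. Operands must differ from NONE and
 * STREAM, otherwise the loop exits or takes the STREAM branch instead. */
int dop_add(int a, int b)
{
    if (a == NONE || a == STREAM || b == NONE || b == STREAM)
        return -1;

    /* The real server object, with one int of padding in front of it so that
     * "srv - 0x4" is still a valid address inside an object we own. */
    struct { int pad; struct server s; } box = { 0, { 0, 0, 0 } };
    struct server *real = &box.s;

    struct frame f;
    memset(&f, 0, sizeof f);
    f.size = (int *)(f.buf + 8);
    f.type = (int *)(f.buf + 12);
    f.srv  = real;

    /* Fake srv with srv + 0x8 == size, so srv->typ overlaps *size (== f.buf). */
    struct server *srv_on_size =
        (struct server *)(f.buf + 8 - offsetof(struct server, typ));
    /* Fake srv = srv - 0x4, so (srv - 0x4)->typ is the real srv->total. */
    struct server *srv_minus_4 = (struct server *)&box.pad;

    const struct packet chain[] = {
        /* round 1: assignment gadget srv->typ = *type writes a into *size */
        make_packet(&f, 0, a, srv_on_size),
        /* round 2: assignment gadget writes b into srv->total. buf is
         * rewritten by every read, so the message re-supplies a in *size. */
        make_packet(&f, a, b, srv_minus_4),
        /* round 3: srv restored; addition gadget does srv->total += *size */
        make_packet(&f, a, b, real),
        /* *type == NONE terminates the interpreter */
        make_packet(&f, 0, NONE, real),
    };

    int connect_limit = MAXCONN;
    size_t n = 0;
    while (connect_limit-- && n < sizeof chain / sizeof chain[0]) {
        readData(&f, &chain[n++]);        /* stack overflow */
        if (*f.type == NONE) break;
        if (*f.type == STREAM)            /* condition */
            *f.size = *f.type;            /* assignment */
        else {
            f.srv->typ = *f.type;         /* assignment gadget */
            f.srv->total += *f.size;      /* addition gadget */
        }
    }
    return real->total;
}

int main(void)
{
    printf("74 + 612 = %d\n", dop_add(74, 612));
    return 0;
}
```

Control flow never leaves the program's own loop, so CFI, shadow stacks and non-executable memory see nothing wrong; the only things that changed are the values and pointers the loop already trusts, which is the DOP argument in one function.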

Reference

• https://www.trust.cased.de/fileadmin/user_upload/Group_TRUST/PubsPDF/blackhat-2013-jitrop.pdf
• http://www.ieee-security.org/TC/SP2013/papers/4977a574.pdf
• https://nebelwelt.net/publications/files/14SP.pdf
• https://www.csc.ncsu.edu/faculty/jiang/pubs/ASIACCS11.pdf
• http://tcipg.org/sites/default/files/papers/2014_q3_tfs1.pdf
• https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_hu_0.pdf
• http://huhong-nus.github.io/advanced-DOP/
• https://www.ics.uci.edu/~perl/keynote_sadeghi_runtime_exploits.pdf
