Defeating Memory Corruption Attacks via Pointer Taintedness Detection

Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer †

‡ Department of Computer Science, North Carolina State University, U.S.A.
† Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, U.S.A.

IEEE International Conference on Dependable Systems and Networks, Yokohama, Japan, June 30, 2005
Page 1: Defeating Memory Corruption Attacks via Pointer Taintedness Detection Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer † ‡

Defeating Memory Corruption Attacks via Pointer Taintedness Detection

Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer †

‡ Department of Computer Science, North Carolina State University, U.S.A.

† Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, U.S.A.

IEEE International Conference on Dependable Systems and Networks, Yokohama, Japan, June 30, 2005

Page 2

Introduction

- Memory corruption attacks: a major threat on the Internet
- Current dominant form: control-data attacks

Our contributions:
- Non-control-data attacks are realistic
- A more general observation: pointer taintedness
- A new architecture for detection

Page 3

Outline

- Non-control-Data Attacks
- The Concept of Tainted Pointers
- Processor Architecture for Pointer Taintedness Detection
- Experimental Evaluation
- Conclusion

Page 4

Control-Data Attack

- Control-data attack, a.k.a. control hijacking or code-injection attack: the dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin]
- Control data (code pointers): data used as targets of call, return and jump; widely understood as security-critical data
- Many existing defenses enforce security via control-data integrity

Page 5

Control-Data Attack – An Example

WU-FTPD format string attack (diagram). Server control flow:

  Authentication; x = user ID
  repeat
      get an FTP command
      FTP_service()
          seteuid(x)
          SITE_EXEC(fmt)
              printf(fmt, ...)

Attack steps: embed malicious contents in the input; the format string overwrites a return address; malicious code executes: seteuid(0); exec("/bin/sh")

Page 6

Non-Control-Data Attack: A Realistic Threat

- Non-control data: everything that is not control data (code pointers); these attacks corrupt application-specific data
- Has not been seriously considered
- We constructed non-control-data attacks against a number of real-world applications
  - Equivalent security compromise to control-data attacks
  - Root privilege on HTTP, SSH, Telnet and FTP servers
  - Corrupting user identity data, configuration data, user input data and decision-making data
  - Will appear in USENIX Security Symposium, Aug 2005

Page 7

Non-Control-Data Attack – An Example

WU-FTPD format string attack (diagram). Same server control flow as page 5:

  Authentication; x = user ID
  repeat
      get an FTP command
      FTP_service()
          seteuid(x)
          SITE_EXEC(fmt)
              printf(fmt, ...)

  getdatasock( ... ) {
      seteuid(0);
      setsockopt( ... );
      seteuid(x);
  }

Attack steps: embed malicious contents in the input; the format string overwrites x (the saved user ID) instead of a code pointer, so the seteuid(x) in getdatasock() no longer drops privilege and the server keeps root (page 25).

Page 8

More Non-Control-Data Attacks

- Against NULL HTTP server: corrupt the configuration string of the CGI-BIN path; run /bin/sh as a CGI program
- Against SSH Communications SSH server: corrupt a Boolean; log in as root with an arbitrary password
- Against GazTek HTTP server: corrupt user URL input; run /bin/sh as a CGI program

New threat calling for new defense: how can we defeat both control-data and non-control-data attacks?

Page 9

Pointer Taintedness Detection

- Tainted pointers: code or data pointers derived from malicious user input
- Root cause of a large class of memory corruption attacks (control-data or non-control-data)
- Detection of tainted pointers defeats a large class of real-world memory attacks, e.g., stack smashing, format string, heap corruption, integer overflow

Page 10

Internals of Stack Buffer Overflow Attacks

Vulnerable code: char buf[100]; strcpy(buf, user_input);

Stack layout (figure; the stack grows from high to low addresses):

  High  | Return addr   |
        | Frame pointer |
        | buf[99]       |
        | ...           |  <- user_input is copied into buf from buf[0] upward
        | buf[1]        |
  Low   | buf[0]        |

Frame pointer or return address can be tainted.

Page 11

Runtime Pointer Taintedness Detection

- A processor-architecture-level mechanism to detect pointer taintedness
- Implemented a taintedness-aware memory system: a one-bit extension for each byte indicates the taintedness of that byte
- Taintedness initialization: tag every byte of data received from external input sources
- Taintedness tracking: taintedness is propagated by ALU instructions
- Attack detection: when a tainted value is dereferenced (i.e., used as a pointer)
- Implemented on the SimpleScalar processor simulator

Page 12

ALU taintedness tracking logic (figure; only the labels survive extraction):

- Register file entries are 36 bits: 32 data bits plus 4 taintedness bits, one per byte
- Data memory stores each 8-bit byte with its taintedness bit; 36-bit load path and store path between the register file and memory
- Default propagation: bitwise OR of the operands' taintedness bits, with compare-specific, shift-specific, XOR-specific and AND-specific logic selected by opcode through a MUX
- Pipeline registers ID/EX, EX/MEM, MEM/WB
- Jump pointer taintedness detector: on jr, alert if the target register is tainted
- Data pointer taintedness detector: on load/store, alert if the address register is tainted
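The detection rules of pages 11 and 12 in working form, as an added software model that is not the authors' SimpleScalar implementation: a byte-tagged memory with one taintedness bit per byte, a register file carrying four taint bits per word, OR-propagation through ADD, and the two detectors on LW/SW and JR. The frame layout, register numbers and the 0x40 / 0x00400a00 addresses are invented for the illustration; the inputs are constructed to reproduce the tainted values of page 15's exp1 and exp3 cases.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256
#define NREGS 32
#define SP 29                       /* stack pointer register (MIPS numbering) */
#define RA 31                       /* return address register */

/* Simulated 36-bit register file and byte-tagged data memory, as drawn on page 12. */
typedef struct {
    uint8_t  mem[MEM_SIZE], mem_taint[MEM_SIZE];  /* one taintedness bit per byte */
    uint32_t reg[NREGS];
    uint8_t  reg_taint[NREGS];      /* 4 bits per register, one per byte of the word */
    int      alert;                 /* 1 once a tainted value has been dereferenced */
    char     reason[96];
} machine_t;
static machine_t m;

/* Taintedness initialization: tag every byte that arrives from an external source. */
static void external_input(uint32_t addr, const char *data, size_t len) {
    for (size_t i = 0; i < len && addr + i < MEM_SIZE; i++) {
        m.mem[addr + i] = (uint8_t)data[i];
        m.mem_taint[addr + i] = 1;
    }
}
/* Pointer taintedness detector: any taint bit on the register used as an address is an attack. */
static int pointer_ok(int rs, const char *insn) {
    if (m.reg_taint[rs] == 0) return 1;
    m.alert = 1;
    snprintf(m.reason, sizeof m.reason, "%s through tainted $%d = 0x%08" PRIx32, insn, rs, m.reg[rs]);
    return 0;
}
/* LW rd, off(rs): load a little-endian word together with its four taint bits. */
static void lw(int rd, int rs, int off) {
    uint32_t a = m.reg[rs] + (uint32_t)off;
    if (!pointer_ok(rs, "LW") || a + 4 > MEM_SIZE) return;
    m.reg[rd] = 0, m.reg_taint[rd] = 0;
    for (int i = 0; i < 4; i++) {
        m.reg[rd] |= (uint32_t)m.mem[a + i] << (8 * i);
        m.reg_taint[rd] |= (uint8_t)(m.mem_taint[a + i] << i);
    }
}
/* SW rt, off(rs): store a word and its taint bits through rs. */
static void sw(int rt, int rs, int off) {
    uint32_t a = m.reg[rs] + (uint32_t)off;
    if (!pointer_ok(rs, "SW") || a + 4 > MEM_SIZE) return;
    for (int i = 0; i < 4; i++) {
        m.mem[a + i] = (uint8_t)(m.reg[rt] >> (8 * i));
        m.mem_taint[a + i] = (m.reg_taint[rt] >> i) & 1;
    }
}
/* ADD rd, ra, rb: the default ALU rule, result taint = bitwise OR of the operand taints. */
static void add(int rd, int ra, int rb) {
    m.reg[rd] = m.reg[ra] + m.reg[rb];
    m.reg_taint[rd] = m.reg_taint[ra] | m.reg_taint[rb];
}
/* JR rs: jump-pointer taintedness detector; returns the target, or 0 after an alert. */
static uint32_t jr(int rs) { return pointer_ok(rs, "JR") ? m.reg[rs] : 0; }

/* Hypothetical frame (not from the paper): a 16-byte buf at $sp, the saved $ra right above it. */
#define BUF_OFF 0
#define RA_OFF 16
static void prologue(void) {
    memset(&m, 0, sizeof m);
    m.reg[SP] = 0x40;               /* untainted stack pointer */
    m.reg[RA] = 0x00400a00;         /* legitimate return address */
    sw(RA, SP, RA_OFF);             /* save $ra in the frame */
}
/* strcpy(buf, user_input) with no length check, then the epilogue and the return. */
static int run_return(const char *user_input) {
    prologue();
    external_input(m.reg[SP] + BUF_OFF, user_input, strlen(user_input));
    lw(RA, SP, RA_OFF);             /* epilogue reloads $ra, taint bits included */
    jr(RA);
    return m.alert;
}
/* Format-string style: a word taken from buf, plus an untainted offset, becomes a store address. */
static int run_store_through_input(void) {
    prologue();
    external_input(m.reg[SP] + BUF_OFF, "abcd", 4);
    lw(3, SP, BUF_OFF);             /* $3 = 0x64636261 with all four taint bits set */
    m.reg[4] = 8;                   /* untainted operand */
    add(5, 3, 4);                   /* $5 = 0x64636269 inherits the taint of $3 */
    m.reg[21] = 7;
    sw(21, 5, 0);
    return m.alert;
}
static uint32_t reg_value(int r) { return m.reg[r]; }

int main(void) {
    printf("benign return: alert=%d\n", run_return("hello"));
    printf("stack smash:   alert=%d (%s)\n", run_return("aaaaaaaaaa" "aaaaaaaaaa"), m.reason);
    printf("tainted store: alert=%d (%s)\n", run_store_through_input(), m.reason);
    return 0;
}
```

The five-byte input stays inside buf and the return proceeds without an alert; the twenty-byte input reaches the saved return address, so the reloaded $31 is 0x61616161 with all four taint bits set and JR raises the alert (page 15's exp1 outcome). The third run shows that taint survives the ALU: the address register is not the loaded word itself but that word plus an untainted 8, and SW still alerts.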

Page 13

Related Work on Taintedness

- Perl security
- Shankar and Wagner (2001): static analysis to uncover format string vulnerabilities
- Our previous work on pointer taintedness (Aug. 2004): a source code analysis technique to uncover pointer taintedness vulnerabilities; reasoning about taintedness at the machine code level, relying on an extended memory model
- More recent work: Secure Program Execution (MIT), Minos (UC Davis) and TaintCheck (CMU) (late 2004 and early 2005)
  - Similar memory model
  - Taintedness of control data
  - Pointer taintedness vs. control-data taintedness: cause vs. result of memory corruption

Page 14

Evaluation

- Attack detection effectiveness: synthetic vulnerable programs; real-world network applications
- Evaluation of false positives: real-world network applications; SPEC 2000 benchmarks
- Potential false negative scenarios

Page 15

Attack Detection Effectiveness

First, test on synthetic vulnerable programs. All attacks (control/non-control data) are detected.

Stack buffer overflow
  Vulnerable program:
    void exp1() {
        char buf[10];
        scanf("%s", buf);
    }
  Input data (network/console): aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  Violating instruction: 400a38: JR $31
  Tainted data: $31 = 0x61616161

Heap corruption attack
  Vulnerable program:
    void exp2() {
        char *buf;
        buf = malloc(8);
        scanf("%s", buf);
        free(buf);
    }
  Input data (network/console): aaaaaaaaaaaaaaaaaaaaaaaaaa
  Violating instruction: 401dc0: LW $3,0($3)
  Tainted data: $3 = 0x61616161

Format string attack
  Vulnerable program:
    void exp3(int s) {
        char buf[100];
        recv(s, buf, 100, 0);
        printf(buf);
    }
  Input data (network/console): abcd%x%x%x%n
  Violating instruction: 402d60: SW $21,0($3)
  Tainted data: $3 = 0x64636261

Page 16

Attack Detection Effectiveness (cont.)

Evaluation on real-world network applications. All attacks are detected. There is no difference between a control-data attack and a non-control-data attack from the viewpoint of pointer taintedness.

  Application         Attack                   Corrupted data                          Result
  WU-FTP server       Format string attack     User identity data (non-control data)   detected
  GazTek HTTP server  Stack buffer overflow    User input data (non-control data)      detected
  NULL HTTP server    Heap corruption attack   Configuration data (non-control data)   detected
  traceroute          Double free              Function pointer (control data)         detected

Page 17

Transparency and False Positives

- No need for re-compilation; runs existing binary executables
- Results from network applications: no false positives
- Results from SPEC benchmarks: 15 billion instructions without any false positive
- Conclusion: no known false positive

  Benchmark   Program size   Total input bytes   Total instructions   Alert generated?
  BZIP2       321KB          1048KB              5,951M               No
  GCC         4184KB         77.7KB              110M                 No
  GZIP        485KB          282KB               6,926M               No
  MCF         304KB          39.2KB              1,653M               No
  PARSER      595KB          743.0KB             389M                 No
  VPR         697KB          6.4KB               108M                 No
  Total       6586KB         2186KB              15,139M              No

Page 18

Potential False Negative Scenarios

- Incorrect array index boundary check: determining the correct array size requires source code analysis, which is very hard at the binary level
- Buffer overflow within the local frame: if no pointer is tainted, no alert is raised; unlikely to cause severe security damage because the attacker-controllable location is very limited
- Format string attack causing information leak: allows inspection of some memory data words; causes security compromises if these words contain security-critical secrets, e.g., keys and passwords

Page 19

Integer Overflow Induced Array Index Out of Bound

  void foo(unsigned int ui) {
      int i = ui;
      if (i >= ArraySize)
          i = ArraySize - 1;
      array[i] = 1;
  }
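Why foo() lets a negative index through, and what the corrected check looks like, as an added illustration that is not from the paper: the clamp is evaluated on a signed copy of ui, so any argument of 2^31 or more is negative as an int, compares below ArraySize and reaches array[i] with a negative index. ARRAY_SIZE and the probe inputs are constructed for the example, and nothing here writes out of bounds: the functions only report the index the check would let through, and the one store that does happen is bounds-checked first.

```c
#include <stdio.h>

#define ARRAY_SIZE 16   /* stands in for the slide's ArraySize */

/* Index the slide's foo() would use. The bound is checked on a signed copy, so
 * ui >= 2^31 becomes a negative int (implementation-defined, two's complement on
 * every mainstream compiler) and passes "i >= ARRAY_SIZE" untouched. */
static long index_as_in_foo(unsigned int ui)
{
    int i = (int)ui;
    if (i >= ARRAY_SIZE)
        i = ARRAY_SIZE - 1;
    return i;                        /* may be negative: the check never looked */
}

/* Corrected: clamp while the value is still unsigned, so no result can be negative. */
static long index_fixed(unsigned int ui)
{
    if (ui >= ARRAY_SIZE)
        ui = ARRAY_SIZE - 1;
    return (long)ui;
}

static int in_bounds(long i)
{
    return i >= 0 && i < ARRAY_SIZE;
}

/* array[i] = 1 guarded by an explicit range check; returns 1 if the write happened. */
static int store_if_safe(int array[ARRAY_SIZE], long (*pick)(unsigned int), unsigned int ui)
{
    long i = pick(ui);
    if (!in_bounds(i))
        return 0;
    array[i] = 1;
    return 1;
}

int main(void)
{
    static int array[ARRAY_SIZE];
    unsigned int probes[] = { 5u, 100u, 0x80000000u, 0xFFFFFFFFu };   /* constructed inputs */
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        unsigned int ui = probes[k];
        long bad = index_as_in_foo(ui);
        printf("ui=0x%08x  foo: i=%ld (%s)  fixed: i=%ld  stored=%d\n", ui, bad,
               in_bounds(bad) ? "in bounds" : "OUT OF BOUNDS", index_fixed(ui),
               store_if_safe(array, index_as_in_foo, ui));
    }
    return 0;
}
```

The two large probes are the interesting ones: 0xFFFFFFFF becomes i = -1 and 0x80000000 becomes INT_MIN, both of which the original check accepts, while the unsigned clamp maps both to ARRAY_SIZE - 1.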

Page 20

Buffer Overflow Causing Critical Flags to Be Corrupted

  void bar() {
      int auth;
      char buf[100];
      auth = do_auth();
      scanf("%s", buf);
      if (auth) grant_access();
  }

Page 21

Format String Attack Causing Information Leak

  void leak(int s) {
      int secret_key;
      char buf[12];
      recv(s, buf, 12, 0);
      printf(buf);
  }

Input: "%x%x%x%x"

Page 22

Conclusions

Contributions:
- Non-control-data attack is a realistic threat
- Memory corruption attacks, including control-data attacks and non-control-data attacks, are due to pointer taintedness
- Proposed a runtime pointer taintedness detection architecture: a substantial improvement in security coverage

Evaluation:
- Transparent to existing applications
- A near-zero false positive rate

We plan to implement this approach in the hardware framework for detection and recovery.

Page 23

Questions?

Page 24

Another Motivating Example

NULL-HTTPD heap corruption attack (diagram). Server control flow:

  repeat
      HTTP_service()
          HTTP_POST()
              process HTTP header; p = malloc(...)
              recv(p, ...)
              free(p)
              *foo()

Attack steps: recv(p, ...) corrupts the heap structure; free(p) then overwrites the function pointer foo; the call through *foo() executes malicious code: seteuid(0); exec("/bin/sh")

Page 25

Non-Control-Data Attack against WU-FTP Server

  int x;

  site_exec() {
      /* a format string vulnerability */
  }

  getdatasock( ... ) {
      seteuid(0);
      setsockopt( ... );
      seteuid(x);
  }

Overwrite the integer x representing the user ID to obtain the root privilege of the server.

Page 26

Internals of Format String Attack

Vulnerable code: recv(buf); printf(buf); /* should be printf("%s", buf) */

In vfprintf(), if fmt points to "%n" then **ap = (character count), where ap is the argument pointer and fmt is the format string pointer.

Input: \xdd \xcc \xbb \xaa %d %d %d %n

Stack layout (figure; the stack grows from high to low addresses):

  High  | ...        |
        | %n         |
        | %d         |
        | %d         |
        | %d         |
        | 0xaabbccdd |  <- buf; fmt points here
  Low   | ...        |  <- ap starts below buf and moves up one word per %d

The %d conversions advance ap up the stack until it points into buf, at the attacker-supplied 0xaabbccdd; %n then stores the character count through that address.

*ap is a tainted value.
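The walk of ap up the stack in this figure, and the %x leak of page 21, as an added C model that is not from the paper: the stack is a small array of words (constructed), printf's argument pointer starts at the callee's own words below the buffer, every %d or %x consumes one word, and %n takes the word under ap as the destination address. No real printf is ever given attacker-controlled input, and nothing is written through the address; the model only reports where the write would land and which words %x would disclose. The callee's three filler words and the fixed print width of 8 characters are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 8
#define CALLEE_WORDS 3        /* words of printf's caller that sit below buf (assumed) */

/* Simulated stack for the figure on page 26: index 0 is the lowest address, where
 * the argument pointer ap starts; buf begins at word CALLEE_WORDS. */
typedef struct {
    uint32_t words[STACK_WORDS];
    int      ap;                   /* index of the word the next %d/%x/%n will take */
    int      chars;                /* characters produced so far: the value %n stores */
    uint32_t leaked[STACK_WORDS];  /* words disclosed by %x (page 21's information leak) */
    int      nleaked;
    uint32_t n_target;             /* the address %n wrote through, 0 if %n was not reached */
    int      n_target_in_buf;      /* 1 if that address came out of the attacker's bytes */
} fmt_walk_t;
static fmt_walk_t s;

/* Lay out the frame: three stand-in locals (think secret_key), then buf's bytes,
 * little-endian, from word CALLEE_WORDS upward. */
static void build_frame(const char *buf)
{
    memset(&s, 0, sizeof s);
    s.words[0] = 0x11111111; s.words[1] = 0x22222222; s.words[2] = 0x33333333;
    size_t len = strlen(buf);
    for (size_t i = 0; i < len && CALLEE_WORDS * 4 + i < STACK_WORDS * 4; i++)
        s.words[CALLEE_WORDS + i / 4] |= (uint32_t)(uint8_t)buf[i] << (8 * (i % 4));
}

/* Walk fmt as vfprintf would: ordinary characters count as printed, %d and %x each
 * consume one stack word, and %n uses the word under ap as the pointer **ap. */
static void walk_format(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { s.chars++; continue; }
        char conv = *++p;
        if (conv == '%') { s.chars++; continue; }
        if (conv == '\0' || s.ap >= STACK_WORDS) return;
        uint32_t arg = s.words[s.ap++];
        if (conv == 'd' || conv == 'x') {
            s.chars += 8;                       /* fixed print width, an assumption */
            if (conv == 'x') s.leaked[s.nleaked++] = arg;
        } else if (conv == 'n') {
            s.n_target = arg;                   /* **ap = chars would write here */
            s.n_target_in_buf = (s.ap - 1 >= CALLEE_WORDS);
            return;
        }
    }
}

/* Page 26's input. Returns the address %n would write to. */
static uint32_t run_n_attack(void)
{
    const char *buf = "\xdd\xcc\xbb\xaa%d%d%d%n";
    build_frame(buf);
    walk_format(buf);
    return s.n_target;
}

/* Page 21's input. Returns how many stack words %x disclosed. */
static int run_leak(void)
{
    const char *buf = "%x%x%x%x";
    build_frame(buf);
    walk_format(buf);
    return s.nleaked;
}

static uint32_t leaked_word(int i) { return s.leaked[i]; }
static int n_count(void) { return s.chars; }
static int n_target_in_buf(void) { return s.n_target_in_buf; }

int main(void)
{
    uint32_t t = run_n_attack();
    printf("%%n stores %d through 0x%08lx (address taken from the attacker's bytes: %d)\n",
           n_count(), (unsigned long)t, n_target_in_buf());
    int n = run_leak();
    for (int i = 0; i < n; i++)
        printf("%%x leaked stack word %d: 0x%08lx\n", i, (unsigned long)leaked_word(i));
    return 0;
}
```

Three %d conversions consume the three callee words, so the fourth argument slot is the first word of buf, 0xaabbccdd, and that is the pointer %n dereferences. With "%x%x%x%x" the same walk discloses the callee words one by one, which is the page 21 leak with 0x33333333 standing in for secret_key.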

Page 27

Future Directions

- Combination of static code analysis and architecture support: automatically derive predicates to be checked by the processor at runtime
- Reliability and security support for embedded systems: migrate our current techniques to embedded systems; new topics: cell phone viruses, reduced power consumption, tamper-resistant hardware, crypto and authentication hardware/software

Page 28

Pie chart (untitled on this page; only the slice labels survive extraction):

  Buffer Overflow     44%
  Other               33%
  Heap Corruption      8%
  Format String        7%
  Integer Overflow     6%
  Globbing             2%