Defeating Memory Corruption Attacks via Pointer Taintedness Detection

Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk † and Ravi K. Iyer †

† Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, U.S.A.
‡ Department of Computer Science, North Carolina State University, U.S.A.

IEEE International Conference on Dependable Systems and Networks, Yokohama, Japan, June 30, 2005
Introduction

Memory corruption attack
- Major threat of the Internet
- Current dominant form: control data attack

Our contributions
- Non-control data attacks are realistic
- More general observation: pointer taintedness
- A new architecture for detection
Outline
- Non-control Data Attacks
- The Concept of Tainted Pointers
- Processor Architecture for Pointer Taintedness Detection
- Experimental Evaluation
- Conclusion
Control Data Attack

Control data attack
- a.k.a. control hijacking or code-injection attack
- Dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin]

Control data (code pointers)
- Data used as targets of call, return and jump
- Widely understood as security-critical data

Many existing defenses: enforce security via control data integrity
Control Data Attack – An Example

WU-FTPD format string attack

Figure: the FTP server's service loop with the attack annotated (only the labels survive in this copy).

  repeat
    get an FTP command
    Authentication; x = user ID
    FTP_service()
      seteuid(x)
      SITE_EXEC(fmt)
        printf(fmt, …)

  Attack steps: embed malicious contents in input -> overwrite a return address -> execute malicious code: seteuid(0); exec("/bin/sh")
Non-Control-Data Attack: A Realistic Threat

Non-control data: data other than control data (code pointers); these attacks corrupt application-specific data
- Not been seriously considered
- We constructed non-control-data attacks against a number of real-world applications
  - Equivalent security compromise as control data attacks
  - Root privilege on HTTP, SSH, Telnet and FTP servers
  - Corrupting user identity data, configuration data, user input data, and decision-making data
- Will appear in USENIX Security Symposium, Aug 2005
Non-Control Data Attack – An Example

WU-FTPD format string attack (figure not preserved in this copy)

More Non-Control-Data Attacks
- Against NULL HTTP server: corrupt the configuration string of the CGI-BIN path; run /bin/sh as a CGI program
- Against SSH Communications SSH server: corrupt a Boolean; log in as root with an arbitrary password
- Against GazTek HTTP server: corrupt user URL input; run /bin/sh as a CGI program

New threat calling for new defense
- How can we defeat both control-data and non-control-data
The Concept of Tainted Pointers

Tainted pointers: code or data pointers derived from malicious user input
- Root cause of a large class of memory corruption attacks (control-data or non-control-data)

Detection of tainted pointers
- Defeats a large class of real-world memory attacks, e.g., stack smashing, format string, heap corruption, integer overflow
Internals of Stack Buffer Overflow Attacks (figure not preserved in this copy)

Processor Architecture for Pointer Taintedness Detection

A processor architectural level mechanism to detect pointer taintedness
- Implemented a taintedness-aware memory system: a one-bit extension for each byte indicates the taintedness of the byte
- Taintedness initialization: tag every byte of data received from external input sources
- Taintedness tracking: taintedness is propagated by ALU instructions
- Attack detection: when a tainted value is dereferenced (i.e., used as a pointer)
- Implemented on the SimpleScalar processor simulator
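The three mechanisms above (initialization, tracking, detection) are easy to see in a small software model. The following is an added example written for this page, not the authors' SimpleScalar implementation: it keeps one taint bit per byte of a 64-byte simulated memory, tags bytes that arrive from a constructed "network" input, propagates taint through an ALU add as the bitwise OR of the operands' taint bits, and raises an alert when a load, store or register jump uses a tainted address. The memory layout (a 16-byte buffer directly below a saved pointer) and the input bytes are constructed for the demonstration; the figure's opcode-specific refinements for compare, shift, XOR and AND are not modeled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64

/* A register value: 32 data bits plus 4 taintedness bits (bit i covers byte i). */
typedef struct {
    uint32_t value;
    uint8_t  taint;
} word_t;

static uint8_t mem[MEM_SIZE];        /* simulated byte-addressed data memory */
static uint8_t mem_taint[MEM_SIZE];  /* the one-bit taintedness extension per byte */
static int alerts;                   /* alerts raised by the two detectors */

static void mem_reset(void) {
    memset(mem, 0, sizeof mem);
    memset(mem_taint, 0, sizeof mem_taint);
    alerts = 0;
}

/* Taintedness initialization: bytes from an external input source are tagged as written. */
static void receive_input(uint32_t dst, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len && dst + i < MEM_SIZE; i++) {
        mem[dst + i] = data[i];
        mem_taint[dst + i] = 1;
    }
}

/* Data pointer taintedness detector: a load/store address must be untainted. */
static int check_data_pointer(word_t addr) {
    if (addr.taint) { alerts++; return 0; }
    return addr.value + 4 <= MEM_SIZE;
}

/* Load a little-endian word; its taint bits are the four bytes' tags. */
static word_t load_word(word_t addr) {
    word_t w = {0, 0};
    if (!check_data_pointer(addr)) return w;
    for (uint32_t i = 0; i < 4; i++) {
        w.value |= (uint32_t)mem[addr.value + i] << (8 * i);
        w.taint |= (uint8_t)(mem_taint[addr.value + i] << i);
    }
    return w;
}

static void store_word(word_t addr, word_t w) {
    if (!check_data_pointer(addr)) return;
    for (uint32_t i = 0; i < 4; i++) {
        mem[addr.value + i] = (uint8_t)(w.value >> (8 * i));
        mem_taint[addr.value + i] = (uint8_t)((w.taint >> i) & 1);
    }
}

/* Taintedness tracking: the ALU result inherits the OR of its operands' taint bits. */
word_t alu_add(word_t a, word_t b) {
    word_t r = {a.value + b.value, (uint8_t)(a.taint | b.taint)};
    return r;
}

/* Jump pointer taintedness detector: a jump-register target must be untainted. */
int jump_register(word_t target) {
    if (target.taint) { alerts++; return 0; }
    return 1;
}

/* Constructed layout: a 16-byte buffer at address 0 sits directly below a saved
 * data pointer at address 16. Twenty input bytes overflow the buffer and replace
 * the pointer with tainted bytes; the next dereference is caught. */
int scenario_overflow_then_deref(void) {
    word_t ptr_slot = {16, 0}, good_ptr = {32, 0};
    uint8_t input[20];
    mem_reset();
    store_word(ptr_slot, good_ptr);
    memset(input, 'A', 16);
    input[16] = 0x30; input[17] = 0; input[18] = 0; input[19] = 0;  /* land on the pointer slot */
    receive_input(0, input, sizeof input);
    load_word(load_word(ptr_slot));          /* the pointer is now tainted: alert */
    return alerts;
}

/* Same layout, input fits the buffer: the pointer stays clean and no alert fires. */
int scenario_benign_copy(void) {
    word_t ptr_slot = {16, 0}, good_ptr = {32, 0};
    uint8_t input[16];
    mem_reset();
    store_word(ptr_slot, good_ptr);
    memset(input, 'A', sizeof input);
    receive_input(0, input, sizeof input);
    load_word(load_word(ptr_slot));
    return alerts;
}

int main(void) {
    printf("overflow scenario: %d alert(s)\n", scenario_overflow_then_deref());
    printf("benign scenario:   %d alert(s)\n", scenario_benign_copy());
    return 0;
}
```

Note how the benign copy and the overflow differ only in input length: the detector never inspects the buffer write itself, it fires when the tainted word is later used as an address, which is why the slides describe the check as transparent to what the program does with its data until a dereference happens.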
Figure: ALU taintedness tracking logic (pipeline diagram; only the labels survive in this copy). The register file and data memory hold 36-bit words: a 32-bit data word plus 4 taintedness bits, one per 8-bit byte. Across the ID/EX, EX/MEM and MEM/WB stages the ALU computes the result's taintedness as the bitwise OR of the operand taintedness bits, with opcode-specific logic for compare, shift, XOR and AND. A jump pointer taintedness detector raises an alert when the target of a jr is tainted; a data pointer taintedness detector raises an alert when the address of a load/store is tainted. Taintedness bits travel with the data along the load and store paths.
Related Work on Taintedness

- Perl security
- Shankar and Wagner (2001): static analysis to uncover format string vulnerabilities
- Our previous work on pointer taintedness (Aug. 2004): a source code analysis technique to uncover pointer taintedness vulnerabilities; reasoning about taintedness at the machine code level, relying on an extended memory model
- More recent work: Secure Program Execution (MIT), Minos (UC-Davis) and TaintCheck (CMU) (late 2004 and early 2005)
  - Similar memory model
  - Taintedness of control data
  - Pointer taintedness vs. control-data taintedness: cause vs. result of memory corruption
Attack Detection Effectiveness

First, test on synthetic vulnerable programs: all attacks (control/non-control data) are detected

Attack Detection Effectiveness (cont.)

Evaluation on real world network applications: all attacks are detected. No difference between control-data attack and non-control-data attack from the viewpoint of pointer taintedness.

| Application      | Vulnerability          | Corrupted data                                   | Result   |
|------------------|------------------------|--------------------------------------------------|----------|
| WU-FTP server    | Format string attack   | Overwrite user identity data (non-control-data)  | detected |
| WU-FTP server    | Format string attack   | Overwrite user input data (non-control-data)     | detected |
| NULL HTTP server | Heap corruption attack | Overwrite configuration data (non-control-data)  | detected |
| traceroute       | Double free            | Function pointer (control-data)                  | detected |
Transparency and False Positive
- No need for re-compilation; runs existing binary executables
- Results from network applications: no false positives
- Results from SPEC benchmarks: 15 billion instructions without any false positive
- Conclusion: no known false positive

analysis – very hard at binary level

Buffer overflow within the local frame
- If no pointer is tainted, no alert is raised
- Unlikely to cause severe security damage because the attacker-controllable location is very limited

Format string attack causing information leak
- Allows inspection of some memory data words
- Causes security compromises if these words contain a security-critical secret, e.g., a key or password
Integer Overflow Induced Array Index Out of Bound

```c
extern int array[];       /* array and its size are declared elsewhere */
extern int ArraySize;

void foo(unsigned int ui) {
    int i = ui;               /* unsigned-to-signed conversion: a large ui becomes negative */
    if (i >= ArraySize)
        i = ArraySize - 1;    /* check in the signed domain lets a negative i through */
    array[i] = 1;             /* negative i writes below the array */
}
```
Buffer overflow causing critical flags to be corrupted

```c
void bar() {
    int auth;
    char buf[100];
    auth = do_auth();         /* nonzero means authenticated */
    scanf("%s", buf);         /* unbounded read: input longer than buf overwrites neighbouring stack data such as auth */
    if (auth) grant_access();
}
```
Format string attack causing information leak

```c
void leak() {
    int secret_key;
    char buf[12];
    recv(s, buf, 12, 0);
    printf(buf);              /* user input used as the format string: "%x%x%x%x" prints stack words, which may include secret_key */
}
```

Input: "%x%x%x%x"
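The three snippets above are all cases the slides list as outside what pointer taintedness detection catches, so the fix has to come from the code itself. The following is an added example, not from the slides: each vulnerable pattern is rewritten so its effect can be returned and checked, and placed beside a hardened form. The struct that stands in for bar()'s stack frame, the array size and the overlong input are constructed for the demonstration; the unbounded copy is clamped to the frame so the demo itself never writes outside the object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE 16

/* foo() as on the slide: ui is converted to int before the check. For ui >= 2^31
 * the conversion yields a negative i on the usual two's-complement ABIs, which
 * passes `i >= ARRAY_SIZE`. Returns the index array[i] would use; no write. */
int index_vulnerable(unsigned int ui) {
    int i = (int)ui;
    if (i >= ARRAY_SIZE)
        i = ARRAY_SIZE - 1;
    return i;
}

/* Hardened: clamp in the unsigned domain, then convert. Always in [0, ARRAY_SIZE-1]. */
int index_hardened(unsigned int ui) {
    if (ui >= ARRAY_SIZE)
        ui = ARRAY_SIZE - 1;
    return (int)ui;
}

/* bar()'s frame made explicit: buf is immediately followed by auth (offset 100,
 * no padding since 100 is a multiple of 4), so an overflow deterministically
 * reaches the flag. */
typedef struct {
    char buf[100];
    int  auth;
} frame_t;

/* Unbounded copy standing in for scanf("%s", buf): input longer than buf spills
 * into auth. Returns the flag after the copy (0 = access denied). */
int auth_after_unbounded_copy(const char *input) {
    frame_t f;
    char *raw = (char *)&f;
    size_t n = strlen(input) + 1;            /* terminator included */
    f.auth = 0;                               /* do_auth() said: not authenticated */
    if (n > sizeof f) n = sizeof f;           /* demo guard only; scanf has no such limit */
    memcpy(raw, input, n);
    return f.auth != 0;
}

/* Bounded copy: the input is truncated to fit buf, so auth is never touched. */
int auth_after_bounded_copy(const char *input) {
    frame_t f;
    f.auth = 0;
    snprintf(f.buf, sizeof f.buf, "%s", input);
    return f.auth != 0;
}

/* Constructed input: 100 'A' bytes followed by four 0x01 bytes that overlap auth. */
int demo_overlong_input(int bounded) {
    char input[105];
    memset(input, 'A', 100);
    memset(input + 100, 0x01, 4);
    input[104] = '\0';
    return bounded ? auth_after_bounded_copy(input) : auth_after_unbounded_copy(input);
}

/* leak()'s fix: pass the input as a %s argument instead of as the format string.
 * Formats `input` the safe way into a local buffer and reports whether it came
 * out byte-for-byte unchanged, i.e. no directive in it was honoured. */
int input_printed_literally(const char *input) {
    char out[64];
    snprintf(out, sizeof out, "%s", input);
    return strcmp(out, input) == 0;
}

int main(void) {
    printf("index_vulnerable(0xFFFFFFFF) = %d, index_hardened = %d\n",
           index_vulnerable(0xFFFFFFFFu), index_hardened(0xFFFFFFFFu));
    printf("auth after unbounded copy = %d, after bounded copy = %d\n",
           demo_overlong_input(0), demo_overlong_input(1));
    printf("\"%%x%%x%%x%%x\" printed literally = %d\n", input_printed_literally("%x%x%x%x"));
    return 0;
}
```

The index case is the one worth remembering: the check looks correct at a glance, and the tainted value never becomes a pointer in the detector's sense until it has already passed the bound test, so the only reliable defence is to compare in the type the value actually has.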
Conclusions

Contributions:
- Non-control-data attack is a realistic threat
- Memory corruption attacks, including control-data attacks and non-control-data attacks, are due to pointer taintedness
- Proposed a runtime pointer taintedness detection architecture - substantial improvement in security coverage

Evaluation
- Transparent to existing applications
- A near-zero false positive rate

We plan to implement this approach in the hardware framework for detection and recovery
Questions?
Another Motivating Example

Overwrite an integer representing the user ID; obtain the root privilege of the server
Internals of Format String Attack

ap: argument pointer; fmt: format string pointer

In vfprintf(), if (fmt points to "%n") then **ap = (character count)

Vulnerable code: recv(buf); printf(buf); /* should be printf("%s", buf) */

Attack input: \xdd \xcc \xbb \xaa %d %d %d %n

Figure: stack layout (only the labels survive in this copy). The stack grows from high to low addresses; the input bytes 0xaabbccdd, %d %d %d and %n lie in the buffer on the stack. The %d conversions advance ap into the stack region holding the input, so by the time %n is processed *ap is a tainted value.
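The mechanism the slide describes, ap stepping one argument slot per conversion until it walks off the arguments the caller actually passed, can be turned into a check rather than an exploit. The following is an added example, not from the paper: it walks a format string the way vfprintf() does, counts the argument slots consumed, counts %n directives, and reports the first conversion that would read a slot beyond the `nargs` real arguments. The slide's input passed through printf(buf) with zero arguments is the constructed test case. Flags, width, precision and length modifiers are skipped; '*' widths are not modeled.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    int conversions;    /* argument-consuming conversions found */
    int n_writes;       /* number of %n directives (each writes through an argument) */
    int first_overrun;  /* 1-based index of the first conversion beyond nargs, 0 if none */
} fmt_audit_t;

/* Walk `fmt` as vfprintf() would: every conversion other than "%%" advances the
 * argument pointer by one slot. With `nargs` real arguments, any conversion
 * numbered above nargs reads a slot the caller never supplied, i.e. the stack
 * region shown on the slide. */
fmt_audit_t audit_format(const char *fmt, int nargs) {
    fmt_audit_t r = {0, 0, 0};
    int slot = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                         /* "%%": literal percent, no argument */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p)) p++;   /* flags, width, precision, length */
        if (!*p) break;                                  /* truncated directive at end of string */
        slot++;
        r.conversions++;
        if (*p == 'n') r.n_writes++;
        if (slot > nargs && r.first_overrun == 0) r.first_overrun = slot;
    }
    return r;
}

/* Policy a defender can apply before handing a string that may carry user input
 * to a printf-style function: reject it if it writes (%n) or if it consumes more
 * arguments than are being passed. */
int format_is_safe(const char *fmt, int nargs) {
    fmt_audit_t a = audit_format(fmt, nargs);
    return a.n_writes == 0 && a.first_overrun == 0;
}

int main(void) {
    /* Constructed: the slide's input as it reaches printf(buf), which passes zero arguments. */
    const char *slide_input = "\xdd\xcc\xbb\xaa%d%d%d%n";
    fmt_audit_t a = audit_format(slide_input, 0);
    printf("slide input: %d conversions, %d %%n directives, first overrun at slot %d, safe=%d\n",
           a.conversions, a.n_writes, a.first_overrun, format_is_safe(slide_input, 0));
    printf("\"%%s\" with one argument: safe=%d\n", format_is_safe("%s", 1));
    return 0;
}
```

For the slide's input the very first %d already overruns, because printf(buf) supplies no arguments at all; the three %d directives exist only to move ap up to the word holding 0xaabbccdd before %n writes through it. The same audit, applied to printf("%s", buf) with one argument, reports nothing, which is the whole difference between the vulnerable call and its fix.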
Future Directions

- Combination of static code analysis and architecture support: automatically derive predicates to be checked by the processor at runtime
- Reliability and security support for embedded systems: migrate our current techniques to embedded systems
  - New topics: cell phone virus, reduced power consumption, tamper-resistant hardware, crypto and authentication hardware/software