Lecture Slides - trust.informatik.tu-darmstadt.de · A.-R. Sadeghi ©TU Darmstadt, 2007-2013 Slide Nr. 2, Lecture Secure, Trusted and Trustworthy Computing, WS 2012/2013 Runtime Attacks

Mar 31, 2018


Slide Nr. 2

Lecture Slides

1. Background on Runtime Attacks

2. Code Injection Attacks: Conventional Buffer Overflow

3. Code Reuse Attacks

I. return-into-libc

II. Return-Oriented Programming

4. Countermeasures Against Runtime Attacks

Exercises

1. Theoretical Exercise on Buffer Overflows

2. Practical Lab on Code Injection Attacks

3. Practical Lab on Code Reuse Attacks

Slide Nr. 3

Runtime attacks are major threats to today's applications: the control flow of an application is compromised at runtime. Typically, runtime attacks include the injection of malicious code.

Reasons for runtime attacks: software is written in unsafe languages such as C/C++ and thus suffers from various memory-related vulnerabilities.

Most prominent example: the buffer overflow. Buffer overflows have been known for 2 decades, and various techniques to exploit buffer overflow vulnerabilities have been developed (e.g., Stack Smashing, Heap Overflow, Integer Overflow, Format String).

Slide Nr. 4

General Principle of Runtime Attacks


Slide Nr. 5

Figure: control-flow graph of a program made of basic blocks BBL 1 to BBL 5; each basic block is a sequence "entry, ins, ins, ins, …, exit".

Entry: Any instruction that is the target of a branch (e.g., the first instruction of a function)

Exit: Any branch (e.g., an indirect or direct jump/call, or a return)

Slide Nr. 6

Figure: the same basic-block graph (BBL 1 to BBL 5) with the two ways of diverting the control flow: (1) Code Injection Attacks redirect execution to injected Shellcode (Malicious Code); (2) Code Reuse Attacks redirect execution to Instruction Sequences and Library Functions in existing Library Code.

Entry: Any instruction that is the target of a branch (e.g., the first instruction of a function)

Exit: Any branch (e.g., an indirect or direct jump/call, or a return)

Code Injection Attacks

Code Reuse Attacks
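As an added illustration of the entry/exit definitions above (this is not code from the original slides), the following C program splits a constructed toy instruction stream into basic blocks using exactly those rules, and then uses the block boundaries as a coarse control-flow check: a transfer is accepted only when it leaves a block at an exit and lands on a block entry. The instruction encoding, the sample stream and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy instruction encoding (an assumption for this example): a plain
 * instruction, or one of the branch kinds the slide lists as block exits. */
enum kind { INS, JMP, JCC, CALL, RET };

struct ins {
    enum kind kind;
    int target;   /* index of the branch target, or -1 (RET, plain INS) */
};

/* Constructed sample stream: two conditional paths that join again at index 7. */
const struct ins SAMPLE[] = {
    { INS, -1 },  /* 0: entry (first instruction of the function) */
    { INS, -1 },  /* 1 */
    { JCC,  5 },  /* 2: exit of block 1; its target 5 becomes an entry */
    { INS, -1 },  /* 3: entry (fall-through after the branch at 2) */
    { JMP,  7 },  /* 4: exit of block 2 */
    { INS, -1 },  /* 5: entry */
    { INS, -1 },  /* 6 */
    { INS, -1 },  /* 7: entry (target of the JMP at 4) */
    { RET, -1 },  /* 8: exit of the last block */
};
const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

/* Exit: any branch. */
static bool is_exit(const struct ins *i) { return i->kind != INS; }

/* Mark block entries: index 0, every branch target, and the instruction that
 * follows every branch (a branch ends its block, so the next instruction
 * starts a new one). Returns the number of entries, i.e. of basic blocks. */
size_t mark_entries(const struct ins *code, size_t n, bool *is_entry)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) is_entry[i] = false;
    if (n > 0) is_entry[0] = true;
    for (size_t i = 0; i < n; i++) {
        if (!is_exit(&code[i])) continue;
        if (code[i].target >= 0 && (size_t)code[i].target < n)
            is_entry[code[i].target] = true;
        if (i + 1 < n) is_entry[i + 1] = true;
    }
    for (size_t i = 0; i < n; i++) if (is_entry[i]) count++;
    return count;
}

/* Fill starts[] with the index of each block's entry; returns the block count. */
size_t split_blocks(const struct ins *code, size_t n, size_t *starts, size_t max_starts)
{
    bool is_entry[64];
    if (n > 64) return 0;
    size_t nblocks = mark_entries(code, n, is_entry), k = 0;
    for (size_t i = 0; i < n && k < max_starts; i++)
        if (is_entry[i]) starts[k++] = i;
    return nblocks;
}

/* Coarse control-flow check: a transfer from `from` to `to` is accepted only
 * if `from` is a block exit and `to` is a block entry. Landing in the middle
 * of a block, as a corrupted code pointer might, is rejected. */
bool transfer_allowed(const struct ins *code, size_t n, size_t from, size_t to)
{
    bool is_entry[64];
    if (n > 64 || from >= n || to >= n) return false;
    mark_entries(code, n, is_entry);
    return is_exit(&code[from]) && is_entry[to];
}

int main(void)
{
    size_t starts[16];
    size_t nb = split_blocks(SAMPLE, SAMPLE_LEN, starts, 16);
    for (size_t b = 0; b < nb; b++) {
        size_t end = (b + 1 < nb) ? starts[b + 1] - 1 : SAMPLE_LEN - 1;
        printf("BBL %zu: entry at %zu, exit at %zu\n", b + 1, starts[b], end);
    }
    return 0;
}
```

The sample stream yields four blocks (entries at 0, 3, 5 and 7). Note that the check only knows the static graph: it accepts any exit-to-entry pair, not just the pairs the program would take, which is why real control-flow integrity schemes refine it further.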

Slide Nr. 7

Goal of Runtime Attacks (based on code injection): subvert the usual execution flow of a program by redirecting it to injected (malicious) code

The attack consists of two steps:

1. injecting new (malicious) code into some writable memory area, and

2. changing a code pointer (usually the return address) in such a way that it points to the injected malicious code

Code Injection: code can be injected by overflowing a local buffer allocated on the stack. The target of the injected code is usually to launch a shell to the adversary; therefore the injected code is often referred to as shellcode.

Slide Nr. 8

Some Background before we go into the details of runtime attacks


Slide Nr. 9

To understand how a buffer overflow attack works, we take a deeper look at the stack frame and the main relevant x86 CPU registers

Slide Nr. 10

General-Purpose Registers (32 bit each, Bit 31 … Bit 0):

EAX: Accumulator Register

EBX: Base Register (base pointer for memory access)

ECX: Counter register (counter for loop/string operations)

EDX: Data register (I/O Pointer)

ESI: Source index pointer for string operations

EDI: Destination index pointer for string operations

EBP: Base Pointer (pointer to data on the stack)

ESP: Stack Pointer

EFLAGS: Program Status and Control Register (status of the program being executed, e.g., carry, parity, zero, overflow flag)

EIP: Instruction Pointer (32-bit pointer to the next instruction to be executed)

Source: Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture http://download.intel.com/products/processor/manual/253665.pdf

Slide Nr. 11

Figure: the Stack, with High Addresses at the top and Low Addresses at the bottom (the stack grows downwards). One Stack Frame, from high to low addresses: Function Arguments, Return Address, Saved Base Pointer, Local Variables. The Base Pointer (EBP) marks the base of the frame; the Stack Pointer (ESP) marks its current top.

The EBP register is used to reference function arguments and local variables

The ESP register holds the stack pointer and always points to the last element on the stack

Slide Nr. 12

The stack is a last in, first out (LIFO) memory area where the Stack Pointer (ESP) points to the last stored element on the stack. Typically, the stack grows downwards. The stack can be accessed by two basic operations:

1. PUSH elements onto the stack (ESP is decremented)

2. POP elements off the stack (ESP is incremented)

The stack is divided into individual stack frames; each function call sets up a new stack frame on top of the stack:

1. Function arguments: arguments provided by the caller of the function

2. Return address: upon function return (i.e., when a return instruction is issued), control transfers to the code pointed to by the return address (i.e., control transfers back to the caller of the function)

3. Saved Base Pointer: base pointer of the calling function

4. Local variables: variables that the called function uses internally

Slide Nr. 13

Function call performed via the x86 CALL instruction, e.g., CALL Function_A

Figure: Code of <main>: "Instruction, …, CALL Function_A, Instruction, …"; Code of <Function_A>: "Instruction, …, RET". Stack: "…", with ESP pointing to the current top of the stack.

Slide Nr. 14

Function call performed via the x86 CALL instruction, e.g., CALL Function_A

The CALL instruction automatically pushes the return address on the stack, while the return address is simply the instruction preceding the call

Figure: Code of <main>: "Instruction, …, CALL Function_A, Instruction, …"; Code of <Function_A>: "Instruction, …, RET". Stack: the Return Address has been pushed, and ESP points to it.

Slide Nr. 15

Function call performed via the x86 CALL instruction, e.g., CALL Function_A. The CALL instruction automatically pushes the return address on the stack, while the return address simply points to the instruction preceding the call

Function return is performed via the x86 RET instruction: the RET instruction pops the return address off the stack and loads it into the instruction pointer (EIP)

Hence, execution will continue in the main function

Figure: Code of <main>: "Instruction, …, CALL Function_A, Instruction, …"; Code of <Function_A>: "Instruction, …, RET". Stack: the Return Address has been popped by RET, and ESP points above it again.

Slide Nr. 16

Figure: Code of <Function_A>: Function Prologue "PUSH %ebp; MOV %ebp,%esp; SUB %esp, 16", then "Instruction, …", then Function Epilogue "MOV %esp,%ebp; POP %ebp; RET". Stack: Function Arguments, Return Address; at function entry ESP points to the Return Address.

Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP

Slide Nr. 17

Figure (after PUSH %ebp): Store Base Pointer (EBP) of Caller on Stack (Field: Saved Base Pointer). Stack: Function Arguments, Return Address, Saved Base Pointer; ESP points to the Saved Base Pointer.

Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP

Slide Nr. 18

Figure (after MOV %ebp,%esp): Initialize new Base Pointer. Stack: Function Arguments, Return Address, Saved Base Pointer; EBP and ESP both point to the Saved Base Pointer.

Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP

Slide Nr. 19

Figure (after SUB %esp, 16): Reserve Space for Local Variables (here: 16 Bytes). Stack: Function Arguments, Return Address, Saved Base Pointer (EBP points here), Local Variables (ESP points here).

Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP

Slide Nr. 20 (same figure as Slide Nr. 19)

Slide Nr. 21

Figure (after MOV %esp,%ebp): Set Stack Pointer (ESP) to the location where the Saved Base Pointer is stored. The Local Variables are no longer part of the stack; EBP and ESP both point to the Saved Base Pointer.

Assembler Notation: Destination Register is the First Operand - e.g., MOV %ebp,%esp moves the value of ESP to register EBP

Slide Nr. 22

Figure (after POP %ebp): Load Saved Base Pointer to the Base Pointer Register (EBP <= Saved Base Pointer). ESP now points to the Return Address.

Slide Nr. 23

Figure (after RET): Issue Return to Caller. The Return Address is popped into EIP and the program returns to the caller; ESP now points to the Function Arguments.

Slide Nr. 24

The purpose of the function prologue is to back up selected registers and to reserve space for local variables

On Intel x86 (Notation: destination register is the first operand):

Note: when the function is entered, the stack pointer points to the return address of the function

1. Store the Saved Base Pointer on the stack: PUSH %ebp

2. Initialize the Base Pointer of the called function with the current value of the Stack Pointer: MOV %ebp,%esp

3. Reserve space for local variables (e.g., 12 Bytes): SUB %esp,12

Slide Nr. 25

The purpose of the function epilogue is to set the Stack Pointer back to its original state, to restore selected registers, and to issue the return

1. Reset the Stack Pointer (by loading it with %ebp): MOV %esp,%ebp

2. Restore the caller's Base Pointer: POP %ebp

3. Pop the return address from the stack and return back to the caller: RET
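The stack, CALL/RET and prologue/epilogue slides above describe a fixed sequence of register and memory updates. The following C model (added here, not code from the slides) replays that sequence on a small simulated stack and records what the slides claim at each step: after CALL the return address sits at [ESP]; after the prologue the Saved Base Pointer sits at [EBP] and the return address at [EBP+4]; after the epilogue and RET, ESP and EBP are back to the caller's values and EIP holds the return address. The memory window, the marker values and the addresses 0x1000, 0x1005 and 0x2000 are assumptions made for this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit machine state: the three registers the slides discuss plus a
 * small byte-addressed memory window used as the stack. Addresses are offsets
 * into this window (an assumption for this model, not real x86 addresses). */
#define STACK_BYTES 256

struct cpu {
    uint32_t eip, esp, ebp;
    uint8_t mem[STACK_BYTES];
};

/* Little-endian 32-bit load/store, as on x86. */
static uint32_t load32(const struct cpu *c, uint32_t addr)
{
    return (uint32_t)c->mem[addr] | (uint32_t)c->mem[addr + 1] << 8 |
           (uint32_t)c->mem[addr + 2] << 16 | (uint32_t)c->mem[addr + 3] << 24;
}
static void store32(struct cpu *c, uint32_t addr, uint32_t v)
{
    for (int i = 0; i < 4; i++) c->mem[addr + i] = (uint8_t)(v >> (8 * i));
}

/* PUSH: ESP is decremented, then the value is written at the new top. */
static void push(struct cpu *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
/* POP: the value at the top is read, then ESP is incremented. */
static uint32_t pop(struct cpu *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }
/* CALL target: pushes the return address (the address of the instruction after
 * the CALL, where execution resumes once RET runs), then jumps to the target. */
static void do_call(struct cpu *c, uint32_t target, uint32_t after_call) { push(c, after_call); c->eip = target; }
/* RET: pops the return address into EIP. */
static void do_ret(struct cpu *c) { c->eip = pop(c); }

/* Observations taken at each step, to be compared with the slides' description. */
struct trace {
    uint32_t ret_addr_at_entry;    /* value at [ESP] when Function_A is entered */
    uint32_t saved_ebp;            /* value at [EBP] after the prologue */
    uint32_t ret_addr_via_ebp;     /* value at [EBP+4] after the prologue */
    uint32_t ebp_after_prologue, esp_after_prologue;
    uint32_t esp_after_epilogue, ebp_after_epilogue, eip_after_ret;
};

/* Runs CALL Function_A, the prologue, one local-variable write, the epilogue and RET. */
struct trace simulate_call(void)
{
    struct cpu c;
    struct trace t;
    memset(&c, 0, sizeof c);
    c.esp = STACK_BYTES;    /* empty stack: top of the window, grows downwards */
    c.ebp = 0xAAAAAAAA;     /* main's base pointer: constructed marker value */
    c.eip = 0x1000;         /* address of "CALL Function_A" in main: constructed */
    const uint32_t FUNCTION_A = 0x2000, AFTER_CALL = 0x1005;

    do_call(&c, FUNCTION_A, AFTER_CALL);     /* CALL Function_A */
    t.ret_addr_at_entry = load32(&c, c.esp); /* ESP points to the return address */

    push(&c, c.ebp);                         /* PUSH %ebp      (Saved Base Pointer) */
    c.ebp = c.esp;                           /* MOV %ebp,%esp  (new base pointer) */
    c.esp -= 16;                             /* SUB %esp,16    (16 bytes of locals) */
    t.saved_ebp = load32(&c, c.ebp);
    t.ret_addr_via_ebp = load32(&c, c.ebp + 4);
    t.ebp_after_prologue = c.ebp;
    t.esp_after_prologue = c.esp;

    store32(&c, c.ebp - 16, 0xDEADBEEF);     /* body: write the lowest local variable */

    c.esp = c.ebp;                           /* MOV %esp,%ebp  (drop the locals) */
    c.ebp = pop(&c);                         /* POP %ebp       (restore caller's EBP) */
    do_ret(&c);                              /* RET            (return address -> EIP) */
    t.esp_after_epilogue = c.esp;
    t.ebp_after_epilogue = c.ebp;
    t.eip_after_ret = c.eip;
    return t;
}

int main(void)
{
    struct trace t = simulate_call();
    printf("return address at entry: 0x%x; after prologue EBP=%u ESP=%u; "
           "after RET EIP=0x%x ESP=%u EBP=0x%x\n",
           t.ret_addr_at_entry, t.ebp_after_prologue, t.esp_after_prologue,
           t.eip_after_ret, t.esp_after_epilogue, t.ebp_after_epilogue);
    return 0;
}
```

With a 256-byte window the CALL leaves the return address at offset 252, PUSH %ebp stores the caller's EBP at 248, and SUB %esp,16 moves ESP to 232; the epilogue walks these steps back in reverse order, which is why the later slides can describe the attack entirely in terms of which of these slots an overflow reaches.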

Slide Nr. 26

First Attack Technique: Code Injection Attack (Conventional Buffer Overflow Attack)


Slide Nr. 27

Simple Echo program suffering from a stack overflow vulnerability

The gets() function does not provide bounds checking
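The slides' own echo program survives only as an image in this transcript. As an added example (not the slides' code), the following C file places the vulnerable shape they describe, an 80-byte local buffer filled with no bound, next to two bounded replacements: a copy routine that rejects over-long input, and an fgets()-based line reader that handles the over-long-line case gets() cannot. The function names, the 8-byte demo buffer and the input lines are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80   /* same local buffer size as the slides' echo program */

/* Vulnerable shape, as on the slides: an 80-byte local buffer filled with no
 * bound. The slides' program calls gets(buffer); gets() was removed from C11,
 * so this added version takes the line as a parameter and uses strcpy(), which
 * is unbounded in the same way. Input of BUF_SIZE bytes or more overwrites the
 * Saved Base Pointer and Return Address that follow the buffer on the stack. */
void echo_unsafe(const char *line)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, line);   /* copies strlen(line)+1 bytes regardless of BUF_SIZE */
    puts(buffer);
}

/* Hardened copy: the destination size is explicit and input that does not fit
 * (terminating NUL included) is rejected instead of being truncated silently.
 * Returns 0 on success, -1 if the input is too long or out_size is 0. */
int echo_bounded(const char *line, char *out, size_t out_size)
{
    size_t len = strlen(line);
    if (out_size == 0) return -1;
    if (len >= out_size) { out[0] = '\0'; return -1; }
    memcpy(out, line, len + 1);
    return 0;
}

/* Bounded line input in place of gets(): fgets() stores at most size-1 bytes.
 * If the buffer filled up without a newline and more input follows, the line
 * did not fit: the remainder is discarded so the next call starts on a fresh
 * line. Returns the number of bytes stored (newline stripped), or -1 on EOF or
 * on an over-long line. */
long read_line_bounded(FILE *f, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, f) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[--len] = '\0'; return (long)len; }
    if (len + 1 < size) return (long)len;   /* EOF reached before the buffer filled */
    int ch = fgetc(f);                      /* buffer is full: is there more on this line? */
    if (ch == EOF || ch == '\n') return (long)len;
    while (ch != EOF && ch != '\n') ch = fgetc(f);   /* discard the overflow */
    buf[0] = '\0';
    return -1;
}

/* Constructed input stream: a short line, a line too long for an 8-byte buffer,
 * and another short line. */
const char SAMPLE_INPUT[] = "hello\nthis line is far too long\nok\n";

int main(void)
{
    char buf[8];
    FILE *f = fmemopen((void *)SAMPLE_INPUT, strlen(SAMPLE_INPUT), "r");
    if (!f) return 1;
    for (int i = 0; i < 3; i++) {
        long n = read_line_bounded(f, buf, sizeof buf);
        printf("%s\n", n < 0 ? "(line rejected: too long)" : buf);
    }
    fclose(f);
    return 0;
}
```

Rejecting rather than truncating matters for the attack the next slides show: silent truncation keeps the stack intact but can still hand the program a different string than the user sent, whereas a rejected line never reaches the buffer at all.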

Slide Nr. 28

Launching a buffer overflow attack against the vulnerable program


Slide Nr. 29

Figure (Program Memory, step 1): Code of <main>: "Instruction, …, CALL echo(), Instruction, …, CALL printf(), …". Stack: empty so far. The Adversary supplies the program's input.

Slide Nr. 30

Figure (step 2, CALL echo()): Code of <main> as before; Code of <echo>: "Function Prologue, CALL gets(buffer), …, RET". Stack: Return Address (pushed by the CALL); ESP points to it.

Slide Nr. 31

Figure (step 3, after the prologue of echo): Stack: Return Address, Saved Base Pointer, Local Buffer buffer[80]; ESP points to the local buffer that gets(buffer) is about to fill.

Slide Nr. 32

Figure (step 4, Corrupt Control Structures): the Adversary's input is longer than the 80-byte buffer, so gets(buffer) writes SHELLCODE into the Local Buffer buffer[80], a PATTERN over the Saved Base Pointer and a NEW RETURN ADDR over the Return Address. ESP still points to the buffer.

Slide Nr. 33

Figure (step 5): echo() now returns! RET pops the NEW RETURN ADDR into EIP in place of the original Return Address.

Slide Nr. 34

Figure (step 6): Shellcode executes. The NEW RETURN ADDR pointed into the buffer holding the SHELLCODE, and ESP now points above the overwritten Return Address.

Slide Nr. 35

Why is the attack possible? The gets() function provides no bounds-checking. C/C++ includes various functions providing no bounds-checking, e.g.:

strcpy(): copies a string into a buffer

strcat(): concatenates two strings

scanf(): reads data from stdin (Standard Input)

The general defense against code injection attacks is W ^ X (Writable Xor Executable): with W ^ X, memory pages can be marked either writable or executable. The stack is marked writable; hence, the adversary can still inject his malicious code, but cannot execute it.
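To check whether W ^ X actually holds for a running process, here is an added example (not from the slides): the Linux kernel exposes each mapping's permissions in /proc/<pid>/maps, and a mapping whose permission field contains both "w" and "x" is exactly what the policy above forbids. The parser below runs over two constructed maps excerpts, one with an rwx stack and one with a non-executable stack; the sample lines, addresses and paths are made up for the example, and main() reads the real /proc/self/maps when the file is compiled and run stand-alone.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the format of Linux /proc/<pid>/maps (not captured
 * from a real process): address range, permissions, offset, device, inode,
 * path. Here the stack is mapped rwx, i.e. W ^ X is not enforced for it. */
const char SAMPLE_MAPS_RWX_STACK[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/user/echo\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234 /home/user/echo\n"
    "b7e00000-b7fa0000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "b7fa0000-b7fa2000 rw-p 001a0000 08:01 5678 /lib/libc.so.6\n"
    "bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

/* Same layout with W ^ X respected: the stack is writable but not executable. */
const char SAMPLE_MAPS_NX_STACK[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/user/echo\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234 /home/user/echo\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Copy the 4-character permission field of one maps line into perms[5].
 * Returns 1 on success, 0 if the line is too short to contain it. */
static int line_perms(const char *line, size_t len, char perms[5])
{
    size_t i = 0;
    while (i < len && line[i] != ' ') i++;   /* skip the address range */
    while (i < len && line[i] == ' ') i++;
    if (i + 4 > len) return 0;
    memcpy(perms, line + i, 4);
    perms[4] = '\0';
    return 1;
}

/* Count mappings that are both writable and executable (W ^ X violations). */
int count_wx_mappings(const char *maps)
{
    int count = 0;
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char perms[5];
        if (line_perms(p, len, perms) && perms[1] == 'w' && perms[2] == 'x') count++;
        p += len;
        if (*p == '\n') p++;
    }
    return count;
}

/* 1 if the [stack] mapping is executable, 0 if it is not, -1 if there is none. */
int stack_is_executable(const char *maps)
{
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *tag = strstr(p, "[stack]");
        char perms[5];
        if (tag && tag < p + len && line_perms(p, len, perms))
            return perms[2] == 'x';
        p += len;
        if (*p == '\n') p++;
    }
    return -1;
}

/* Stand-alone use: audit the running process itself. */
int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("writable+executable mappings: %d, stack executable: %d\n",
           count_wx_mappings(buf), stack_is_executable(buf));
    return 0;
}
```

On a system where the loader honours the binary's non-executable-stack marking, the stand-alone run should report zero writable-and-executable mappings and a non-executable stack; a JIT or a binary built with an executable stack will show up as a violation, which is the condition under which the injected shellcode of the previous slides could run.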

Slide Nr. 36

How to bypass W ^ X?


Slide Nr. 37

Second Attack Technique: Code Reuse Attacks (return-into-libc and Return-oriented Programming)
