Software Defense Mechanisms: PaX and the future past continuous.

Software Defense Software Defense Mechanisms: PaX and the Mechanisms: PaX and the

futurefuture

past continuouspast continuous

Who am I?Who am I?

NOT Brad Spengler – I have decent NOT Brad Spengler – I have decent earsears

Tiago Assumpção Tiago Assumpção <[email protected]><[email protected]> NOT an academicNOT an academic

An undisciplined curious person with lots of An undisciplined curious person with lots of energy to be spent on whatever is valued by energy to be spent on whatever is valued by his selfhis self

Who am I? (cont.)Who am I? (cont.)

NOT a PaX developer… however…NOT a PaX developer… however… Have had delightful discussions with PaX Have had delightful discussions with PaX

Team about Team about whatever blows your hair backwhatever blows your hair back Have been Have been improving improving the project [2]the project [2] Have been Have been questioningquestioning the project [3] the project [3]

In praise of hackingIn praise of hacking

““The speculations of Thales, The speculations of Thales, Anaximander, and Anaximenes are to be Anaximander, and Anaximenes are to be regarded as scientific hypotheses (...) regarded as scientific hypotheses (...) The questions they asked were good The questions they asked were good questions, and their vigour inspired questions, and their vigour inspired subsequent investigators.subsequent investigators.””

RUSSELL, Bertrand; RUSSELL, Bertrand; History of Western Philosophy - History of Western Philosophy - 1946. p. 371946. p. 37

What is PaX?What is PaX?

Quite simply: the greatest advance in Quite simply: the greatest advance in system security in over a decade that system security in over a decade that you’ve never heard ofyou’ve never heard of

Less simply: It provides non-executable Less simply: It provides non-executable memory pages and full address space memory pages and full address space layout randomization (ASLR) for a wide layout randomization (ASLR) for a wide variety of architectures.variety of architectures.

– – Brad “grears” SpenglerBrad “grears” Spengler

What is PaX?What is PaX?

Linux kernel patchLinux kernel patch Free-software & open-source is good for Free-software & open-source is good for

the general researcherthe general researcher Universal solutions: concepts easily Universal solutions: concepts easily

extentend to any modern platformextentend to any modern platform

Why is PaX?Why is PaX?

Given a vector:Given a vector: Payload (code/data) injectionPayload (code/data) injection Context (memory/registers/etc.) Context (memory/registers/etc.)

manipulationmanipulation Intentional Control Flow modificationIntentional Control Flow modification

OutlineOutline

PaXPaX SEGMEXECSEGMEXEC PAGEEXECPAGEEXEC KERNEXECKERNEXEC ASLRASLR

RANDMMAPRANDMMAP RANDKSTACKRANDKSTACK PIEPIE

UDEREFUDEREF

Outline (cont.)Outline (cont.)

PaX’ FactsPaX’ Facts Past ContinuousPast Continuous

Control Flow VerificationControl Flow Verification KERNSEAL KERNSEAL

PaX - SEGMEXECPaX - SEGMEXEC

SEGMEXEC is PaX’s implementation SEGMEXEC is PaX’s implementation of per-page non-executable user of per-page non-executable user pages using the segmentation logic pages using the segmentation logic of IA-32 (Intel x86 architecture) and of IA-32 (Intel x86 architecture) and virtual memory area mirroring virtual memory area mirroring (developed by PaX).(developed by PaX).

PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)

The segmentation logic is fairly The segmentation logic is fairly straightforward:straightforward: Data Segment (DS)Data Segment (DS) Code Segment (CS)Code Segment (CS)

There exist these two segments for user pages There exist these two segments for user pages as well as kernel pages.as well as kernel pages.

PaX splits the address space down the middle: PaX splits the address space down the middle: the bottom half for data, the top for code.the bottom half for data, the top for code.

Segmentation is a “window” into the address Segmentation is a “window” into the address spacespace

No performance hitNo performance hit


UserCode & Data

Segments

3GB

Without SEGMEXEC

UserCode

Segment

1.5GB

UserData

Segment

1.5GB

With SEGMEXEC


PaX’s VMA mirroring involves duplicating PaX’s VMA mirroring involves duplicating every executable page in the lower half every executable page in the lower half of the address space into the upper half.of the address space into the upper half.

Instruction fetch attempts at addresses Instruction fetch attempts at addresses located in the data segment that don’t located in the data segment that don’t have any code located at its mirrored have any code located at its mirrored address will cause a page fault. PaX address will cause a page fault. PaX handles this page fault and kills the task.handles this page fault and kills the task.


08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08079000 rw-p 20000000-20014000 r-xp /lib/ld-2.3.2.so20014000-20015000 rw-p /lib/ld-2.3.2.so20015000-20016000 rw-p 2001e000-20145000 r-xp /lib/libc-2.3.2.so20145000-2014a000 rw-p /lib/libc-2.3.2.so2014a000-2014c000 rw-p 2014c000-202d1000 r--p /usr/lib/locale/locale-archive5ffff000-60000000 rw-p 68048000-6804c000 r-xp /home/bradly/cat80000000-80014000 r-xp /lib/ld-2.3.2.so8001e000-80145000 r-xp /lib/libc-2.3.2.so

08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08073000 rw-p 40000000-40014000 r-xp /lib/ld-2.3.2.so40014000-40015000 rw-p /lib/ld-2.3.2.so40015000-40016000 rw-p 4001e000-40145000 r-xp /lib/libc-2.3.2.so40145000-4014a000 rw-p /lib/libc-2.3.2.so4014a000-4014c000 rw-p 4014c000-402d1000 r--p /usr/lib/locale/locale-archivebfffe000-c0000000 rw-p

Without SEGMEXEC

With SEGMEXEC


Instruction fetch attempt at 0x08049000

Segmentation logic translates 0x08049000 into 0x68049000

Does 0x68049000 belong to any mapping?

Success

Violation, process is terminated

YES

NO

PaX - PAGEEXECPaX - PAGEEXEC

PAGEEXEC was PaX’s first implementation PAGEEXEC was PaX’s first implementation of non-executable pages.of non-executable pages.

Because of SEGMEXEC, it’s not used Because of SEGMEXEC, it’s not used anymore on x86 (so I won’t discuss the anymore on x86 (so I won’t discuss the implementation).implementation).

Platforms which support the executable bit Platforms which support the executable bit in hardware are implemented under in hardware are implemented under PAGEEXEC (currently alpha, ppc, parisc, PAGEEXEC (currently alpha, ppc, parisc, sparc, sparc64, amd64, and ia64)sparc, sparc64, amd64, and ia64)

PaX - KERNEXECPaX - KERNEXEC

KERNEXEC is PaX’s implementation of KERNEXEC is PaX’s implementation of proper page protection in the kernelproper page protection in the kernel ‘‘const’ finally means read only in the kernelconst’ finally means read only in the kernel Read-only system call tableRead-only system call table Read-only interrupt descriptor table (IDT)Read-only interrupt descriptor table (IDT) Read-only global descriptor table (GDT)Read-only global descriptor table (GDT) Data is non-executableData is non-executable Uses the same concept of segmentation as Uses the same concept of segmentation as

SEGMEXEC SEGMEXEC Cannot co-exist with module support (currently)Cannot co-exist with module support (currently)

PaX - ASLRPaX - ASLR

Full ASLR randomizes the locations of Full ASLR randomizes the locations of the following memory objects:the following memory objects: Executable imageExecutable image Brk-managed heapBrk-managed heap Library imagesLibrary images Mmap-managed heapMmap-managed heap User space stackUser space stack Kernel space stackKernel space stack

PaX – ASLR (cont.)PaX – ASLR (cont.)

Notes on amount of randomization:Notes on amount of randomization: The following values are for 32bit architectures. The following values are for 32bit architectures.

They are larger on 64bit architectures, though They are larger on 64bit architectures, though not twice as large (since they generally don’t not twice as large (since they generally don’t use 64 bits for the address space).use 64 bits for the address space).

Stack – 24 bits (28 bits for argument/environment Stack – 24 bits (28 bits for argument/environment pages)pages)

Mmap – 16 bitsMmap – 16 bits Executable – 16 bitsExecutable – 16 bits Heap – 12 bits (or 24 bits if executable is randomized Heap – 12 bits (or 24 bits if executable is randomized

also)also)


The randomizations applied to each memory The randomizations applied to each memory region are independent of each otherregion are independent of each other Because PaX guarantees no arbitrary code Because PaX guarantees no arbitrary code

execution, exploits will most likely need to execution, exploits will most likely need to access different memory regions.access different memory regions.

So, if the exploit needs access to libraries and So, if the exploit needs access to libraries and the stack, the bits that must be guessed are the the stack, the bits that must be guessed are the sum of the two regions: 40 bits (or 44). The sum of the two regions: 40 bits (or 44). The chance of such an attack succeeding while chance of such an attack succeeding while depending on hard coded addresses is depending on hard coded addresses is effectively zero.effectively zero.

PaX – ASLR (cont.)PaX – ASLR (cont.)08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08078000 rw-p 4edaa000-4edbe000 r-xp /lib/ld-2.3.2.so4edbe000-4edbf000 rw-p /lib/ld-2.3.2.so4edbf000-4edc0000 rw-p 4edc8000-4eeef000 r-xp /lib/libc-2.3.2.so4eeef000-4eef4000 rw-p /lib/libc-2.3.2.so4eef4000-4eef6000 rw-p4eef6000-4f07b000 r--p /usr/lib/locale/locale-archivebf3dc000-bf3dd000 rw-p

08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08070000 rw-p43d8c000-43da0000 r-xp /lib/ld-2.3.2.so43da0000-43da1000 rw-p /lib/ld-2.3.2.so43da1000-43da2000 rw-p43daa000-43ed1000 r-xp /lib/libc-2.3.2.so43ed1000-43ed6000 rw-p /lib/libc-2.3.2.so43ed6000-43ed8000 rw-p43ed8000-4405d000 r--p /usr/lib/locale/locale-archiveb54f9000-b54fa000 rw-p

Two runs of a binary with stack, mmap, and heap randomization


RANDKSTACKRANDKSTACK Randomizes the kernel’s stackRandomizes the kernel’s stack Randomized on each system call, so Randomized on each system call, so

info-leaking the randomization is uselessinfo-leaking the randomization is useless Randomizes 5 bits of the stack. Brute Randomizes 5 bits of the stack. Brute

forcing generally shouldn’t be possible, forcing generally shouldn’t be possible, as each attempt will most likely crash as each attempt will most likely crash the kernel.the kernel.


PIEPIE Special type of ELF binary (the same used for Special type of ELF binary (the same used for

shared libraries)shared libraries) Position independent code (PIC)Position independent code (PIC) Allows for relocation of the binary at a random Allows for relocation of the binary at a random

locationlocation Needed to achieve Full ASLRNeeded to achieve Full ASLR Requires a recompile and re-link of applicationsRequires a recompile and re-link of applications

PaX – Dangling PointersPaX – Dangling Pointers

““Dangling pointers and wild pointers Dangling pointers and wild pointers in computer programming are in computer programming are pointers that do not point to a valid pointers that do not point to a valid object of the appropriate type, or to object of the appropriate type, or to a distinguished null pointer value in a distinguished null pointer value in languages which support this”languages which support this”

WikipediaWikipedia

PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)

Most i386 OSs don't separate the Most i386 OSs don't separate the userland virtual address space from userland virtual address space from that of the kernel. that of the kernel.

Linux 2.6 has per-cpu GDTs; LDTs are Linux 2.6 has per-cpu GDTs; LDTs are untoucheduntouched

BSDs creates flat per-process LDTsBSDs creates flat per-process LDTs Windows creates flat per-process LDTsWindows creates flat per-process LDTs

PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)

Thence, whenever userland can make Thence, whenever userland can make the kernel (unexpectedly) dereference the kernel (unexpectedly) dereference a pointer within its range of control, it a pointer within its range of control, it holds ability to controlling the data holds ability to controlling the data (and, possibly, code) flow of the kernel (and, possibly, code) flow of the kernel by virtue of providing the attack by virtue of providing the attack elements in its own address space.elements in its own address space.

Real-life [4]Real-life [4]

PaX – UDEREFPaX – UDEREF

Kernel & UserSegments

4GB

Without UDEREFKernel

Segments

1GB

UserSegments

3GB

With UDEREF

PaX – UDEREF (cont.)PaX – UDEREF (cont.)

Segment selectors are properly setSegment selectors are properly set Few modifications are done Few modifications are done

regarding user/kernel, kernel/kernel regarding user/kernel, kernel/kernel system callssystem calls

FactsFacts

PaXPaX 24/28 bit stack 24/28 bit stack

randomizationrandomization 16 bit mmap 16 bit mmap

randomizationrandomization Completely Completely

implemented in the implemented in the kernel. Can be kernel. Can be implemented implemented transparently and retain transparently and retain binary compatibility binary compatibility with all distributions.with all distributions.

Facts (cont.)Facts (cont.)

PaXPaX Cuts usable address Cuts usable address

space in half (though space in half (though this can be changed if it this can be changed if it becomes a problem)becomes a problem)

Support for non-Support for non-executable and read-executable and read-only kernel pages on only kernel pages on i386i386

PaXPaX Per-system call kernel Per-system call kernel

stack randomizationstack randomization Brk-managed heap Brk-managed heap

randomizationrandomization Ability to enable/disable Ability to enable/disable

all features on a per all features on a per binary basisbinary basis

Annihilates the Annihilates the possibility of exploiting possibility of exploiting kernel dereferencing kernel dereferencing pointer vulnerabilitiespointer vulnerabilities


PaXPaX Supports the same user Supports the same user

space features on i386, space features on i386, alpha, ppc, parisc, alpha, ppc, parisc, sparc, sparc64, amd64, sparc, sparc64, amd64, and ia64and ia64

Supports a per-page Supports a per-page implementation of non-implementation of non-executable pages on executable pages on ppcppc


PaX – Past ContinuousPaX – Past Continuous

Control Flow VerificationControl Flow Verification Basic blocksBasic blocks

A basic block is a sequence of statements A basic block is a sequence of statements that is always entered at the beginning and that is always entered at the beginning and exited at the end, that is:exited at the end, that is:

The first statement is a LABELThe first statement is a LABEL The last statement is a JUMP or a CJUMPThe last statement is a JUMP or a CJUMP There are no other LABELs, JUMPs, or JUMPsThere are no other LABELs, JUMPs, or JUMPs

APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 180180


Control Flow VerificationControl Flow Verification Control Flow Graph (CFG)Control Flow Graph (CFG)

““In computer science, a control flow graph In computer science, a control flow graph (CFG) is a representation, using graph (CFG) is a representation, using graph notation, of all paths that might be traversed notation, of all paths that might be traversed through a program during its execution. through a program during its execution. Each node in the graph represents a basic Each node in the graph represents a basic block, block, (…)”(…)”

WikipediaWikipedia


Control Flow VerificationControl Flow Verification


Control Flow VerificationControl Flow Verification Call graphsCall graphs

““A call graph (also known as a call A call graph (also known as a call multigraph) is a directed graph that multigraph) is a directed graph that represents calling relationship among represents calling relationship among subroutines in a computer programsubroutines in a computer program””

WikipediaWikipedia




Control Flow VerificationControl Flow Verification Static analysisStatic analysis

Build call graph for program Build call graph for program PP Build set Build set SS of callers of callers Build set Build set Q Q of calleesof callees Build set Build set RR of relationships between of relationships between S S and and QQ, ,

creating creating magicmagic value for each value for each


Control Flow VerificationControl Flow Verification Code generationCode generation

Create proper prologues for every member Create proper prologues for every member of of SS

Create proper epilogues for every member Create proper epilogues for every member of of QQ

Magic ValuesMagic Values Hard to predict by exhaustive search values Hard to predict by exhaustive search values

kept within safe memory regions, they are kept within safe memory regions, they are verified in run-timeverified in run-time


Control Flow VerificationControl Flow Verificationcalleecalleeepilogue:epilogue: mov register,[esp]mov register,[esp]

cmp [register+1],MAGICcmp [register+1],MAGICjnz .1jnz .1retnretn

.1: jmp esp.1: jmp esp

caller:caller:call calleecall calleetest eax,MAGICtest eax,MAGIC


Control Flow Verification: Control Flow Verification: NondeterminismNondeterminism Branch tables: run-time environmentBranch tables: run-time environment OO virtual methods and function OO virtual methods and function

pointerspointers



GOT entriesGOT entries Made read-only by tweaking the static and the Made read-only by tweaking the static and the

dynamic linkerdynamic linker .ctors/.dtors.ctors/.dtors

Made read-only by modifying the link-editor scriptMade read-only by modifying the link-editor script



Are of a dynamic natureAre of a dynamic nature atexit() handlersatexit() handlers malloc() callbacksmalloc() callbacks linuxthread callbacks (atfork() handlers)linuxthread callbacks (atfork() handlers)

PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)

Control Flow Verification: ResultsControl Flow Verification: Results Breaks my attack [3] – Breaks my attack [3] – brief brief

explanation? explanation? – and anything that rely on – and anything that rely on the following premissesthe following premisses

execute existing code out of original execute existing code out of original program orderprogram order

execute existing code in original program execute existing code in original program order with arbitrary dataorder with arbitrary data

PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)

Control Flow Verification: ResultsControl Flow Verification: Results Opens a wide range of possibilities for Opens a wide range of possibilities for

improving systemic securityimproving systemic security Call graph trust relationship ensures that (in Call graph trust relationship ensures that (in

most cases) all control flow (including intra-most cases) all control flow (including intra-procedural) can’t be broken with a very low procedural) can’t be broken with a very low performance impactperformance impact

Call graph trust relationship allows data Call graph trust relationship allows data integrity verification (KERNSEAL)integrity verification (KERNSEAL)


KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis

““We say a variable is We say a variable is livelive if it holds a value if it holds a value that may be needed in the future, so this that may be needed in the future, so this analysis is called analysis is called livenessliveness analysis”analysis”



KERNSEALKERNSEAL The set of live variables at line L2 is {b, The set of live variables at line L2 is {b,

c}, but the set of live variables at line L1 c}, but the set of live variables at line L1 is only {b} since variable c is updated in is only {b} since variable c is updated in line 2. The value of variable a is never line 2. The value of variable a is never used, so the variable is never live.used, so the variable is never live.

L1: b := 3;L2: c := 5;L3: a := b + c;goto L1;


KERNSEALKERNSEAL Liveness Analysis: Dataflow equationsLiveness Analysis: Dataflow equations

““Liveness of variables ‘flows’ around the Liveness of variables ‘flows’ around the edges of the control-flow graph; determining edges of the control-flow graph; determining the live range of each variable is na the live range of each variable is na example of a example of a dataflow dataflow problem”problem”



KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology

Out-edgesOut-edges: nodes leading to successor nodes: nodes leading to successor nodes In-edges: In-edges: nodes coming from predecesor nodes coming from predecesor

nodesnodes

predpred[n], holding the set of predecessors of [n], holding the set of predecessors of node node nn

succsucc[n], holding the set of successors of node [n], holding the set of successors of node nn



UsesUses: the set of variables : the set of variables in usein use at a given at a given nodenode

Defs:Defs: the set of variables the set of variables assigned assigned at a at a given nodegiven node



LivenessLiveness: “: “A variable is A variable is livelive on an edge if there on an edge if there is a directed path from tha edge to a is a directed path from tha edge to a useuse of of the variable that does not go through any the variable that does not go through any defdef. . A variable is A variable is live-inlive-in at a node if it is live on any at a node if it is live on any of the in-edges of that node; it is of the in-edges of that node; it is live-outlive-out at a at a node if it is live on any of the out-edges of the node if it is live on any of the out-edges of the node.”node.”



KERNSEALKERNSEAL Liveness Analysis: Liveness Analysis:

The dataflow equations used for a given basic The dataflow equations used for a given basic block s and exiting block block s and exiting block ff in live variable analysis in live variable analysis

WikipediaWikipedia


KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis

Allows access control of specific code Allows access control of specific code procedures – known procedures – known a priori a priori – towards– towards sensitive data (kernel data)sensitive data (kernel data)

Process structuresProcess structures Object CredentialsObject Credentials Kernel Function PointersKernel Function Pointers And othersAnd others


KERNSEALKERNSEAL DesignDesign

Unreadablememory pages

Read-onlymemory pages

Read-writememory pages


KERNSEALKERNSEAL Example: Example: protect user credentials infoprotect user credentials info

Perform liveness analysis for deriving Perform liveness analysis for deriving specific code blocks that may have legit specific code blocks that may have legit read/write access to itread/write access to it

Set memory properties holding the data Set memory properties holding the data structures to read-onlystructures to read-only

Embed (through instrumentation) Embed (through instrumentation) write-key write-key procedure to allowing legit code to access procedure to allowing legit code to access the structurethe structure


KERNSEALKERNSEAL ResultsResults

Strengthen of Trusted Computing Base Strengthen of Trusted Computing Base (TCB)(TCB)

Defense in Depth: even if compromised, Defense in Depth: even if compromised, kernel operations towards sensitive memory kernel operations towards sensitive memory areas are restricted by natureareas are restricted by nature

Provides strong trust-relationship Provides strong trust-relationship infrastructure to creating several other infrastructure to creating several other protection mechanisms in different layers of protection mechanisms in different layers of the kernel as well as of the user spacethe kernel as well as of the user space

Questions?Questions?

Thanks!!!Thanks!!!

contact me at contact me at [email protected]

mailto:[email protected]

ReferencesReferences

[1] [1] http://pax.grsecurity.net [2] [2] http://www.phrack.org/issues.html?issue=63&id=4 [3] [3]

http://assumpcao.org/content/publications/Breaking_PaX_ASLR.ppt [4] [4]

http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html

http://pax.grsecurity.net/

http://www.phrack.org/issues.html?issue=63&id=4

http://assumpcao.org/content/publications/Breaking_PaX_ASLR.ppt



Software Defense Mechanisms: PaX and the future past continuous.

Documents

rwp libld

rwp 2001e000

rwp 4001e000

rxp liblibc

rxp libld

pax team

pax developer howeverhave

executable page