MemoryCorrup+on

BasicMemoryCorrup+onA3acks

OriginalslideswerecreatedbyProf.DanBoneh

Memorycorrup+ona3acks•  A3acker’sgoal:

–  Takeovertargetmachine(e.g.webserver)•  Executearbitrarycodeontargetbyhijackingapplica+oncontrolflowleveragingmemorycorrup+on

•  Examples.–  Bufferoverflowa3acks–  Integeroverflowa3acks–  Formatstringvulnerabili+es

Example1:bufferoverflows•  ExtremelycommonbuginC/C++programs.

–  Firstmajorexploit:1988InternetWorm.fingerd.

0

100

200

300

400

500

600

1995 1997 1999 2001 2003 2005

Source:NVD/CVE

≈ 20%ofallvuln.

Whatisneeded•  UnderstandingCfunc+ons,thestack,andtheheap.•  Knowhowsystemcallsaremade•  Theexec()systemcall

•  A3ackerneedstoknowwhichCPUandOSusedonthetargetmachine:

– Ourexamplesareforx86runningLinuxorWindows– DetailsvaryslightlybetweenCPUsandOSs:

•  Li3leendianvs.bigendian(x86 vs. Motorola)•  StackFramestructure(Unixvs.Windows)

Linuxprocessmemorylayout

unused 0x08048000

run+meheap

sharedlibraries

userstack

0x40000000

0xC0000000

%esp

brk

Loadedfromexec

0

excep+onhandlers

StackFrame

arguments

returnaddressstackframepointer

localvariablesSP

StackGrowth

high

low

Whatarebufferoverflows?void func(char *str) { char buf[128];

strcpy(buf, str); do-something(buf);

}

Supposeawebservercontainsafunc+on:

Whenfunc()iscalledstacklookslike:

argument:strreturnaddress

stackframepointer

charbuf[128]

SP

Whatarebufferoverflows?void func(char *str) { char buf[128];

strcpy(buf, str); do-something(buf);

}

Whatif*stris136byteslong?Aferstrcpy:

argument:strreturnaddress

stackframepointer

charbuf[128]

SP

*str Problem:nolengthcheckinginstrcpy()

charbuf[128]

returnaddress

BasicstackexploitSuppose*strissuchthataferstrcpystacklookslike:

ProgramP:exec(“/bin/sh”)

Whenfunc()exits,theusergetsshell!Note:a3ackcodePrunsinstack.

ProgramP

low

high

TheNOPslideProblem:howdoesa3acker

determineret-address?Solu+on:NOPslide•  Guessapproximatestackstate

whenfunc()iscalled

•  InsertmanyNOPsbeforeprogramP:nop,xoreax,eax,incax

charbuf[128]

returnaddress

NOPSlide

ProgramP

low

high

Detailsandexamples•  Somecomplica+ons:

–  ProgramPshouldnotcontainthe‘\0’character.– Overflowshouldnotcrashprogrambeforefunc()exists.

•  (in)Famousremotestacksmashingoverflows:–  (2007)OverflowinWindowsanimatedcursors(ANI).LoadAniIcon()

–  (2005)OverflowinSymantecVirusDetec+on

test.GetPrivateProfileString "file", [long string]

Manyunsafelibcfunc+onsstrcpy(char*dest,constchar*src)strcat(char*dest,constchar*src)gets(char*s)scanf(constchar*format,…)andmanymore.

•  “Safe”libcversionsstrncpy(),strncat()aremisleading–  e.g.strncpy()mayleavestringunterminated.

•  WindowsCrun+me(CRT):–  strcpy_s(*dest,DestSize,*src):ensurespropertermina+on

Bufferoverflowopportuni+es•  Excep+onhandlers:(WindowsSEHa3acks)

–  Overwritetheaddressofanexcep+onhandlerinstackframe.

•  Func+onpointers:(e.g.PHP4.0.2,MSMediaPlayerBitmaps)

–  Overflowingbufwilloverridefunc+onpointer.

•  Longjmpbuffers:longjmp(pos)(e.g.Perl5.003)

–  Overflowingbufnexttoposoverridesvalueofpos.

Heapor

stackbuf[128] FuncPtr

Corrup+ngmethodpointers•  Compilergeneratedfunc+onpointers(e.g.C++code)

•  Aferoverflowofbuf:

ptr

data

ObjectT

FP1FP2FP3

vtable

method#1method#2method#3

ptr

buf[256] data

objectT

vtable

NOPslide

shellcode

Findingbufferoverflows•  Tofindoverflow:

– Runwebserveronlocalmachine– Issuemalformedrequests(endingwith“$$$$$”)

•  Manyautomatedtoolsexist(fuzzers,symbolic/concolicexecu+on)

– Ifwebservercrashes,searchcoredumpfor“$$$$$”tofindoverflowloca+on

•  Constructexploit(noteasygivenlatestdefenses)

MemoryCorrup+on

MoreMemoryCorrup+onA3acks

MoreCorrup+onOpportuni+es

•  Integeroverflows:(e.g. MS DirectX MIDI Lib)

•  Doublefree:doublefreespaceonheap–  Cancausememorymgrtowritedatatospecificloca+on–  Examples:CVSserver

•  Use after free: using memory after it is freed

•  Format string vulnerabilities

IntegerOverflows(seePhrack60)Problem:whathappenswhenintexceedsmaxvalue?

intm;(32bits)shorts;(16bits)charc;(8bits)

c=0x80+0x80=128+128 ⇒c=0

s=0xff80+0x80 ⇒s=0

m=0xffffff80+0x80 ⇒m=0Canthisbeexploited?

Anexamplevoidfunc(char*buf1,*buf2,unsignedintlen1,len2){

char temp[256]; if (len1 + len2 > 256) {return -1} // length check memcpy(temp, buf1, len1); // cat buffers memcpy(temp+len1, buf2, len2); do-something(temp); // do stuff

}

Whatiflen1=0x80,len2=0xffffff80?⇒len1+len2=0

Secondmemcpy()willoverflowheap!!

0

20

40

60

80

100

120

140

1996 1998 2000 2002 2004 2006Source:NVD/CVE

Integeroverflowexploitstats

Formatstringbugs

Formatstringproblem int func(char *user) { fprintf( stderr, user); }

Problem:whatif*user = “%s%s%s%s%s%s%s”??– Mostlikelyprogramwillcrash:DoS.–  Ifnot,programwillprintmemorycontents.Privacy?–  Fullexploitusinguser=“%n”

Correctform: fprintf( stdout, “%s”, user);

Vulnerablefunc+onsAnyfunc+onusingaformatstring.Prin+ng:prinz,fprinz,sprinz,…vprinz,vfprinz,vsprinz,…

Logging:syslog,err,warn

Exploit•  Dumpingarbitrarymemory:

– Walkupstackun+ldesiredpointerisfound.

–  prinz(“%08x.%08x.%08x.%08x|%s|”)

•  Wri+ngtoarbitrarymemory:

–  prinz(“hello%n”,&temp)--writes‘6’intotemp.

–  prinz(“%08x.%08x.%08x.%08x.%n”)

MemoryCorrup+on

PlazormDefenses

Preven+nghijackinga3acks1.  Fixbugs:

– Auditsofware•  Automatedtools:Coverity,Prefast/Prefix.

– Rewritesofwareinatypesafelanguange(Java,ML)•  Difficultforexis+ng(legacy)code…

2.  Concedeoverflow,butpreventcodeexecu+on

3.  Addrun+mecodetodetectoverflowsexploits– Haltprocesswhenoverflowexploitdetected– StackGuard,LibSafe,…

Markingmemoryasnon-execute(W^X)

Preventa3ackcodeexecu+onbymarkingstackandheapasnon-executable

•  NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott –  NXbitineveryPageTableEntry(PTE)

•  Deployment:–  Linux(viaPaXproject);OpenBSD– Windows:sinceXPSP2(DEP)

•  VisualStudio:/NXCompat[:NO]

•  Limita+ons:–  Someappsneedexecutableheap(e.g.JITs).–  Doesnotdefendagainst`ReturnOrientedProgramming’exploits

Examples:DEPcontrolsinWindows

DEPtermina+ngaprogram

A3ack:ReturnOrientedProgramming(ROP)

•  Controlhijackingwithoutexecu+ngcustomcode

argsret-addr

sfp

local buf

stack

exec()printf()

“/bin/sh”

libc.so

Response:randomiza+on•  ASLR:(AddressSpaceLayoutRandomiza+on)

– Mapsharedlibrariestorandloca+oninprocessmemory⇒A3ackercannotjumpdirectlytoexecfunc+on

– Deployment:(/DynamicBase)•  Windows7: 8bitsofrandomnessforDLLs

– alignedto64Kpageina16MBregion⇒256choices•  Windows8: 24bitsofrandomnesson64-bitprocessors

•  Otherrandomiza+onmethods:–  Sys-callrandomiza+on:randomizesys-callid’s–  Instruc+onSetRandomiza+on(ISR)

ASLRExampleBooting twice loads libraries into different locations:

Note:everythinginprocessmemorymustberandomized stack,heap,sharedlibs,baseimage

• Win8ForceASLR:ensuresallloadedmodulesuseASLR

Defenses:Canary•  Manyrun-+mecheckingtechniques…

–  weonlydiscussmethodsrelevanttooverflowprotec+on

•  Solu+on1:StackGuard–  Run+metestsforstackintegrity.–  Embed“canaries”instackframesandverifytheirintegritypriortofunc+onreturn.

str ret sfp localtopof

stackcanarystr ret local canaryFrame1Frame2

sfp

CanaryTypes•  Randomcanary:

–  Randomstringchosenatprogramstartup.–  Insertcanarystringintoeverystackframe.–  Verifycanarybeforereturningfromfunc+on.

•  Exitprogramifcanarychanged.Turnspoten+alexploitintoDoS.–  Tocorrupt,a3ackermustlearncurrentrandomstring.

•  Terminatorcanary:Canary={0,newline,linefeed,EOF}–  Stringfunc+onswillnotcopybeyondterminator.–  A3ackercannotusestringfunc+onstocorruptstack.

Canariesarenotfullproof•  Canariesareanimportantdefensetool,butdonotpreventall

controlhijackinga3acks:

–  Heap-baseda3ackss+llpossible

–  Integeroverflowa3ackss+llpossible

– Maynot(dependsontheimplementa+on)preventExcep+onHandlinga3acks

Moremethods…Ø  StackShield

§  Atfunc+onprologue,copyreturnaddressRETandSFPto“safe”loca+on(beginningofdatasegment)

§  Uponreturn,checkthatRETandSFPisequaltocopy.§  Implementedasassemblerfileprocessor(GCC)

Ø  ControlFlowIntegrity(CFI)§  Acombina+onofsta+canddynamicchecking

§  Sta+callydetermineprogramcontrolflow§  Dynamicallyenforcecontrolflowintegrity

MemoryCorrup+on

AdvancedA3acks

HeapSprayA3acks

Areliablemethodforexploi+ngheapoverflows

Heap-basedcontrolhijacking•  Compilergeneratedfunc+onpointers(e.g.C++code)

•  Supposevtableisontheheapnexttoastringobject:

ptr

data

ObjectT

FP1FP2FP3

vtable

method#1method#2method#3

ptr

buf[256] data

objectT

vtable

Heap-basedcontrolhijacking•  Compilergeneratedfunc+onpointers(e.g.C++code)

•  Aferoverflowofbufwehave:

ptr

data

ObjectT

FP1FP2FP3vtable

method#1method#2method#3

ptr

buf[256] data

objectT

vtable

shellcode

Areliableexploit? <SCRIPTlanguage="text/javascript"> shellcode=unescape("%u4343%u4343%..."); overflow-string=unescape(“%u2332%u4276%...”);

cause-overflow(overflow-string);//overflowbuf[] </SCRIPT>

Problem: a3ackerdoesnotknowwherebrowser

placesshellcodeontheheap

ptr

buf[256] data

shellcodevtable

???

HeapSpraying[SkyLined2004]Idea: 1.useJavascripttosprayheap

withshellcode(andNOPslides)

2.thenpointvtableptranywhereinsprayarea

heap

vtable

NOPslide shellcode

heapsprayarea

Javascriptheapspraying var nop = unescape(“%u9090%u9090”) while (nop.length < 0x100000) nop += nop

var shellcode = unescape("%u4343%u4343%...");

var x = new Array () for (i=0; i<1000; i++) { x[i] = nop + shellcode; }

•  Poin+ngfunc-ptralmostanywhereinheapwillcauseshellcodetoexecute.

Vulnerablebufferplacement•  Placingvulnerablebuf[256]nexttoobjectO:

–  BysequenceofJavascriptalloca+onsandfreesmakeheaplookasfollows:

–  Allocatevuln.bufferinJavascriptandcauseoverflow

–  SuccessfullyusedagainstaSafariPCREoverflow[DHM’08]

objectO

freeblocks

heap

Manyheapsprayexploits

•  Improvements:HeapFengShui[S’07]–  ReliableheapexploitsonIEwithoutspraying–  Givesa3ackerfullcontrolofIEheapfromJavascript

[RLZ’08]

(par+al)Defenses•  Protectheapfunc+onpointers•  Be3erbrowserarchitecture:

–  StoreJavaScriptstringsinaseparateheapfrombrowserheap

•  OpenBSDheapoverflowprotec+on:

•  Nozzle[RLZ’08]:detectspraysbyprevalenceofcodeonheap

non-writablepages

preventscross-pageoverflows

Referencesonheapspraying[1] HeapFengShuiinJavascript,

byA.So+rov,BlackhatEurope2007[2] EngineeringHeapOverflowExploitswithJavaScript

M.Daniel,J.Honoroff,andC.Miller,WooT2008[3] Nozzle:ADefenseAgainstHeap-sprayingCodeInjec`onAaacks, byP.Ratanaworabhan,B.Livshits,andB.Zorn

[4] InterpreterExploita`on:PointerinferenceandJiTspraying,

byDionBlazakis