Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio...
Transcript of Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio...
![Page 1: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/1.jpg)
Advanced Compiler Design, 18.5.2016
Antonio Hüseyin BarresiCo-founder & CEOxorlab AG
Compilers, Memory Errors and Hardening Techniques
1
![Page 2: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/2.jpg)
2
http://knowledge.zurich.com/risk-interconnectivity/time-to-wake-up-to-the-risks-of-cyber-crime
Executive Opinion Survey 2015
![Page 3: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/3.jpg)
3
What does that have to do with
Compilers?
![Page 4: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/4.jpg)
4
This talk
• Cyber attacks and compilers
• Memory errors and exploitation
• Hardening techniques and run-time security
![Page 6: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/6.jpg)
6
Cyber attacks cost the world economy >400 $ billion yearly
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
![Page 7: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/7.jpg)
7
Cyber crime is a growth industry
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
![Page 8: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/8.jpg)
8
•
• Direct financial losses, loss of competitivenessand other impact
• High-income countries suffer the most
• 0.9% of GDP in average
• Loss of 5.8 Bn CHF (CH 2013, GDP 646 Bn CHF)
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
![Page 9: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/9.jpg)
9
Example
![Page 10: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/10.jpg)
100 banks, 30 countries, 2 years
$1 Billion
10
![Page 11: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/11.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
11
![Page 12: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/12.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
12
![Page 13: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/13.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
13
![Page 14: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/14.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
14
![Page 15: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/15.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
15
![Page 16: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/16.jpg)
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
16
-2012-0158 is a buffer overflowVulnerability in the ListView / TreeView
ActiveX controls in the MSCOMCTL.OCX library
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
![Page 17: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/17.jpg)
17
Exploit and Zero-Day Attack
Exploit = exploit is a piece of software, a chunk of
data, or a sequence of commands that takes advantage
of a bug
Zero-Day Attack = zero-day attack or threat is an
attack that exploits a previously unknown vulnerability in
http://en.wikipedia.org/wiki/Exploit_(computer_security)http://en.wikipedia.org/wiki/Zero-day_attack
![Page 18: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/18.jpg)
18
Software attacks
• Attacking software is an important capability for attackers
• Scales well
• Can be done remotely
• Very powerful
![Page 19: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/19.jpg)
19
Arbitrarycode-execution
![Page 20: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/20.jpg)
20
Goal of an attacker
![Page 21: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/21.jpg)
21
![Page 22: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/22.jpg)
22
Most important thing
Profitability
![Page 23: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/23.jpg)
23
Profit
Revenue (Costs + expenses + taxes)
![Page 24: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/24.jpg)
24
Cyber criminals
• Have costs and expenses too!
• An economic decision
• Fighting cyber crime meanslimiting its profitability
![Page 25: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/25.jpg)
25
Cyber criminals
• Have costs and expenses too!
• An economic decision
• Fighting cyber crime meansprofitability
![Page 26: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/26.jpg)
26
Software hardening
• Compile and run-time techniques
• To make software exploitation harder
• But also slower
![Page 27: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/27.jpg)
Exploit mitigations since the 90s
27
1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
The Anderson Report
MorrisWorm
/GSSEH Overwrite
/SAFESEH
DEPLin + Win
XP SP2/GS/SAFESEH
ASLRWindowsVista
Integrity levelsWindows Vista
ASLRLinux
Advancedret2libcPaX ASLR
PaX PAGEEXEC
Smashingthe stack
StackGuardret2libc
vtguardWin8 + IE10
ROPGuard
Win8 «Sandbox»Win32k lockdown +App Container
Fully enforced
ASLR
NozzleHeap spraying protection
Heap spraying in browsers
EMET 5.2
Control Flow GuardVS15 +Win10 or 8.1 U3
ROP JOP + COP
![Page 28: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/28.jpg)
Attacker Return
28
Mitigating Software Vulnerabilities, July 2011, Microsoft
![Page 29: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/29.jpg)
Attacker Return
29
Mitigating Software Vulnerabilities, July 2011, Microsoft
Increase costs
![Page 30: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/30.jpg)
Hardening value chain
30
SourceCompiler &
Linker BinaryHardware
Operating system
Application
Run-time libraries
![Page 31: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/31.jpg)
Hardening value chain
31
SourceCompiler &
Linker BinaryHardware
Operating system
Application
Run-time librariesStack canaries
Pointer obfuscation
Compiler warnings
/SAFESEH/GS
vtguard & Virtual Table Verification
Control-flow guardStaticanalysis tools
NX-bit for DEP
DEP & ASLR
DEP & ASLR
Sandboxing
SEHOP
GOT protection
Hardened heap
Heap-spraying protection
Compiler optimizations
Annotations
ROP mitigations (EMET)
![Page 32: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/32.jpg)
32
Software attacks
![Page 33: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/33.jpg)
Victim Attacker
Exploits memory error within
vulnerable victim software
Runs a vulnerable web
server software
Runs an exploit that triggers a
memory error within the web
server software
$>./exploit 192.168.1.28
Runs a malicious web server
serving HTML documents that
trigger a memory error within
the web browser
Sends a malicious
PDF attachement by
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
Runs a vulnerable web
browser or PDF reader
Attacks
33
![Page 34: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/34.jpg)
Memory corruption
34
•
• C/C++
• Two basic types exist
• Spatial and temporal memory errors
• Allow attackers to corrupt memory in a more or less controllable way
![Page 35: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/35.jpg)
Allow low-level access to memory
• Typed pointers & pointer arithmetic
• No automatic bounds checking / index checking
Weakly enforced typing
• Cast (almost) anything to pointers
Explicit memory management
• Like malloc() & free() in C
«Unsafe» languages
35
![Page 36: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/36.jpg)
#include <stdio.h>#include <math.h>
long computation(int x, int y, int z, double f) {return (long)(((x*y)/z)*sin(f));
}
void main(){
*(int*)computation(32, 64, 2, M_PI/6) = 128;return;
}
shell:~$ gcc -o segfault segfault.c -lmshell:~$ ./segfaultSegmentation fault (core dumped)shell:~$
«Unsafe» languages - C
36
![Page 37: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/37.jpg)
#include <stdio.h>#include <string.h>
#define STDIN 0
void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);
}
shell:~$ gcc -o vuln vuln.c -fno-stack-protectorshell:~$ ./vulnread> hi there!shell:~$ ./vulnread> AAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA...Segmentation fault (core dumped)shell:~$
void main() {printf("read> ");vulnFunc();return;
}
«Unsafe» languages - C
37
![Page 38: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/38.jpg)
Spatial error Temporal error
Array / Object
[out of bounds]
start
*ptr
Array / Object
• De-reference pointer that is out of bounds
• De-reference pointer to freed memory
*ptr
Types of memory errors
38
![Page 39: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/39.jpg)
Spatial error Temporal error
Array / Object
Attacker supplied dataoverwrites/reads data/pointers
• Overwrite data or pointers
• Used or de-referenced later
• Make application allocate memory in the freed area
• Used as old type
Attacker supplied dataused as wrong type
*ptr
*ptrstart
Exploiting memory errors
39
![Page 40: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/40.jpg)
Overwrite data or pointers
• That might be used to overwrite data or pointers
• Function pointers, sensitive data, index values, control-flow sensitive data etc.
Leak information
• E.g., corrupt a length field
Construct attacker primitives
• Write primitive (write any value to arbitrary address)
• Read primitive (read from any address)
Attackers use memory errors to
40
![Page 41: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/41.jpg)
• Out-of-bounds bugs / Buffer overflows
• On stack or heap
• Dangling pointer / Use-after-free
• Integer bugs, signedness bugs
• Format string bugs
• Uninitialized memory
• NULL pointer dereference
Types of bugs
41
![Page 42: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/42.jpg)
Victim Attacker
<html><head></head><body>... <html or javascript thattriggers the memory corruptionvulnerability> ...</body></html>
0xe8a0f000
Heap
Corrupted
0x41414141
Code
Stack
Write primitive
*0xe8a0f000 = 0x41414141
Memory corruption attack
42
![Page 43: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/43.jpg)
43http://www.cs.berkeley.edu/~dawnsong/papers/Oakland13-SoK-CR.pdf
• Code corruption attack
• Control-flow hijack attack
• Data-only attack
• Information leak
Attack types
![Page 44: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/44.jpg)
• Most powerful attack
• Hijack control-flow
• To attacker supplied arbitrary machine code
• To existing code (code-reuse attack)
• Corrupt code pointers
• Return addresses, function pointers, vtable entries, exception handlers, jmp_bufs
Control-flow hijack attack
44
![Page 45: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/45.jpg)
Most ISAs support indirect branch instructions
E.g., x86 ret, indirect jmp, indirect call
branch *fptrfptr: 0xafe08044
Code
0x8056b30
good_func:0x08056b30
Control-flow hijack attack
45
![Page 46: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/46.jpg)
fptr corrupted by attacker
branch *fptr
Attacker goal: hijack control-flow to injected
fptr: 0xafe08044
Code
Corrupted
evil_code:
Control-flow hijack attack
46
![Page 47: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/47.jpg)
0x00000000
0xffffffff
%eip
0x084a4504
Code
Heap
Stack
0x084a4504
call *0xe0fa4404
func:
0xe0fa4404
0x00000000
0xffffffff
0x084a4504
0xe0fa4404
Code
Heap
Stack
0xfffc8408
call *0xe0fa4404
func:
AttackerCode
0xfffc8408
%eip
Indirect call to func() Hijacked indirect call
Control-flow hijack attack
47
![Page 48: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/48.jpg)
0x00000000
0xffffffff
Code
Heap
Stack
call/jmp/ret
attackercode &
data
attackercode &
data
<code from binary>
rw-
rw-
r-x
Make data regions non-executable(by default)
Changing protection flags or allocating rwx memory still possible
Required for JITs
Non-eXecutable data (NX)
48
![Page 49: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/49.jpg)
Code regions will be non-writable
• Else code corruption attacks possible
Also known as
• Data Execution Prevention (DEP) on Windows
• NX, Non-eXecutable Memory on Linux
• W^X, on OpenBSD
Implemented by hardware where available (NX-bit)
Non-eXecutable data (NX)
49
![Page 50: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/50.jpg)
Binary images need to provide separate sections / segments that can be mapped exclusively as
• rw- OR r-x
• Linker support required
Self-modifying code not allowed
• Compiler support required
• If code is generated just-in-time,explicit rwx allocation required
NX / DEP implementation issues
50
![Page 51: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/51.jpg)
0x00000000
0xffffffff
Code
Heap
Stackattackercode &
data
attackercode &
data
rw-
rw-
r-x
Only use existing code
Code-reuse attack
• ret2libc, ret2bin, ret2*
• Return-oriented programming (ROP)
• Jump/Call-oriented programming
Use code-reuse technique to change protection flags
Make memory executable• mprotect/VirtualProtect
• mmap/VirtualAlloc
Bypassing NX / DEP
51
![Page 52: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/52.jpg)
Stack during vulnFunc()
%ebp
%esp
void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);
}
Stack after read()
%ebp
%esp
Stack-based buffer overflow
%eip and %ebp under control
Local variables and buffers under attacker control
arguments
return address
saved ebp
return address
saved ebp
buf[1024]
main() stack frame
rw-
arguments
return address
saved ebp
overwritten retaddr
overwritten ebp
buf[1024]
overwritten frame
rw-
Code-reuse attack
52
![Page 53: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/53.jpg)
Stack after read()
%ebp
%esp
Before NX/DEP
Return to attacker supplied code
Shellcode
Use existing code
Executable or librariesE.g., mprotect()
arguments
return address
saved ebp
overwritten retaddr
overwritten ebp
buf[1024]
AttackerCode
“Shellcode“
overwritten frame
rw-
Code-reuse attack
53
![Page 54: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/54.jpg)
Stack after read()
%ebp
%esp
Let's call mprotect()
mprotect(address_shellcode, 4096, 0x1|0x2|0x4)
0x1 | 0x2 | 0x4 = RWX
mprotect() will make the stackexecutable
and return to our shellcode
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]
AttackerCode
“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rw-
Code-reuse attack
54
![Page 55: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/55.jpg)
Stack after mprotect()
%ebp
%esp
After mprotect() our stack is executable again
mprotect() will return to our shellcode
x64 or ARM:
Fill registers with parameters before invoking mprotect()
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]
AttackerCode
“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rwx
Code-reuse attack
55
![Page 56: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/56.jpg)
%ebp
%esp
Use available code snippets endingwith ret instruction
Called gadgets / ROP chain
E.g., write primitive
Code
arguments
return address
saved ebp
address gadget1
dummy ebp
buf[1024]
value
address gadget2
address
rw-
dummy value
address gadget3
address gadget4
r-x
pop %edx;ret;
1
pop %eax;pop %ebx;ret;
2
mov %edx, (%eax);mov $0x0, %eax;ret;
3
Return-oriented programming
56
![Page 57: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/57.jpg)
• Turing complete although not required
• Can be initiated over call or jmp as well
• Need to be in control of memory %esp is pointing to
Or make %esp point to area under control
• Also possible with jmp or call gadgets
Return-oriented programming
57
![Page 58: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/58.jpg)
To hijack control-flow or to corrupt memory an attacker needs to know where things are in memory
Addresses of data or pointers to corrupt
Addresses of injected shellcode/payload
Addresses of gadgets
Addresses in memory
58
![Page 59: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/59.jpg)
Once upon a time...
Addresses were more or less predictable
Executables and libraries were prelinked to certain addresses
Stack and Heap base addresses were fixed
• With differences at runtime for specific locationsdue to the dynamic behaviour of the process
Addresses in memory
59
![Page 60: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/60.jpg)
Today most Operating Systems implementAddress Space Layout Randomization
Randomize memory layout of processes to makeaddress prediction or guessing hard
What can be randomized?
• OS: Stack, heap and memory mapping base addresses
• OS, compiler, linker: Exectuables and libraries• Position-independent or relocatable code
ASLR
60
![Page 61: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/61.jpg)
0x00000000
0xffffffff
mm base range
Executable
Heap
Stack
Library 2
Library 1
Memory Mapping
heap base range
stack base range
libraries base range
executable base range
aligned
page-aligned
page-aligned
page-aligned
page-aligned
Use source of randomness to randomize within ranges
Randomization of layout
61
![Page 62: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/62.jpg)
In general: Usage of fixed addresses not allowed
Code should be position-independent or relocatable
Linux/ELF:• PIC & PIE supported, libraries all PIC, executables sometimes still prelinked
Windows/PE:• No PIC support! But libraries/executables relocatable!
x86 32bit PIE/PIC slower, no IP relative data addressing
Relocated PE images not sharable between processes
ASLR implementation issues
62
![Page 63: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/63.jpg)
Enough entropy?
• Base range size
• Alignment constraints
• Address width (64bit is better than 32bit)
Randomization strategy
Per process, system-wide per boot
Source of randomness
ASLR only effective without exceptions
ASLR effectiveness
63
![Page 64: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/64.jpg)
Low entropy
Brute-force addresses (multiple attempts required)
Memory leaks (information disclosure)
Leak addresses to derive base addresses
Construct and enforce a leak by memory corruption
Application and vulnerability specific attacks
Force predictable memory state
• Heap-spraying / Heap massaging
Pointer inference
• Use a side-channel
Avoid using exact addresses
• Only corrupt least significant bytes i.e. offsets
Bypassing ASLR
64
![Page 65: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/65.jpg)
Victim Attacker
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
HTTP/1.1 200 OKDate: Fri, 12 Mar 2014 23:59:00 GMTContent-Type: text/htmlContent-Length: 1354Allow: GET,POST,OPTIONS,HEADCache-Control: public,max-age=30<binary data... 0x414162320xffed4460 0x77ff2332 0x...>
<html><head>...
Heap
Code
Stack
0xffed4460
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
1
2
3
Trigger memory leak
Parse response for leaked memoryand construct exploit
Exploit memory error withtailored exploit
Runs web server software with
memory leak and exploitable
memory corruption
vulnerability
Memory leak
65
![Page 66: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/66.jpg)
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]Attacker
Code“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rwx
vulnExecutable
Heap
Stack
libc
libc data
0x0efa4604
mprotect:
0x0efa4604
0x0ebb0880
0x0dfff000libc base
?
static offset
mprotect = leaked pointer – static offset
0x0ebb0880 = 0x0efa4604 - 0x003f3d84
Memory leak
66
![Page 67: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/67.jpg)
void memLeak() {char buf[256];scanf("%s", buf);printf(buf);
}
shell:~$ gcc -o memleak memleak.cmemleak.c: In function ‘memLeak’:memleak.c:9:2: warning: format not a string literal and no format arguments [-Wformat-security]shell:~$ ./memleakecho> hihishell:~$ ./memleakecho> %llx,%llx,%llx,%llx,%llx,%llx,%llx,%llx1,7fabf517cac0,a,ffffffff,0,6c6c252c786c6c25,252c786c6c252c78,786c6c252c786c6cshell:~$
void main() {printf("echo> ");memLeak();printf("\n");return;
}
Memory leak format string bug
67
![Page 68: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/68.jpg)
http://en.wikipedia.org/wiki/HeartbleedSimplified Heartbleed explanation by FenixFeather licensed under CC
Heartbleed CVE-2014-0160 - OpenSSL
68
![Page 69: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/69.jpg)
Constructed arbitrary readCVE-2011-2371 Firefox vulnerability
69
![Page 70: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/70.jpg)
DEP & ASLR are generic defenses
Exploitation becomes harder for all vulnerability classes &attack techniques
Together quite effective• If implemented correctly
Injecting code and corrupting pointers with exact addresses is in general desirable for attackers
DEP & ASLR
70
![Page 71: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/71.jpg)
A determined attacker will use code-reuse
techniques and memory leaks to bypass
DEP & ASLR.
DEP & ASLR are not enough
71
![Page 72: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/72.jpg)
Raise exploit development costs with additional protections
• The more line of defenses, the better!
• Implement protections against specific vulnerability classes and exploitation techniques
Additional protections
72
![Page 73: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/73.jpg)
May require source code changes (annotations)and/or recompilation of the application
Compile-time and checks at run-time
Additional protections
73
• Stack canaries / cookies
• Pointer obfuscation
• /GS
• /SAFESEH (link-time, provide list ofvalid handlers)
• SEHOP (run-time, walk down SEH chain i.e. integrity check)
• Virtual Table Verification (VTV) & vtguard
• Control-Flow Guard
![Page 74: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/74.jpg)
74
Stack canary / cookie
![Page 75: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/75.jpg)
Mitigations deployment delay
75
• Deployment of exploit mitigations requires time
• Source or binary compatibility risk
• Support from multiple sides required
Attackers have time to adapt
![Page 76: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/76.jpg)
Exploit mitigations since the 90s
76
1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
The Anderson Report
MorrisWorm
/GSSEH Overwrite
/SAFESEH
DEPLin + Win
XP SP2/GS/SAFESEH
ASLRWindowsVista
Integrity levelsWindows Vista
ASLRLinux
Advancedret2libcPaX ASLR
PaX PAGEEXEC
Smashingthe stack
StackGuardret2libc
vtguardWin8 + IE10
ROPGuard
Win8 «Sandbox»Win32k lockdown +App Container
Fully enforced
ASLR
NozzleHeap spraying protection
Heap spraying in browsers
EMET 5.2
Control Flow GuardVS15 +Win10 or 8.1 U3
ROP JOP + COP
![Page 77: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/77.jpg)
Modern mitigations
77
• ROP mitigations (EMET)
• Control-Flow Integrity
• Control-Flow Guard (CFG)
![Page 78: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/78.jpg)
ROP mitigations (EMET)
78
• Run-time checks
• Detect ongoing ROP attacks
• Hook into sensitive APIs
![Page 79: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/79.jpg)
Control-flow integrity (CFI)
79
• Original publication in 2005«Control-Flow Integrity Principles, Implementations, and Applications»
• Many CFI implementations proposed since then• Compiler-based, binary-only (static rewriting)
• Check indirect control-flow transfers and limitthe set of allowed targets
![Page 80: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/80.jpg)
Control-flow integrity (CFI)
80
• CFI approachesXFI (2006), HyperSafe (2010), CFIMon (2012), MoCFI (2012), BinCFI (2013), KCoFI (2014), MCFI (2014)
• -Grained Control-Flow Integrity through Binary
Mathias Payer, Antonio Barresi, Thomas R. Gross
• -Flow Bending: On the Effectiveness of Control-
Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, Thomas R. Gross
![Page 81: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/81.jpg)
Control-flow guard (CFG)
81
• First adoption of a practicalControl-Flow Integrity (CFI) implementation
• Requires recompilation and OS support• VS15 + Windows 10 or 8.1 U3
• Restricts indirect call targetsto a static global set of locations
![Page 82: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/82.jpg)
Control-flow guard (CFG)
82
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
![Page 83: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/83.jpg)
Control-flow guard (CFG)
83
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
![Page 84: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/84.jpg)
Control-flow guard (CFG)
84
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
![Page 85: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/85.jpg)
Control-flow guard (CFG)
85
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
ntdll!LdrpValidateUserCallTarget
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
![Page 86: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/86.jpg)
Future?
86
• Hardening techniques make exploit development harder and increase the costs of an attack
• But there is no magic bullet
•
code-reuse techniques to bypass all mitigations(ret2libc is 1997)
![Page 87: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/87.jpg)
Pwn2own 2016
87
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/http://blog.trendmicro.com/pwn2own-day-2-event-wrap/
![Page 88: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/88.jpg)
88
Conclusion
![Page 89: Compilers, Memory Errors and Hardening Techniques · Advanced Compiler Design, 18.5.2016 Antonio Hüseyin Barresi Co-founder & CEO xorlab AG Compilers, Memory Errors and Hardening](https://reader035.fdocuments.net/reader035/viewer/2022081402/5f0ac7967e708231d42d4d6c/html5/thumbnails/89.jpg)
Conclusion
89
• Compilers help mitigate software attacks
• Software hardening increases costs of attacks
• Attackers still find ways to bypass all protections