POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006...
Transcript of POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006...
![Page 1: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/1.jpg)
POKING HOLES IN INFORMATION HIDING
Angelos OikonomopoulosElias Athanasopoulos
Herbert BosCristiano Giuffrida
Vrije Universiteit Amsterdam
![Page 2: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/2.jpg)
Teaser
• Break ideal information hiding in seconds
• Few probes, typically no crashes
• Primitives pervasive in server programs
![Page 3: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/3.jpg)
ASLR today• No longer a strong defense by itself• Plays a pivotal role in powerful new defenses:
– Shadow stacks– Secure heap allocators– CPI (OSDI ’14)– StackArmor (NDSS ’15)– ASLR‐guard (CCS ’15)– SafeStack (clang/llvm)– …
![Page 4: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/4.jpg)
ASLR2001
200432‐bit ASLR bypass
Fine‐grained ASLR2006
2013JIT ROP
Pointer‐freeInformation hiding
2014
2015Huge hiddenarea bypass
Thread spraying2016
![Page 5: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/5.jpg)
Ideal information hiding
• The hidden area:– Has no pointers in memory referring to it– Is as small as possible– Does not grow during the execution
![Page 6: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/6.jpg)
Ideal information hiding
• The hidden area:– Has no pointers in memory referring to it– Is as small as possible– Does not grow during the execution
Threat model: arbitrary RW is okay!
![Page 7: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/7.jpg)
![Page 8: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/8.jpg)
Let’s have a look
at a Linux (PIE)
Address Space
![Page 9: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/9.jpg)
code
PC
stack
SP
heap Holes
mmap
![Page 10: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/10.jpg)
code
PC
stack
SP
heap Holes
mmap
Hidden area
![Page 11: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/11.jpg)
code
PC
stack
SP
heap
mmap
A
B
C
![Page 12: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/12.jpg)
Let’s not look for the hidden area
but for the holes!
![Page 13: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/13.jpg)
Even if we remove all pointersThere is one “pointer” left:
Then:– Leak size of the largest hole Infer hidden area location
– Not stored in user memory Can’t leak directly
– However, we can side‐channel the kernel to spill the beans!
the size of the hole itself.
![Page 14: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/14.jpg)
So look for the holes
• Intuition:– repeatedly allocate large chunks of memory of size L until we find the “right size”
Succeeds!Sizeof(Hole) ≥ L
![Page 15: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/15.jpg)
So look for the holes
• Intuition:– repeatedly allocate large chunks of memory of size L until we find the “right size”
Too large, alloc fails!Sizeof(Hole) < L
![Page 16: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/16.jpg)
So look for the holes
• Intuition:– repeatedly allocate large chunks of memory of size L until we find the “right size”
Succeeds!Sizeof(Hole) ≥ L
![Page 17: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/17.jpg)
So look for the holes
• Intuition:– repeatedly allocate large chunks of memory of size L until we find the “right size”
Too large, alloc fails!Sizeof(Hole) < L
![Page 18: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/18.jpg)
So look for the holes
• Intuition:– repeatedly allocate large chunks of memory of size L until we find the “right size”
Nailed it!
Binary search
![Page 19: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/19.jpg)
Ephemeral Allocation Primitive
• For each probe (i.e., server request):
• Strategy: allocation+deallocation, repeat
ptr = malloc(size);...
free(ptr);reply(result);
![Page 20: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/20.jpg)
Ephemeral Allocation Primitive
• Say:– Single hidden area is in A (*)–Hidden area splits A in two– L is the largest hole in AS–We can find L via binary search
L
SH
* See paper for generalization
![Page 21: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/21.jpg)
Of course we still miss 1 bit of entropydon’t know if large hole is above or below area
S
L
L
S
![Page 22: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/22.jpg)
Would be greatif we could solve this
![Page 23: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/23.jpg)
Persistent Allocation Primitive
• For each request:
• Pure persistent primitives rare• But we can often turn ephemeralinto persistent– Keep the connection open– Do not complete the req‐reply
ptr = malloc(size);...
reply(result);
![Page 24: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/24.jpg)
Ephemeral + persistent yields final bit
1. Determine L using ephemeral (binary search)2. Allocate L using persistent (removing L from AS)3. Reliably read memory at:
and find either hidden area or 0s:
hole_bottom_addr + L
L
S
S
L
![Page 25: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/25.jpg)
So we need
• A way to effect large allocations repeatedly• A way to detect whether they failed
Note: we want to attack info hiding Assume arbitrary read/write primitives
![Page 26: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/26.jpg)
Here is what we do
• A way to effect large allocations repeatedly• A way to detect whether they failed
• When server is in quiescent state– Taint all memory– See which bytes end up in allocation size
![Page 27: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/27.jpg)
Here is what we do
• A way to effect large allocations repeatedly• A way to detect whether they failed
Options• Direct observation (most common)
– E.g., HTTP 200 vs. 500• Fault side channels
– E.g., HTTP 200 vs. crash• Timing side channels
– E.g., VMA cache hit vs. miss
![Page 28: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/28.jpg)
Examples
• Nginx– Failed allocation: Connection close.
• Lighttpd–We crash both when
• allocation fails (too large) and • succeeds (but allocation > than physical memory)
– But in former case: crash immediately– In latter case, many page faults, takes a long time
![Page 29: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/29.jpg)
Discovered primitives
Program # Ephemeral Persistent Crash‐free
bind 2 ✔ ✔ ✔
lighttpd 3 ✔ ✔ ✘
mysql 3 ✔ ✔ ✔
nginx 5 ✔ ✔ ✔
![Page 30: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/30.jpg)
How fast is it?
• Pretty fast– Allocations/deallocations are cheap– End‐to‐end attack is O( log[ sizeof(AS) ] )– 37 probes in the worst case on nginx– Crash‐free, completes in a few seconds
• Existing memory scanning primitives– Remote side channels, CROP, etc.– End‐to‐end attack is O( sizeof(AS) )– 2^35 probes in the worst case
![Page 31: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/31.jpg)
Memory overcommit:• OS should allow (virtual) allocations beyond available physical memory– Common in server settings– Required by some applications:
• Reddis, Hadoop, virtualization, etc.
• However, even when disabled:– Allocation oracles still possible– But attacker has to bypass overcommit restrictions
Assumption
![Page 32: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/32.jpg)
Mitigations
• strict overcommit+ reduces attack surface‐ compatibility issues
• RLIMIT_AS+ stops attacks‐ requires per‐application policies
• APM+ preserves compatibility‐ probabilistic
![Page 33: POKING HOLES IN INFORMATION HIDING...ASLR 2001 2004 32‐bit ASLR bypass Fine‐grainedASLR 2006 2013 JIT ROP Pointer‐free Informationhiding 2014 2015 Hugehidden area bypass Thread](https://reader030.fdocuments.net/reader030/viewer/2022040211/5e75f05815c089327731a3fa/html5/thumbnails/33.jpg)
Conclusion
• Allocation oracles, new primitives against ASLR:– Efficient– Layout‐agnostic– Pervasive
• Can bypass all information hiding‐based defenses• Even ideal information hiding is insufficient• Time for better (meta)data protection techniques
• More info: https://www.vusec.net/nowhere‐to‐hide
Vrije Universiteit Amsterdam