w5_w5-4_memerr


Transcript of w5_w5-4_memerr

  • 8/13/2019 w5_w5-4_memerr

    1/39

    Malicious Software and its Underground Economy
    Two Sides to Every Story

    Specialized cybercrime
    Memory Errors: the Past, the Present, and the Future

    Lorenzo Cavallaro

    Information Security Group

    Royal Holloway, University of London

    Jul 15, 2013, Week 5-4

    (Week 5-4) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Jul 15, 2013Week 5-4 1 / 24

  • Memory Errors

  • Memory Errors

    A memory error occurs when an object accessed using a pointer expression is different from the one intended

    Out-of-bounds access (e.g., buffer overflow)
    Using a corrupted pointer (e.g., buffer overflow, format bug)
    Uninitialized pointer access, dangling pointers, ...

  • Memory Error Exploit

    A program that generates data to trigger a vulnerability and achieve reliable arbitrary code execution or subversion of the application logic (A. Sotirov)

    1 Gathers information on memory layout or locations
    2 Corrupts (control) data
        Saved return addresses, saved frame pointers
        Application-specific function pointers
        Binary format-specific function pointers: GOT, .dtors, C++ virtual pointers
    3 Subverts the application logic
        Hijacks the target's execution flow to execute arbitrary code, or
        Corrupts security-sensitive non-control data

  • A Vulnerable Program

    /* vuln.c */
    #include <stdlib.h>
    #include <string.h>

    void foobar(char *str) {
        char buffer[100];      /* fixed-size stack buffer */
        strcpy(buffer, str);   /* no bound on str: copies until its NUL */
    }

    int main(int argc, char *argv[]) {
        if (!argv[1]) return 1;
        foobar(argv[1]);
        exit(0);
    }

    Content of the stack when argv[1] contains A repeated 108 times (buffer | EBP | retaddr), as strcpy() advances through the input:

    i = 0     buffer: (untouched)   EBP: saved   retaddr: saved
    i = 100   buffer: A x 100       EBP: saved   retaddr: saved
    i = 104   buffer: A x 100       EBP: AAAA    retaddr: saved
    i = 108   buffer: A x 100       EBP: AAAA    retaddr: AAAA

    Where will execution resume when foobar() terminates?
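    Added here as an example, not code from the slides: the same foobar() written so that the copy can never run past buffer[100]. copy_bounded() is a strlcpy-style helper written for this example (strlcpy() itself is not portable), and foobar_safe() is a name chosen here; neither appears in the lecture.

```c
/* Added example (not the slide's own code): foobar() hardened so that an
 * over-long argv[1] is refused instead of overwriting EBP and retaddr.
 * copy_bounded() and foobar_safe() are names chosen for this example. */
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dst holds dstsz bytes), always NUL-terminating dst.
 * Returns strlen(src); a return value >= dstsz means the input did not fit
 * and the copy was truncated, so the caller can detect and refuse it. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Hardened counterpart of foobar(): same 100-byte stack buffer, but an input
 * that does not fit (99 characters plus NUL) is rejected rather than copied.
 * Returns 0 when the string was copied, -1 when it was too long. */
int foobar_safe(const char *str)
{
    char buffer[100];
    if (copy_bounded(buffer, sizeof buffer, str) >= sizeof buffer)
        return -1;   /* would have overflowed: refuse, do not truncate silently */
    /* ... buffer is now a valid, bounded C string and can be used ... */
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2 || !argv[1])
        return 1;
    if (foobar_safe(argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", (size_t)99);
        return 2;
    }
    puts("ok");
    return 0;
}
```

    Refusing the input, rather than truncating it with strncpy(), keeps the program from silently operating on data other than what was supplied. The compiler-side mitigations from the timeline that follows are still worth switching on for a binary like this (for GCC and Clang: -fstack-protector-strong for the canary, -D_FORTIFY_SOURCE=2 for checked strcpy()/memcpy() calls, -fPIE -pie so ASLR covers the executable), but they raise the cost of exploitation only; the bounds check is what removes the memory error.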

  • Attacks-Protections Evolution

    1996- Code injection
    1997  NX (no executable data memory)
    1998  Canary
          Protects only return addresses or saved frame pointers
    2000  Variable reordering
          Still application-specific pointers can be corrupted
    1997  Return-into-libc (code reuse)
          Defeats NX
    2001  Address space layout randomization (ASLR)
    2006  OS-specific protections (e.g., SafeSEH)
    2007  Return-oriented programming
          Defeats NX
          Defeats ASLR if information leaks (or .text is not randomized)
    2009  Ad-hoc return-oriented programming protections
          Compiler-enforced protections
          In-place code randomization
          Hardware-supported solutions
          ... Still an arms race

    ASLR seems overall the most promising mitigation yet

  • An Ongoing Threat?

    20+ years of research on memory errors
        Safe languages
        Program analysis
        Countermeasures

    Classic buffer overflow still in top 3 CWE/SANS top 25
    Will memory errors remain a significant threat?
    Do we need renewed/different research efforts?

    (V. van der Veen, N. Dutt-Sharma, L. Cavallaro, and H. Bos, Memory Errors: the Past, the Present, and the Future, RAID 2012)

  • Memory Errors: The Present

  • The Present: Vulnerability Analysis

    The number of memory errors is dropping

  • The Present: Vulnerability Breakdown

    No more format strings
    From stack to heap smashing

  • The Present: Exploit Breakdown

    The heap is difficult to exploit

  • The Present: Exploit Analysis

    Exploitation is getting harder
    Fewer reports

  • The Present: Public Disclosure?

    Is there something else that could explain this drop in reports?
    1 0-day private market
    2 Bounty programs
    3 Black market

  • The Present: 0-Day Private Market

    Pwn2Own 2012
    [...] But the other one, a memory corruption flaw in IE's protected mode sandbox, VUPEN will keep for itself and its customers (NATO governments and partners)

    Other companies selling zero-days
        Netragard
        Endgame Systems
        Northrop Grumman
        Raytheon
        Hacking Team (cyber surveillance)

  • The Present: Bounty Programs

    Vendors have started paying for zero-days
        Mozilla (up to $3,000)
        Google (up to $20,000)
        Facebook (minimum of $500)
        Barracuda Networks (up to $3,133.7)
        Zero Day Initiative
        ...

  • The Present: Black Market

    Selling on black markets is also lucrative

  • Memory Errors: The Future

  • The Future: Trends

    What can we expect in the future?

    Exploitation is getting harder
    Public disclosure is being avoided
    Increase of bounty programs
    Increase of 0-day private markets

  • The Future: Percentages

    Stats show memory errors seem to persist

  • The Future: C Usage

    Most important programming language (still)
    Lots of existing C software
    Not safe by design
    Hard to get it right

    Memory errors are endemic in C-like programs

  • Non-control data

    Non-control data attacks are realistic threats (USENIX Security 2005)
    Exim attack (2005)

    Typical heap overflow: overwrite a variable
    Does not divert control flow
    Undetected by NX, ASLR, canary protection

    More attacks in the future?
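    Added example, not code from the slides: a heap object in which a string buffer sits directly before a privilege flag, the "overwrite a variable" pattern the slide describes, shown with the defective setter beside the fixed one. struct session, set_name_unchecked(), set_name_checked(), session_new() and flag_after_checked_set() are all names invented for this example.

```c
/* Added example (not the slide's own code): non-control data next to an
 * unbounded string copy on the heap. set_name_unchecked() is the defective
 * version kept only for contrast; set_name_checked() is the fix. The struct
 * and function names are invented for this example. */
#include <stdlib.h>
#include <string.h>

struct session {
    char name[16];   /* attacker-influenced string ... */
    int  is_admin;   /* ... directly followed by non-control data that gates privilege */
};

/* Defective: strcpy() does not know that name holds 16 bytes, so a longer
 * input keeps writing into is_admin. No return address, saved frame pointer
 * or function pointer is modified, which is why NX, ASLR and stack canaries
 * see nothing. Never called here; shown for contrast only. */
void set_name_unchecked(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Fixed: look for the terminator within the space available before copying
 * anything. An input with no NUL in its first 16 bytes cannot fit together
 * with its terminator and is rejected, leaving the object untouched.
 * Returns 0 on success, -1 on rejection. */
int set_name_checked(struct session *s, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof s->name);
    if (nul == NULL)
        return -1;                                  /* would spill into is_admin */
    memcpy(s->name, src, (size_t)(nul - src) + 1);  /* copies the NUL as well */
    return 0;
}

/* Allocate a fresh, unprivileged session (calloc zeroes is_admin). */
struct session *session_new(void)
{
    return calloc(1, sizeof(struct session));
}

/* Run the checked setter on src and report the flag afterwards. For any
 * input, including an over-long one, the result must remain 0.
 * Returns -1 only if allocation fails. */
int flag_after_checked_set(const char *src)
{
    struct session *s = session_new();
    if (s == NULL)
        return -1;
    (void)set_name_checked(s, src);
    int flag = s->is_admin;
    free(s);
    return flag;
}
```

    Two points a reviewer should take from this layout. First, the length check belongs at the API boundary that accepts untrusted data, because nothing downstream can tell a legitimately set is_admin from one written by an over-long name. Second, a write that stays inside the 20-byte allocation is an intra-object overflow: it is not a heap-buffer-overflow from the allocator's point of view, so AddressSanitizer does not report it either; code review and bounded copies are the controls that catch it.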

  • Conclusions

    Memory errors will remain a serious threat
        High amounts paid for zero-days
    Exploitation is getting harder but less public
        Exploit kits also keep exploiting legacy apps
    Focus on comprehensive mitigations
    Focus on preventing privilege escalation
        Fine-grained sandboxing?

  • Recommended Readings I

    J. Caballero, C. Grier, C. Kreibich, and V. Paxson. Measuring Pay-per-Install: The Commoditization of Malware Distribution. In Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, August 2011.

    C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M. A. Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. In Proceedings of the 19th ACM Conference on Computer and Communications Security, Raleigh, NC, October 2012.

    A. Nappa, M. Z. Rafique, and J. Caballero. Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting. In Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, July 2013.

  • Suggested Readings

    V. van der Veen, N. Dutt-Sharma, L. Cavallaro, and H. Bos. Memory Errors: The Past, the Present, and the Future. In Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), September 2012.

    L. Bilge and T. Dumitras. Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 833–844, New York, NY, USA, 2012. ACM.