8/13/2019 w5_w5-4_memerr
Malicious Software and its Underground Economy
Two Sides to Every Story
Specialized cybercrime
Memory Errors: the Past, the Present, and the Future
Lorenzo Cavallaro
Information Security Group
Royal Holloway, University of London
Jul 15, 2013, Week 5-4
(Week 5-4) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Jul 15, 2013 Week 5-4 1 / 24
Memory Errors
Memory Errors
A memory error occurs when an object accessed using a pointer expression is different from the one intended
- Out-of-bounds access (e.g., buffer overflow)
- Using a corrupted pointer (e.g., buffer overflow, format bug)
- Uninitialized pointer access, dangling pointers, . . .
Memory Error Exploit
A program that generates data to trigger a vulnerability and achieve reliable arbitrary code execution or subversion of the application logic (A. Sotirov)
1. Gathers information on memory layout or locations
2. Corrupts (control) data
   - Saved return addresses, saved frame pointers
   - Application-specific function pointers
   - Binary format-specific function pointers: GOT, .dtors, C++ virtual pointers
3. Subverts the application logic
   - Hijacks the target's execution flow to execute arbitrary code, or
   - Corrupts security-sensitive non-control data
A Vulnerable Program
/* vuln.c */
#include <stdlib.h>
#include <string.h>

void foobar(char *str) {
    char buffer[100];
    strcpy(buffer, str);   /* no bounds check: writes past buffer[99] when str is longer */
}

int main(int argc, char **argv) {
    if (!argv[1]) return 1;
    foobar(argv[1]);
    exit(0);
}
Content of the stack when argv[1] contains A repeated 108 times (low addresses on the left):
buffer (100 bytes) | saved EBP (4 bytes) | return address (4 bytes)
i = 0:   nothing copied yet
i = 100: buffer is full: A A A A A A A A A A . . . A A A A A A A A A A
i = 104: the next four A's overwrite the saved EBP
i = 108: the last four A's overwrite the saved return address
Where will execution resume when foobar() terminates?
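The following is an added example, not code from the slides. It puts the slide's stack picture into a small model and places a bounded replacement for foobar() next to it: slot_for_offset() maps a byte offset from buffer[0] onto the frame the slide draws (100-byte buffer, then a 4-byte saved EBP, then a 4-byte return address; this layout is an assumption, since real compilers add padding, canaries or reorder locals), farthest_slot_written() says which slot an unchecked strcpy() of a given length reaches (counting the terminating NUL that strcpy() writes and that the slide's count of A's does not include), and foobar_safe() shows the check the original function lacks. The helper names are hypothetical.

```c
/* Added example (not from the slides): frame model of vuln.c plus a bounded copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 32-bit layout from the slide: buffer, saved EBP, return address. */
#define BUF_LEN        100
#define SAVED_EBP_LEN  4
#define RET_ADDR_LEN   4

enum frame_slot { IN_BUFFER, SAVED_EBP, RETURN_ADDRESS, PAST_FRAME };

/* Which slot does the byte at `offset` (counted from buffer[0]) land in? */
enum frame_slot slot_for_offset(size_t offset)
{
    if (offset < BUF_LEN)                                   return IN_BUFFER;
    if (offset < BUF_LEN + SAVED_EBP_LEN)                   return SAVED_EBP;
    if (offset < BUF_LEN + SAVED_EBP_LEN + RET_ADDR_LEN)    return RETURN_ADDRESS;
    return PAST_FRAME;
}

/* Farthest slot touched by an unchecked strcpy() of `input_len` characters:
 * strcpy() copies input_len bytes plus a NUL, so the last byte written
 * lands at offset input_len. */
enum frame_slot farthest_slot_written(size_t input_len)
{
    return slot_for_offset(input_len);
}

/* Bounded version of foobar(): rejects input that would not fit, NUL included.
 * Returns 0 when copied, -1 when rejected. */
int foobar_safe(const char *str)
{
    char buffer[BUF_LEN];
    size_t len = strlen(str);
    if (len >= sizeof buffer)          /* need one byte left for the terminator */
        return -1;
    memcpy(buffer, str, len + 1);      /* length already checked above */
    return 0;
}

/* Constructed input: n copies of 'A', as on the slide (caller frees). */
char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) abort();
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    static const char *names[] = { "buffer", "saved EBP", "return address", "past the frame" };
    size_t lens[] = { 0, 99, 100, 104, 107, 108 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *s = make_a_string(lens[i]);
        printf("%3zu x 'A': unchecked strcpy reaches %-15s bounded copy: %s\n",
               lens[i], names[farthest_slot_written(lens[i])],
               foobar_safe(s) == 0 ? "accepted" : "rejected");
        free(s);
    }
    return 0;
}
```

Note that 99 characters is the longest input foobar_safe() accepts: the 100th byte of the buffer is reserved for the terminator, which is exactly the byte an unchecked strcpy() of 100 characters drops into the saved EBP.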
Attacks-Protections Evolution
1996- Code injection
1997 NX (no executable data memory)
1998 Canary
      Protects only return addresses or saved frame pointers
2000 Variable reordering
      Still application-specific pointers can be corrupted
1997 Return-into-libc (code reuse)
      Defeats NX
2001 Address space layout randomization (ASLR)
2006 OS-specific protections (e.g., SafeSEH)
2007 Return-oriented programming
      Defeats NX
      Defeats ASLR if information leaks (or .text is not randomized)
2009 Ad-hoc return-oriented programming protections
      Compiler-enforced protections
      In-place code randomization
      Hardware-supported solutions
      . . . Still an arms race
ASLR seems overall the most promising mitigation yet
An Ongoing Threat?
20+ years of research on memory errors
- Safe languages
- Program analysis
- Countermeasures
Classic buffer overflow still in the top 3 of the CWE/SANS Top 25
Will memory errors remain a significant threat?
Do we need renewed/different research efforts?
(V. van der Veen, N. Dutt-Sharma, L. Cavallaro, and H. Bos, "Memory Errors: the Past, the Present, and the Future", RAID 2012)
Memory Errors: The Present
The Present: Vulnerability Analysis
The number of memory errors is dropping
The Present: Vulnerability Breakdown
No more format strings
From stack to heap smashing
The Present: Exploit Breakdown
The heap is difficult to exploit
The Present: Exploit Analysis
Exploitation is getting harder
Fewer reports
The Present: Public Disclosure?
Is there something else that could explain this drop in reports?
1. 0-day private market
2. Bounty programs
3. Black market
The Present: 0-Day Private Market
Pwn2Own 2012
"[. . . ] But the other one, a memory corruption flaw in IE's protected-mode sandbox, VUPEN will keep for itself and its customers (NATO governments and partners)"
Other companies selling zero-days
- Netragard
- Endgame Systems
- Northrop Grumman
- Raytheon
- Hacking Team (cyber surveillance)
The Present: Bounty Programs
Vendors have started paying for zero-days
- Mozilla (up to $3,000)
- Google (up to $20,000)
- Facebook (minimum of $500)
- Barracuda Networks (up to $3,133.7)
- Zero Day Initiative
- . . .
The Present: Black Market
Selling on black markets is also lucrative
Memory Errors: The Future
The Future: Trends
What can we expect in the future?
- Exploitation is getting harder
- Public disclosure is being avoided
- Increase of bounty programs
- Increase of 0-day private markets
The Future: Percentages
Stats show memory errors seem to persist
The Future: C Usage
- Most important programming language (still)
- Lots of existing C software
- Not safe by design
- Hard to get it right
Memory errors are endemic in C-like programs
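"Hard to get it right" holds even for the string functions meant to be safe. The following added example (not from the slides) copies into a deliberately small fixed buffer two ways: with strncpy(), which silently leaves the destination without a terminator whenever the source does not fit, and with bounded_copy(), a constructed helper (not a library routine) that always terminates and returns the source length so the caller can detect truncation. The buffer size and inputs are constructed for illustration.

```c
/* Added example (not from the slides): strncpy() pitfall vs. a bounded copy. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* constructed: small enough to show truncation */

/* Returns 1 if buffer[] holds a NUL within its bounds after strncpy(). */
int terminated_after_strncpy(const char *src)
{
    char buffer[BUF_LEN];
    memset(buffer, 'X', sizeof buffer);          /* make a missing NUL visible */
    strncpy(buffer, src, sizeof buffer);         /* writes no NUL if strlen(src) >= 8 */
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

/* Copy src into dst (dst_size bytes), always NUL-terminating dst.
 * Returns strlen(src); a result >= dst_size means the copy was truncated. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Returns 1 if buffer[] is terminated after bounded_copy(). */
int terminated_after_bounded_copy(const char *src)
{
    char buffer[BUF_LEN];
    memset(buffer, 'X', sizeof buffer);
    bounded_copy(buffer, sizeof buffer, src);
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

/* Returns 1 if bounded_copy() had to truncate src to fit BUF_LEN. */
int bounded_copy_truncated(const char *src)
{
    char buffer[BUF_LEN];
    return bounded_copy(buffer, sizeof buffer, src) >= sizeof buffer;
}

int main(void)
{
    const char *inputs[] = { "short", "AAAAAAAAAAAA" };   /* constructed */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-14s strncpy terminated: %d  bounded_copy terminated: %d  truncated: %d\n",
               inputs[i], terminated_after_strncpy(inputs[i]),
               terminated_after_bounded_copy(inputs[i]),
               bounded_copy_truncated(inputs[i]));
    return 0;
}
```

The unterminated buffer left by strncpy() is the seed of the next over-read or over-write: any later strlen() or strcpy() on it runs past the end, which is exactly the class of error the slide says is endemic.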
Non-control data
Non-control data attacks are realistic threats (USENIX Security 2005)
Exim attack (2005)
- Typical heap overflow: overwrite a variable
- Does not divert control flow
- Undetected by NX, ASLR, canary protection
More attacks in the future?
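The following added example (not from the slides) serves two points made above: the timeline's note that a canary "protects only return addresses or saved frame pointers" and that variable reordering was needed on top of it, and this slide's point that a non-control-data overwrite goes undetected by canary protection. It models two stack frames byte for byte, one with locals in declaration order and one with the buffer reordered above the scalars, runs an unchecked string copy of n 'A's into each, and then applies the epilogue check a canary-protected function performs. The layouts, the canary bytes and the is_admin flag are all constructed for illustration; real compilers choose placement and pick the canary value at run time.

```c
/* Added example (not from the slides): what a stack canary catches and what it misses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 100

/* Terminator-style canary (constructed): begins with NUL so a string copy that
 * ends exactly at the canary leaves it intact, while any 'A' over it is caught. */
static const unsigned char CANARY[4] = { 0x00, 0x0A, 0x0D, 0xFF };

/* Locals in declaration order: the non-control flag sits between buffer and canary. */
struct frame_unordered {
    char          buffer[BUF_LEN];
    uint32_t      is_admin;        /* non-control data the canary never checks */
    unsigned char canary[4];
    uint32_t      saved_ebp;
    uint32_t      ret_addr;
};

/* Variable reordering: scalars below the buffer, so an overflow out of buffer[]
 * can only run into the canary and the saved control data. */
struct frame_reordered {
    uint32_t      is_admin;
    char          buffer[BUF_LEN];
    unsigned char canary[4];
    uint32_t      saved_ebp;
    uint32_t      ret_addr;
};

enum outcome { SAFE, NONCONTROL_CORRUPTED, CANARY_TRIPPED };

/* Simulate strcpy() of n 'A's (plus NUL) into the buffer at buf_off of a
 * frame_size-byte frame, then check the canary (what the compiler does) and
 * the flag (what the compiler cannot do). */
static enum outcome run_copy(unsigned char *frame, size_t frame_size,
                             size_t buf_off, size_t canary_off, size_t flag_off,
                             size_t n)
{
    memset(frame, 0, frame_size);                 /* is_admin = 0 */
    memcpy(frame + canary_off, CANARY, 4);        /* prologue stores the canary */

    size_t to_write = n + 1;                      /* strcpy() copies the NUL too */
    if (buf_off + to_write > frame_size)          /* keep the model inside the frame */
        to_write = frame_size - buf_off;
    memset(frame + buf_off, 'A', to_write - 1);   /* the unchecked copy */
    frame[buf_off + to_write - 1] = '\0';

    if (memcmp(frame + canary_off, CANARY, 4) != 0)
        return CANARY_TRIPPED;                    /* epilogue would abort here */
    uint32_t flag;
    memcpy(&flag, frame + flag_off, sizeof flag);
    return flag == 0 ? SAFE : NONCONTROL_CORRUPTED;
}

enum outcome outcome_unordered(size_t n)
{
    struct frame_unordered f;
    return run_copy((unsigned char *)&f, sizeof f,
                    offsetof(struct frame_unordered, buffer),
                    offsetof(struct frame_unordered, canary),
                    offsetof(struct frame_unordered, is_admin), n);
}

enum outcome outcome_reordered(size_t n)
{
    struct frame_reordered f;
    return run_copy((unsigned char *)&f, sizeof f,
                    offsetof(struct frame_reordered, buffer),
                    offsetof(struct frame_reordered, canary),
                    offsetof(struct frame_reordered, is_admin), n);
}

int main(void)
{
    static const char *label[] = { "safe", "non-control data corrupted, canary intact",
                                   "canary tripped" };
    size_t lens[] = { 99, 101, 104, 108 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu x 'A': declaration order -> %-42s | reordered -> %s\n",
               lens[i], label[outcome_unordered(lens[i])],
               label[outcome_reordered(lens[i])]);
    return 0;
}
```

In the declaration-order frame, 101 to 104 characters overwrite is_admin while the canary still verifies, which is the situation the slide describes: no control flow is diverted and the protection stays silent. With the buffer reordered above the scalars, the same inputs can only reach the canary, so the overflow is detected or harmless, which is why variable reordering appears on the timeline as a separate step after canaries.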
Conclusions
- Memory errors will remain a serious threat
- High amounts paid for zero-days
- Exploitation is getting harder but less public
- Exploit kits also keep exploiting legacy apps
- Focus on comprehensive mitigations
- Focus on preventing privilege escalation
- Fine-grained sandboxing?
Recommended Readings I
J. Caballero, C. Grier, C. Kreibich, and V. Paxson. Measuring Pay-per-Install: The Commoditization of Malware Distribution. In Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, August 2011.
C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M. A. Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. In Proceedings of the 19th ACM Conference on Computer and Communications Security, Raleigh, NC, October 2012.
A. Nappa, M. Z. Rafique, and J. Caballero. Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting. In Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, July 2013.
Suggested Readings
V. van der Veen, N. Dutt-Sharma, L. Cavallaro, and H. Bos. Memory Errors: The Past, the Present, and the Future. In Proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), September 2012.
L. Bilge and T. Dumitras. Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 833–844, New York, NY, USA, 2012. ACM.