Where’s the FEEB? Effectiveness of Instruction Set Randomization
description
Transcript of Where’s the FEEB? Effectiveness of Instruction Set Randomization
![Page 1: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/1.jpg)
Where’s the FEEB?Effectiveness of Instruction Set RandomizationCERIAS Security Seminar
Purdue University9 March 2005 David Evans
University of Virginiawork with Nora Sovarel, Nate Pauland the UVa/CMU Genesis Project
![Page 2: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/2.jpg)
2www.cs.virginia.edu/evans/purdue05
Security Through Diversity• Today’s Computing Monoculture
– Exploit can compromise billions of machines since they are all running the same software
• Biological Diversity– All successful species use very expensive
mechanism (i.e., sex) to maintain diversity• Computer security research: [Cohen 92],
[Forrest+ 97], [Cowan+ 2003], [Barrantes+ 2003], [Kc+ 2003], [Bhatkar+2003], [Just+ 2004]
![Page 3: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/3.jpg)
3www.cs.virginia.edu/evans/purdue05
Instruction Set Randomization[Barrantes+, CCS 03] [Kc+, CCS 03]
• Code injection attacks depend on knowing the victim machine’s instruction set
• Defuse them all by making instruction sets different and secret– Its expensive to design new ISAs and build
new microprocessors
![Page 4: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/4.jpg)
4www.cs.virginia.edu/evans/purdue05
DerandomizerProcessor
Automating ISR
Randomizer
Secret Key
OriginalCode
OriginalExecutable
RandomizedExecutable
![Page 5: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/5.jpg)
5www.cs.virginia.edu/evans/purdue05
DerandomizerProcessor
ISR Defuses Attacks
Randomizer
Secret Key
OriginalExecutable
RandomizedExecutable
MaliciousInjected
Code
Broken Malicious
Code
![Page 6: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/6.jpg)
6www.cs.virginia.edu/evans/purdue05
ISR DesignsColumbia [Kc 03]
RISE [Barrantes 03]
Randomization Function
XOR or32-bit transposition
XOR
Key Size32 bits (same key used for all locations)
program length (each location XORed with different byte)
Transformation Time Compile Time Load TimeDerandomization Hardware Software
(Valgrind)
![Page 7: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/7.jpg)
7www.cs.virginia.edu/evans/purdue05
How secure is ISR?Slows down an attack about 6 minutes!
Under the right circumstances…
![Page 8: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/8.jpg)
8www.cs.virginia.edu/evans/purdue05
Memory Randomization Attack
• Brute force attack on memory address space randomization (Shacham et. al. [CCS 2004]): 24-bit effective key space
• Can a similar attack work against ISR?– Larger key space: must attack in
fragments– Need to tell if partial guess is correct
![Page 9: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/9.jpg)
9www.cs.virginia.edu/evans/purdue05
ISR AttackAttack Client
ISR-protectedServer
Incorrect Guess
Crash!
Attack Client Correct Guess ISR-protectedServer
Observable Behavior
![Page 10: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/10.jpg)
10www.cs.virginia.edu/evans/purdue05
Server Requirements• Vulnerable: buffer overflow is fine• Able to make repeated guesses
– No rerandomization after crash– Likely if server forks requests (Apache)
• Observable: notice server crashes• Cryptanalyzable
– Learn key from one ciphertext-plaintext pair– Easy with XOR
![Page 11: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/11.jpg)
11www.cs.virginia.edu/evans/purdue05
Two Attack Ideas• RET (0xC3): return from procedure
– 1-byte instruction: up to 256 guesses– Returns, leaves stack inconsistent
• Only works if server does something observable before crashing
• JMP -2 (0xEBFE): jump offset -2– 2-byte instruction: up to 216 guesses– Produces infinite loop
• Incorrect guess usually crashes server
![Page 12: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/12.jpg)
12www.cs.virginia.edu/evans/purdue05
Jump AttackVu
lner
able
Buff
er
Overwritten Return Address
0xEB (JMP)0xFE (-2)
Unknown Masks
Correct guess producesinfinite loop
216 possible guesses for 2-byte instruction
![Page 13: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/13.jpg)
13www.cs.virginia.edu/evans/purdue05
Incremental Jump Attack
Guessing next byte: < 256 attempts
Vuln
erab
le B
uffer
Overwritten Return Address
0xEB (JMP)0xFE (-2)
Unknown Masks
Guessing first 2 byte masks
Overwritten Return Address
0xEB (JMP)0xFE (-2)
Unknown Masks
0xCD (INT)Guessed
Masks
![Page 14: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/14.jpg)
14www.cs.virginia.edu/evans/purdue05
Guess Outcomes
Observe “Correct” Behavior
Observe “Incorrect” Behavior
Correct Guess Success False Negative
Incorrect Guess
False Positive Progress
![Page 15: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/15.jpg)
15www.cs.virginia.edu/evans/purdue05
False Positives• Injected bytes produce an infinite loop:
– JMP -4 – JNZ -2
• Injected bytes are “harmless”, later executed instruction causes infinite loop
• Injected guess causes crash, but timeout expires before remote attacker observes
![Page 16: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/16.jpg)
16www.cs.virginia.edu/evans/purdue05
False Positives – Good News• Can distinguish correct
mask using other instructions
• Try injecting a “harmless” one-byte instruction– Correct: get loop– Incorrect: usually crashes
• Difficulty: dense opcodes– No pair that differs in only
last bit are reliably different in harmfullness
Overwritten Return Address
0x90 (NOOP)0xEB (JMP)
Unknown Masks
0xFE (-2)Guessed
Masks
![Page 17: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/17.jpg)
17www.cs.virginia.edu/evans/purdue05
False Positives – Better News• False positives are not random
– Conditional jump instructions– Opcodes 01110000-0111111
•All are complementary pairs: 0111xyza not taken 0111xyzā is!• 32 guesses always find an infinite
loop• About 8 additional guesses to
determine correct mask
![Page 18: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/18.jpg)
18www.cs.virginia.edu/evans/purdue05
Extended Attack“C
rash
Zon
e”
Overwritten Return Address
0xCD (INT)0xE9 (Near Jump)
32-b
it o
ffset
(to ju
mp
to
orig
inal
re
turn
addr
ess)
0xCD (INT)0xCD (INT)0xCD (INT)0xCD (INT)0xCD (INT)0x06 (offset)0xEB (JMP)
• Near jump to return location– Execution continues
normally– No infinite loops
• 0xCD 0xCD is interrupt instruction guaranteed to crash
![Page 19: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/19.jpg)
19www.cs.virginia.edu/evans/purdue05
Expected Attempts
~ 15½ to find first jumping instruction
+ ~ 8 to determine
correct mask 23½ expected
attempts per byte
“Cra
sh Z
one”
Overwritten Return Address
0xCD (INT)0xE9 (Near Jump)
32-b
it o
ffset
(to ju
mp
to
orig
inal
re
turn
addr
ess)
0xCD (INT)0xCD (INT)0xCD (INT)0xCD (INT)0xCD (INT)0x06 (offset)0xEB (JMP)
![Page 20: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/20.jpg)
20www.cs.virginia.edu/evans/purdue05
Experiments• Implemented attack against
constructed vulnerable server protected with RISE [Barrantes et. al, 2003]– Memory space randomization works!
• Turned of Fedora’s address space randomization
– Needed to modify RISE• Ensure forked processes use same
randomization key (other proposed ISR implementations wouldn’t need this)
• Obtain correct key over 95% of the time
![Page 21: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/21.jpg)
21www.cs.virginia.edu/evans/purdue05
Attempts Required4339 attemptsto get first 2 bytes 101,65
1 attempt
sto get 4096 bytes
![Page 22: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/22.jpg)
22www.cs.virginia.edu/evans/purdue05
Attempts per Byte
Drops to below
24 average attemptsper byte
~212 attempts for first 2 bytes
![Page 23: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/23.jpg)
23www.cs.virginia.edu/evans/purdue05
Total Time4-byte key (Columbia implementation) in <
3½ minutes
4096-byte keyin 48 minutes
Attacker: “Is this good enough?” Defender: “Is this bad enough?”
![Page 24: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/24.jpg)
24www.cs.virginia.edu/evans/purdue05
How many key bytes needed?• Inject malcode in one ISR-
protected host– Sapphire worm = 376 bytes
• Create a worm that spreads on a network of ISR-protected servers– Space for FEEB attack code: 34,723
bytes– Need to crash server ~800K times
![Page 25: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/25.jpg)
25www.cs.virginia.edu/evans/purdue05
Maybe less…?• VMWare: 3,530,821 bytes • Java VM: 135,328 bytes • Minsky’s UTM: 7 states, 4 colors
•MicroVM: 100 bytes
![Page 26: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/26.jpg)
26www.cs.virginia.edu/evans/purdue05
Enti
re M
icroV
M
Code
push dword ebp mov ebp, WORM_ADDRESS + WORM_REG_OFFSET pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax)read_more_worm: ; read NUM_BYTES at a time until worm is done cld xor ecx, ecx mov byte cl, NUM_BYTES mov dword esi, WORM_ADDRESS ; get saved WormIP add dword esi, eax mov edi, begin_worm_exec rep movsb ; copies next Worm block into execution buffer add eax, NUM_BYTES ; change WormIP pushad ; save register vals mov edi, dword [ebp] ; restore worm registers mov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET] mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET] mov eax, dword [ebp + EAX_OFFSET]begin_worm_exec: ; this is the worm execution buffer nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop mov [ebp], edi ; save worm registers mov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebx mov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecx mov [ebp + EAX_OFFSET], eax popad ; restore microVM register vals jmp read_more_worm
![Page 27: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/27.jpg)
27www.cs.virginia.edu/evans/purdue05
save worm address in ebpmove stack frame pointer
WormIP 0copy worm code into buffer
update WormIPsave MicroVM registers
load worm registers22-byte worm
execution buffersave worm registers
load MicroVM registersjmp to read next block
saved registersworm code
host key masksguessed (target) masks
other worm data
Learned Key
Bytes 76 bytes of code+ 22 bytes for execution+ 2 bytes to avoid NULL= 100 bytes is enough > 99% of the time
MicroVM
Worm code must be coded in blocks that fit
into execution buffer (pad with noops so
instructions do not cross block boundaries)
![Page 28: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/28.jpg)
28www.cs.virginia.edu/evans/purdue05
Making Jumps• Within a block - short relative jump is
fine• Between worm blocks
– From end of block, to beginning of block – Update the WormIP stored on the stack– Code conditional jump, JZ target in worm
as:JNZ +5 ; if opposite condition, skipMOV [ebp + WORMIP_OFFSET] target
![Page 29: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/29.jpg)
29www.cs.virginia.edu/evans/purdue05
Deploying a Worm• Learn 100 key bytes to inject MicroVM
– Median time: 311 seconds, 8422 attempts– Fast enough for a worm to spread effectively
• Inject pre-encrypted worm code– XORed with the known key at location– Insert NOOPs when necessary to avoid
NULLs• Inject key bytes
– Needed to propagate worm
![Page 30: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/30.jpg)
30www.cs.virginia.edu/evans/purdue05
Preventing Attack: Break Requirement
• Vulnerable: eliminate vulnerabilities– Rewrite all your code in a type safe language
• Able to make repeated guesses– Rerandomize after crash
• Observable: notice server crashes– Maintain client socket after crash?
• Cryptanalyzable– Use a strong cipher like AES instead of XOR
![Page 31: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/31.jpg)
31www.cs.virginia.edu/evans/purdue05
Better Solution• Avoid secrets!
– Keeping them is hard– They can be broken or stolen
• Prove security properties without relying on assumptions about secrets or probabilistic arguments
![Page 32: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/32.jpg)
32www.cs.virginia.edu/evans/purdue05
Secretless Security Structurework with Jack Davidson, Jonathan Hill, John Knight & Anh
Nguyen-Tuong
Input(Possibly Maliciou
s)
Server Variant
A
ServerVariant
B
MonitorOutpu
t
InputReplicator
![Page 33: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/33.jpg)
33www.cs.virginia.edu/evans/purdue05
Disjoint Variants• Any attack that succeeds against Variant A
must cause Variant B to crash• Monitor observes crash and recovers
Input
Server Variant
A
ServerVariant
B
MonitorOutput
InputReplicator
Examples:Instruction SetsMemory AddressesSchedule Interleaving
![Page 34: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/34.jpg)
34www.cs.virginia.edu/evans/purdue05
JOJNOJB
JNBJZ
JNZ
JMPCALL
…Variant A Variant B
JNO
JNB
JNZ
CALLJO
JB
JZ
JMP
Making Disjoint Variants
![Page 35: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/35.jpg)
35www.cs.virginia.edu/evans/purdue05
Challenges• Engineering
– Input replicator and monitor– Shared state (databases, files)– Nondeterminism (session state)
• Security– Proving variants are disjoint– Multi-stage attacks– Achieving high-level disjoint properties
![Page 36: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/36.jpg)
36www.cs.virginia.edu/evans/purdue05
Jaws
Diversitydepends on
yourperspective
Slide from my USENIX Security 2004 Talk, What Biology Can (and Can’t) Teach us about Security
![Page 37: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/37.jpg)
37www.cs.virginia.edu/evans/purdue05
Summary• Diversity defenses defeat
undetermined adversaries• Determined adversaries may be
able to determine secrets– Break ISR-protected server in < 6
minutes• Secretless diversity designs
promise provable security against classes of attack
![Page 38: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/38.jpg)
38www.cs.virginia.edu/evans/purdue05
Credits
Nora “NORAndomizer” SovarelNate “Byte Annihilator” PaulGenesis Project: Jack Davidson, Adrian Filipi, Jonathan Hill, John Knight,
Anh Nguyen-Tuong, Chenxi Wang (CMU)Thanks: Gabriela Barrantes (RISE code), Stephanie Forrest, Fred SchneiderSponsor: DARPA SRS (Lee Badger), NSF CAREER/ITR
![Page 39: Where’s the FEEB? Effectiveness of Instruction Set Randomization](https://reader031.fdocuments.net/reader031/viewer/2022020117/5681683f550346895dde0eaf/html5/thumbnails/39.jpg)
39www.cs.virginia.edu/evans/purdue05
Questions?