SlideShare ist ein Scribd-Unternehmen logo

Automating Return Oriented Programming Attacks

ETH Zurich
ETH Zurich

Master thesis of Alen

1 von 31
Background Related Work Contribution Conclusion Automating Return Oriented Programming Attacks Alen Stojanov ´ Ecole Polytechnique F´d´rale de Lausanne e e Programming Methods Laboratory (LAMP) University of California, Irvine Secure Systems and Software Laboratory (SSSL) alen.stojanov@epfl.ch April 23, 2012 Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Motivation Return oriented programming is an exploit technique. Hand-crafting ROP attacks is tedious and error prone, and thus automation is required. Automating ROP attacks leads to fast generation of attacks or even higher level attacks We concentrate on stand-alone binaries and automate the creation of ROP attacks. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Return Oriented Programming (ROP) Return oriented programming (ROP) is an exploit technique which avoids code injection by reusing existing code to induce arbitrary behavior in a program. ROP attacks are conducted by chaining available instruction sequences (gadgets) ending in a “return” instruction. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Creating ROP attacks Attacker using this technique must accomplish two tasks: Find some way to subvert the program’s control flow from its normal course: Stack overflows Heap overflows String formatting vulnerabilities Force the program to act in the manner of his choosing. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Return Oriented Programming (ROP) Contribution Conclusion ▪ Return Oriented Programming avoids code injection by reusing legitimate code ROP illustrated ▪ Attackers place addresses of short instruction sequences ending in a return statement (gadgets) on the stack. Gadget 1 Simplified ROP ... jailbreak attack OPEN 0x080 RETURN Gadget 3 Gadget 2 ... ... Stack growth CONNECTION ADD EAX, EBX Gadget 3 RETURN POP EBP ... RETURN TO THE Gadget 4 RETURN ... WHITEHOUSE 0x1C0 RETURN ▪ Each return unwinds the stack and transfers control to the next gadget. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Variations: Jump Oriented Programming ROP also has variations such as Jump Oriented Programming. Instead of using ret instructions, emphasis is on pop reg; jmp reg. Display_ColorText ... 0x555A08 EAX = “white” 0x555A0C JMP Audio_LowerVolume ... 0x00555A08 0xABCD00 SUBI #5000, @EBX 0xABCD04 JMP 0x00212508 HelpTexts_IOSpecific ... Dispacher 0x00ABCD00 0x212500 EBX = “keyboard” 0x212504 else 0x212508 EBX = “mouse” 0x21250C JMP FileSystem_DirectoryName ... 0x777700 JSR strg_concat_EAX_EBX 0x00777700 0x777704 JMP 0x00919100 PrintManager_Prepare ... 0x919100 JSR open_connection 0x919104 JMP Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Threat The idea of ROP emerged with the discovery of the stack overflow attacks in 1997 and evolved as a community work First introduced in the academic world by H. Shacham in 2007 It bypasses the most widely deployed defence techniques such as W X and ASLR. It also affects different computer architectures including x86, ARM, SPARC, Atmel AVR, and PowerPC Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Threat (cont.) Current defences resemble peace-meal techniques to address each variant of code-reuse attacks: Return-less kernels Return address verification via hypervisors (HyperCrop) Binary Instrumentation for ROP detection (ROPdefender) ROP mitigation via code rewriting for gadgets removal and return address encoding (G-Free) Control Flow Integrity (CFI) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion ROP Thread (cont.) The available protection mechanisms either: Do not provide comprehensive defence Introduce high performance overhead Are not deployed on all affected systems. This leaves the thread of ROP in the heart of security problems. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Automatic ROP Q combines software verification techniques in attack generation Return-into-libc provide automation on POSIX complaint systems Reverse Engineering Intermediate Language (REIL) provides automatic gadget search on different architectures. Return-Oriented Rootkits automate generation of ROP attacks in the Windows kernel Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Automatic ROP limitations Related work in automating ROP attacks is limited to: Gadgets operating on limited set of registers Predefined templates for gadget search As a result: Targeted shared libraries or operating system kernels where required instructions are likely to be present Approach unlikely to apply on wider range of smaller binaries Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Contribution We focus on stand-alone binaries where gadget set is limited We operate on Linux OS on x86 architecture Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation 0x00000000 By analysing different binaries we observe: Text Segment Data Segment Data segment of a typical Linux process can BSS segment be used to read and write memory Heap Most common gadgets available: pop-gadgets (almost every CPU register) mov-gadgets (memory and registers) Memory Mapping add-gadgets (memory and registers) At least one gadget performing arithmetic and logical operations is available Crafting ROP exploit is tedious when only Stack few gadgets are available Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. If there are only few gadgets available, then gadget chaining requires to move the data between registers, such that the result of one operation can be used as an input to the next operation. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx ret 0x42295cee: sub eax, edx inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax ret Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx 1 ret 0x42295cee: sub eax, edx 3 inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax 2 ret Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Collateral Damage In most cases useful gadgets include pop instruction or other instructions that change the state of some registers before the return instruction When those gadgets are used, the value of those registers is lost and considered as a collateral damage In other cases, instructions modifying the value of a particular address relative to some register are also present before the return instruction. Those registers must be initialized properly to avoid segmentation faults. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Register Transfer Graph edx edx Generate Register Transfer mov mov Graph to analyse data flow eax cl between registers and memory mov mov [ebx,] Take into consideration the collateral damage edi ebx al mov [ebp,edi,] xchg xchg mov Discover available register candidates eax Use the graph to chain gadgets mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov X X esp Pidgin CPU Register Memory Add. Data Movement Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Intermediate Results Strongly Connected Components Cardinality (SCCC) gives the number of registers available for moving data. Binary Size (b) SCCC 8 ● ● ● ● ●● ● vlc 1.228 x 10KB 1 master 3.227 x 10KB 0 ● firefox 4.915 x 10KB 1 rpcbind 5.325 x 10KB 2 6 ● amarok 6.963 x 10KB 0 avahi 1.147 x 10KB 3 Available x86 CPU Registers ● ● apache2 4.055 x 100KB 3 cupsd 4.342 x 100KB 3 4 ● sshd 5.407 x 100KB 5 yast2 5.939 x 100KB 4 ● ●● pidgin 1.049 x 1MB 5 dhclient 1.761 x 1MB 6 Xorg 1.987 x 1MB 7 2 ● filezilla 2.589 x 1MB 8 mysqld 7.004 x 1MB 8 ● ● smbd 1.017 x 10MB 8 opera 1.706 x 10MB 8 0 ● ● skype 2.143 x 10MB 8 104.5 105 105.5 106 106.5 107 107.5 acroread 2.393 x 10MB 8 Binary Section Size chrome 5.396 x 10MB 8 Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Encapsulate available gadgets performing logical or arithmetic operation to operate on the memory locations by using the Register Transfer Graph (virtual instructions) Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation Read data from memory location to the gadget registers, and write back to memory. edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] 5 edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Results add sub inc dec and or xor not neg jmp test cmp acroread skype opera smbd mysqld filezilla Xorg dhclient pidgin yast2 sshd cupsd apache2 avahi amarok rpcbind firefox master vlc Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Conclusion In most cases one gadget having one of the logical or arithmetic instructions is enough to encapsulate the computation of all instructions across memory locations. Once we generate virtual registers and virtual instructions, it is easy to create a small compiler or interpreter on top of those instructions. Automating ROP is possible on stand-alone binaries having size as little as 400KB. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Future Work Extend the automatic attack generation using the Jump Oriented Programming model. Automate the conditional branching, to have fully automatic generation of ROP attacks. Create a virtual stack that resides in the data segment, or in any writeable memory section of the process and generate a higher level language. Alen Stojanov Automating Return Oriented Programming Attacks
Background Related Work Contribution Conclusion Thank You Questions ? Alen Stojanov Automating Return Oriented Programming Attacks

Empfohlen

Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
Abstracting Vector Architectures in Library Generators: Case Study Convolutio...Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
Abstracting Vector Architectures in Library Generators: Case Study Convolutio...ETH Zurich
 
Android from A to Z
Android from A to ZAndroid from A to Z
Android from A to ZHazem Hagrass
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Embedded system - introduction to arm7
Embedded system - introduction to arm7Embedded system - introduction to arm7
Embedded system - introduction to arm7Vibrant Technologies & Computers
 
Compiler
CompilerCompiler
Compileralekhya57
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 

Empfohlen

Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
Abstracting Vector Architectures in Library Generators: Case Study Convolutio...Abstracting Vector Architectures in Library Generators: Case Study Convolutio...
Abstracting Vector Architectures in Library Generators: Case Study Convolutio...ETH Zurich
 
Android from A to Z
Android from A to ZAndroid from A to Z
Android from A to ZHazem Hagrass
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Embedded system - introduction to arm7
Embedded system - introduction to arm7Embedded system - introduction to arm7
Embedded system - introduction to arm7Vibrant Technologies & Computers
 
Compiler
CompilerCompiler
Compileralekhya57
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Mechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic VirusMechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic Virusvivid_0416
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injectionguest9f4856
 
Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Emilio Coppa
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESSDebugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESSartgillespie
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyMarcus Botacin
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64The Linux Foundation
 
Debuging tech
Debuging techDebuging tech
Debuging techyarshure Kong
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Ross Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your appsRoss Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your appsWeb Directions
 
Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011Jorge Ressia
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionMarcus Botacin
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
LISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love ParanthesesLISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love ParanthesesDominic Graefen
 
Textorize
TextorizeTextorize
TextorizeThomas Fuchs
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 

Weitere ähnliche Inhalte

Ähnlich wie Automating Return Oriented Programming Attacks

Mechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic VirusMechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic Virusvivid_0416
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injectionguest9f4856
 
Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Emilio Coppa
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESSDebugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESSartgillespie
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyMarcus Botacin
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64The Linux Foundation
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Ross Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your appsRoss Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your appsWeb Directions
 
Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011Jorge Ressia
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionMarcus Botacin
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
LISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love ParanthesesLISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love ParanthesesDominic Graefen
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 

Ähnlich wie Automating Return Oriented Programming Attacks (20)

Mechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic VirusMechanism Of Polymorphic And Metamorphic Virus
Mechanism Of Polymorphic And Metamorphic Virus
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
 
Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESSDebugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
Debugging: Or How I Learned To Stop Worrying and Love EXC_BAD_ACCESS
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64
 
Debuging tech
Debuging techDebuging tech
Debuging tech
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Ross Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your appsRoss Boucher - Quality Control: Testing and debugging your apps
Ross Boucher - Quality Control: Testing and debugging your apps
 
Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011Domain-Specific Profiling - TOOLS 2011
Domain-Specific Profiling - TOOLS 2011
 
Hardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior DetectionHardware-Assisted Application Misbehavior Detection
Hardware-Assisted Application Misbehavior Detection
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
LISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love ParanthesesLISP: How I Learned To Stop Worrying And Love Parantheses
LISP: How I Learned To Stop Worrying And Love Parantheses
 
Textorize
TextorizeTextorize
Textorize
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 

Automating Return Oriented Programming Attacks

  • 1. Background Related Work Contribution Conclusion Automating Return Oriented Programming Attacks Alen Stojanov ´ Ecole Polytechnique F´d´rale de Lausanne e e Programming Methods Laboratory (LAMP) University of California, Irvine Secure Systems and Software Laboratory (SSSL) alen.stojanov@epfl.ch April 23, 2012 Alen Stojanov Automating Return Oriented Programming Attacks
  • 2. Background Related Work Contribution Conclusion Motivation Return oriented programming is an exploit technique. Hand-crafting ROP attacks is tedious and error prone, and thus automation is required. Automating ROP attacks leads to fast generation of attacks or even higher level attacks We concentrate on stand-alone binaries and automate the creation of ROP attacks. Alen Stojanov Automating Return Oriented Programming Attacks
  • 3. Background Related Work Contribution Conclusion Return Oriented Programming (ROP) Return oriented programming (ROP) is an exploit technique which avoids code injection by reusing existing code to induce arbitrary behavior in a program. ROP attacks are conducted by chaining available instruction sequences (gadgets) ending in a “return” instruction. Alen Stojanov Automating Return Oriented Programming Attacks
  • 4. Background Related Work Contribution Conclusion Creating ROP attacks Attacker using this technique must accomplish two tasks: Find some way to subvert the program’s control flow from its normal course: Stack overflows Heap overflows String formatting vulnerabilities Force the program to act in the manner of his choosing. Alen Stojanov Automating Return Oriented Programming Attacks
  • 5. Background Related Work Return Oriented Programming (ROP) Contribution Conclusion ▪ Return Oriented Programming avoids code injection by reusing legitimate code ROP illustrated ▪ Attackers place addresses of short instruction sequences ending in a return statement (gadgets) on the stack. Gadget 1 Simplified ROP ... jailbreak attack OPEN 0x080 RETURN Gadget 3 Gadget 2 ... ... Stack growth CONNECTION ADD EAX, EBX Gadget 3 RETURN POP EBP ... RETURN TO THE Gadget 4 RETURN ... WHITEHOUSE 0x1C0 RETURN ▪ Each return unwinds the stack and transfers control to the next gadget. Alen Stojanov Automating Return Oriented Programming Attacks
  • 6. Background Related Work Contribution Conclusion Variations: Jump Oriented Programming ROP also has variations such as Jump Oriented Programming. Instead of using ret instructions, emphasis is on pop reg; jmp reg. Display_ColorText ... 0x555A08 EAX = “white” 0x555A0C JMP Audio_LowerVolume ... 0x00555A08 0xABCD00 SUBI #5000, @EBX 0xABCD04 JMP 0x00212508 HelpTexts_IOSpecific ... Dispacher 0x00ABCD00 0x212500 EBX = “keyboard” 0x212504 else 0x212508 EBX = “mouse” 0x21250C JMP FileSystem_DirectoryName ... 0x777700 JSR strg_concat_EAX_EBX 0x00777700 0x777704 JMP 0x00919100 PrintManager_Prepare ... 0x919100 JSR open_connection 0x919104 JMP Alen Stojanov Automating Return Oriented Programming Attacks
  • 7. Background Related Work Contribution Conclusion ROP Threat The idea of ROP emerged with the discovery of the stack overflow attacks in 1997 and evolved as a community work First introduced in the academic world by H. Shacham in 2007 It bypasses the most widely deployed defence techniques such as W X and ASLR. It also affects different computer architectures including x86, ARM, SPARC, Atmel AVR, and PowerPC Alen Stojanov Automating Return Oriented Programming Attacks
  • 8. Background Related Work Contribution Conclusion ROP Threat (cont.) Current defences resemble peace-meal techniques to address each variant of code-reuse attacks: Return-less kernels Return address verification via hypervisors (HyperCrop) Binary Instrumentation for ROP detection (ROPdefender) ROP mitigation via code rewriting for gadgets removal and return address encoding (G-Free) Control Flow Integrity (CFI) Alen Stojanov Automating Return Oriented Programming Attacks
  • 9. Background Related Work Contribution Conclusion ROP Thread (cont.) The available protection mechanisms either: Do not provide comprehensive defence Introduce high performance overhead Are not deployed on all affected systems. This leaves the thread of ROP in the heart of security problems. Alen Stojanov Automating Return Oriented Programming Attacks
  • 10. Background Related Work Contribution Conclusion Automatic ROP Q combines software verification techniques in attack generation Return-into-libc provide automation on POSIX complaint systems Reverse Engineering Intermediate Language (REIL) provides automatic gadget search on different architectures. Return-Oriented Rootkits automate generation of ROP attacks in the Windows kernel Alen Stojanov Automating Return Oriented Programming Attacks
  • 11. Background Related Work Contribution Conclusion Automatic ROP limitations Related work in automating ROP attacks is limited to: Gadgets operating on limited set of registers Predefined templates for gadget search As a result: Targeted shared libraries or operating system kernels where required instructions are likely to be present Approach unlikely to apply on wider range of smaller binaries Alen Stojanov Automating Return Oriented Programming Attacks
  • 12. Background Related Work Contribution Conclusion Contribution We focus on stand-alone binaries where gadget set is limited We operate on Linux OS on x86 architecture Alen Stojanov Automating Return Oriented Programming Attacks
  • 13. Background Related Work Contribution Conclusion Observation 0x00000000 By analysing different binaries we observe: Text Segment Data Segment Data segment of a typical Linux process can BSS segment be used to read and write memory Heap Most common gadgets available: pop-gadgets (almost every CPU register) mov-gadgets (memory and registers) Memory Mapping add-gadgets (memory and registers) At least one gadget performing arithmetic and logical operations is available Crafting ROP exploit is tedious when only Stack few gadgets are available Alen Stojanov Automating Return Oriented Programming Attacks
  • 14. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. Alen Stojanov Automating Return Oriented Programming Attacks
  • 15. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. Alen Stojanov Automating Return Oriented Programming Attacks
  • 16. Background Related Work Contribution Conclusion Observation (cont.) If there is no gadget available that does a particular logical or arithmetical operation we might be able to find suitable substitution. If there is no gadget and no substitution, then that particular operation will not be available in the ROP attack. If there are only few gadgets available, then gadget chaining requires to move the data between registers, such that the result of one operation can be used as an input to the next operation. Alen Stojanov Automating Return Oriented Programming Attacks
  • 17. Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx ret 0x42295cee: sub eax, edx inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax ret Alen Stojanov Automating Return Oriented Programming Attacks
  • 18. Background Related Work Contribution Conclusion Example Calculate C = C (edx) −A (ebp) −B (ecx) having: 0xb9268970: add ebp, ecx 1 ret 0x42295cee: sub eax, edx 3 inc [esi+0x5D5B] ret 0x42295cee: mov ecx, eax 2 ret Alen Stojanov Automating Return Oriented Programming Attacks
  • 19. Background Related Work Contribution Conclusion Collateral Damage In most cases useful gadgets include pop instruction or other instructions that change the state of some registers before the return instruction When those gadgets are used, the value of those registers is lost and considered as a collateral damage In other cases, instructions modifying the value of a particular address relative to some register are also present before the return instruction. Those registers must be initialized properly to avoid segmentation faults. Alen Stojanov Automating Return Oriented Programming Attacks
  • 20. Background Related Work Contribution Conclusion Register Transfer Graph edx edx Generate Register Transfer mov mov Graph to analyse data flow eax cl between registers and memory mov mov [ebx,] Take into consideration the collateral damage edi ebx al mov [ebp,edi,] xchg xchg mov Discover available register candidates eax Use the graph to chain gadgets mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov X X esp Pidgin CPU Register Memory Add. Data Movement Alen Stojanov Automating Return Oriented Programming Attacks
  • 21. Background Related Work Contribution Conclusion Intermediate Results Strongly Connected Components Cardinality (SCCC) gives the number of registers available for moving data. Binary Size (b) SCCC 8 ● ● ● ● ●● ● vlc 1.228 x 10KB 1 master 3.227 x 10KB 0 ● firefox 4.915 x 10KB 1 rpcbind 5.325 x 10KB 2 6 ● amarok 6.963 x 10KB 0 avahi 1.147 x 10KB 3 Available x86 CPU Registers ● ● apache2 4.055 x 100KB 3 cupsd 4.342 x 100KB 3 4 ● sshd 5.407 x 100KB 5 yast2 5.939 x 100KB 4 ● ●● pidgin 1.049 x 1MB 5 dhclient 1.761 x 1MB 6 Xorg 1.987 x 1MB 7 2 ● filezilla 2.589 x 1MB 8 mysqld 7.004 x 1MB 8 ● ● smbd 1.017 x 10MB 8 opera 1.706 x 10MB 8 0 ● ● skype 2.143 x 10MB 8 104.5 105 105.5 106 106.5 107 107.5 acroread 2.393 x 10MB 8 Binary Section Size chrome 5.396 x 10MB 8 Alen Stojanov Automating Return Oriented Programming Attacks
  • 22. Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Alen Stojanov Automating Return Oriented Programming Attacks
  • 23. Background Related Work Contribution Conclusion Steps towards automation Use memory locations available in the data segment of the process as registers (virtual registers) Encapsulate available gadgets performing logical or arithmetic operation to operate on the memory locations by using the Register Transfer Graph (virtual instructions) Alen Stojanov Automating Return Oriented Programming Attacks
  • 24. Background Related Work Contribution Conclusion Encapsulation Read data from memory location to the gadget registers, and write back to memory. edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 25. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 26. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 27. Background Related Work Contribution Conclusion Encapsulation edx edx Data Segment mov mov 3 eax cl 2 mov mov [ebx,] 5 edi ebx al 0xb92689782: add ebp, ebx mov [ebp,edi,] xchg xchg mov ret eax mov xchg mov mov [esi,edi,] ebp esi ecx mov [ebp,] mov esp Alen Stojanov Automating Return Oriented Programming Attacks
  • 28. Background Related Work Contribution Conclusion Results add sub inc dec and or xor not neg jmp test cmp acroread skype opera smbd mysqld filezilla Xorg dhclient pidgin yast2 sshd cupsd apache2 avahi amarok rpcbind firefox master vlc Alen Stojanov Automating Return Oriented Programming Attacks
  • 29. Background Related Work Contribution Conclusion Conclusion In most cases one gadget having one of the logical or arithmetic instructions is enough to encapsulate the computation of all instructions across memory locations. Once we generate virtual registers and virtual instructions, it is easy to create a small compiler or interpreter on top of those instructions. Automating ROP is possible on stand-alone binaries having size as little as 400KB. Alen Stojanov Automating Return Oriented Programming Attacks
  • 30. Background Related Work Contribution Conclusion Future Work Extend the automatic attack generation using the Jump Oriented Programming model. Automate the conditional branching, to have fully automatic generation of ROP attacks. Create a virtual stack that resides in the data segment, or in any writeable memory section of the process and generate a higher level language. Alen Stojanov Automating Return Oriented Programming Attacks
  • 31. Background Related Work Contribution Conclusion Thank You Questions ? Alen Stojanov Automating Return Oriented Programming Attacks